Most of the employees in the office are mobile workers. Because their virus databases are not updated in time and system patches are not installed, mobile office equipment is in a dangerous state, and when it connects to the internal network it can threaten the entire network. How can the network be defended at this entry point?
The author works at a media company with hundreds of reporters. Each reporter is issued a laptop and an Internet access device. Reporters often carry their laptops on business trips and do not log in to the internal network for long periods. Anti-virus software and system patch updates are deployed on the network, but when a reporter connects to the company network through a VPN or other means, the connection is very short and the system patches and virus database cannot be downloaded in time. Because the virus database is out of date and the system patches are not installed, the laptop is in a "dangerous" state. Once it is infected and carries a virus or Trojan into the internal network, the impact on the whole network is severe.
Is there a way to automatically check the security state of a client computer when it logs in to the network, and only allow it onto the network after it meets the security standard? That is NAP, the network access protection policy.
Windows Server 2008 provides NAP (Network Access Protection). Under a network access protection policy, every client computer (LAN client or VPN client) must pass a network health check, such as whether the latest security patches are installed, whether the anti-virus signature database is up to date, whether the firewall is enabled, and so on, and it is allowed into the internal network only after it meets these security conditions. Computers that fail the system health check are quarantined on a restricted-access network. On the restricted network the computer's state is remediated (for example by downloading the required system patches from a patch server, or by forcibly enabling the firewall policy), and the computer is admitted to the company's internal network once it reaches the health standard.
Windows Server 2008 provides several enforcement methods for network access protection. The simplest is to combine an NPS (Network Policy Server) policy with the DHCP service. To deploy this policy you need to configure the client computers: enable the "Turn on Security Center (Domain PCs only)" policy in Group Policy, and enable the DHCP Quarantine Enforcement Client. The NAP Agent service must also be enabled; it is recommended to set its startup type to "Automatic".
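The client-side preparation described above can be scripted instead of clicked through. The following is an added example, not part of the original article: it runs in an elevated PowerShell session on a domain-joined client and assumes the standard Windows names for the NAP Agent service ("napagent") and the DHCP quarantine enforcement client (ID 79617).

```powershell
# Added example (not from the original article): prepare a domain-joined Windows client
# for DHCP-based NAP enforcement. Run in an elevated PowerShell session on the client.
# Assumptions: the NAP Agent service is named "napagent" and the DHCP Quarantine
# Enforcement Client has ID 79617 (both are the standard Windows identifiers).

# 1. NAP Agent service: set the startup type to Automatic and start it now.
#    sc.exe is used explicitly because "sc" is a PowerShell alias for Set-Content.
sc.exe config napagent start= auto | Out-Null
Start-Service -Name napagent

# 2. Enable the DHCP Quarantine Enforcement Client (ID 79617).
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" | Out-Null

# 3. Verify the result: the agent should be Running with start mode Auto,
#    and the enforcement client list should show 79617 as enabled.
$agent = Get-Service -Name napagent
$state = netsh nap client show state
[pscustomobject]@{
    NapAgentStatus    = $agent.Status
    NapAgentStartMode = (Get-WmiObject Win32_Service -Filter "Name='napagent'").StartMode
    DhcpEnforcement   = ($state | Select-String -Pattern '79617' -Context 0,2 | Out-String).Trim()
}
```

The Security Center policy is not set by this script: it is a Group Policy setting (Computer Configuration → Administrative Templates → Windows Components → Security Center → "Turn on Security Center (Domain PCs only)"), which is the policy the article refers to, and it should be applied through the domain GPO that targets the laptops.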
After a default installation of Windows Server 2008, the NPS (Network Policy Server) service is not installed; the network administrator must install it manually.
Start Server Manager and run the Add Roles Wizard. In the Select Server Roles dialog box, select Network Policy and Access Services in the Roles list. The remaining options can be left at their defaults.
After the NPS service is installed, the DHCP service on the member server is replaced by a new NPS-capable component, and the network administrator needs to configure the DHCP options involved in NPS. By default the NPS-related "Network Access Protection" setting is not enabled; it is enabled in the properties of the DHCP scope.
NAP switches computers between restricted and unrestricted network access within the same scope by adding a user class to the scope options. This set of special scope options (DNS server, DNS domain name, router, and so on) is used when handing out leases to client computers in poor health. For example, the default DNS suffix given to a healthy client is "book.com", while the DNS suffix given to an unhealthy client is "Testbook.com".
The NPS policy consists of four parts: the System Health Validator, the Remediation Server Group, the Health Policy and the Network Policy. Together they validate computers joining the company network, isolate those that fail, remediate them, and re-check their health.
System Health Validator: evaluates the computer's running state. It specifies which checks are performed and sets up a checklist that, according to the configured policy, detects which computers connecting to the network are secure and which are not; for example, a computer whose firewall is turned off is considered unsafe, and a computer with no anti-virus software installed is considered unsafe. Start the Network Policy Server console, open NPS (Local) → Network Access Protection → System Health Validator, and configure the states to be checked in the properties list, as shown in Figure 1.
Remediation Server Group: lets the network administrator define the systems that computers in poor health are allowed to reach. By accessing these defined systems, computers in poor health are restored to normal. During setup, note that the target server's IP address and its DNS name resolution must agree. Start the Network Policy Server console, open NPS → Network Access Protection → System Health Validator, create a new Remediation Server Group, and set the IP address and name of the virus signature update server or patch update server.
Health Policy: establishes the standard for client computer health. It is recommended to create two policies, one for secure computers and one for non-secure computers. A computer that the System Health Validator verifies as secure is matched to the secure-computer policy; one it verifies as non-secure is matched to the non-secure-computer policy. Start the Network Policy Server console, open NPS → Policies → Health Policies, and create two new health policies: one is the "passes all security checks" policy, as shown in Figure 2; the other is the "fails the security health check" policy.
Network Policy: defines the processing rules and determines how a computer is handled based on its health. The System Health Validator, the Remediation Server Group and the health policies are tied together through network policies. A network policy is defined by the administrator and tells NPS how to handle a computer based on its running state. NPS evaluates these policies from top to bottom, and as soon as a computer matches a policy's conditions, processing stops.
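To make the interplay of the four parts concrete, here is an added PowerShell model (not code from the article or from Microsoft) of the decision chain: a health-validator checklist, the two health policies, and network policies evaluated top to bottom with the first match deciding which DHCP user-class options the client receives. The client records, the checklist thresholds and the policy names are constructed for the illustration; "book.com" and "Testbook.com" are the DNS suffixes from the article. Nothing here talks to a real NPS or DHCP server.

```powershell
# Added example (not from the original article): a small PowerShell model of how the
# System Health Validator, health policies and ordered network policies fit together.
# All clients, thresholds and policy names below are constructed for this illustration.

# System Health Validator: the checklist a client must satisfy. Returns the list of failures.
function Test-SystemHealth {
    param([hashtable]$Client)
    $failures = @()
    if (-not $Client.FirewallEnabled)    { $failures += 'firewall is off' }
    if (-not $Client.AntivirusInstalled) { $failures += 'no anti-virus software installed' }
    if ($Client.SignatureAgeDays -gt 3)  { $failures += "virus signatures are $($Client.SignatureAgeDays) days old" }
    if ($Client.MissingPatches -gt 0)    { $failures += "$($Client.MissingPatches) security patch(es) missing" }
    return ,$failures   # leading comma keeps an empty array from unrolling to $null
}

# Health policies: "passes all checks" versus "fails the security health check".
function Get-HealthPolicy {
    param([string[]]$Failures)
    if (@($Failures).Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
}

# Network policies, in order. NPS evaluates top to bottom and stops at the first match;
# each entry carries the DHCP user-class options that the matching client is given.
$NetworkPolicies = @(
    @{ Name = 'Compliant - full access';    Matches = 'Compliant';    DnsSuffix = 'book.com';     Restricted = $false },
    @{ Name = 'NonCompliant - remediation'; Matches = 'NonCompliant'; DnsSuffix = 'Testbook.com'; Restricted = $true  }
)

function Resolve-NetworkAccess {
    param([hashtable]$Client)
    $failures = Test-SystemHealth -Client $Client
    $health   = Get-HealthPolicy -Failures $failures
    foreach ($policy in $NetworkPolicies) {
        if ($policy.Matches -eq $health) {
            return [pscustomobject]@{
                Client     = $Client.Name
                Health     = $health
                Policy     = $policy.Name
                DnsSuffix  = $policy.DnsSuffix     # scope option handed out with the lease
                Restricted = $policy.Restricted    # $true = quarantined, remediation servers only
                Failures   = ($failures -join '; ')
            }
        }
    }
    throw "No network policy matched client $($Client.Name)"
}

# Constructed sample clients: one healthy laptop, one that has been on the road for a month.
$clients = @(
    @{ Name = 'reporter-01'; FirewallEnabled = $true;  AntivirusInstalled = $true; SignatureAgeDays = 1;  MissingPatches = 0 },
    @{ Name = 'reporter-02'; FirewallEnabled = $false; AntivirusInstalled = $true; SignatureAgeDays = 30; MissingPatches = 4 }
)
$clients | ForEach-Object { Resolve-NetworkAccess -Client $_ } | Format-List
```

Running it lists reporter-01 as Compliant with the "book.com" suffix and unrestricted access, and reporter-02 as NonCompliant with the "Testbook.com" suffix, restricted access, and the three failed checks spelled out. The ordering of $NetworkPolicies is what matters: if a catch-all policy were placed first, every client would match it and the health result would never be consulted, which is the same mistake to watch for when ordering real NPS network policies.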
Two policies have thus been created: the "passes all security checks" policy and the "fails the security health check" policy.