Most of the employees in the office are mobile workers. Because their virus databases are not updated in time and system patches are not installed, the mobile office equipment is in a dangerous state, and when it connects to the internal network it can threaten the entire network. How do you guard this door into the network?
The author works in a media company with hundreds of reporters. Each reporter is equipped with a laptop and an Internet access device. Reporters often carry their laptops on business trips and do not log in to the internal network for long periods. Anti-virus software and system patch updates are deployed on the network, but when a reporter connects to the company network through VPN or other means, the connection time is very short, and the system patches and virus database cannot be downloaded immediately. Because the virus database is not updated in time and system patches are not installed, the laptop is in a "dangerous" state. Once it is infected and brings viruses, Trojans or other malware onto the internal network, the impact on the network is severe.
Is there a way to automatically check the security state of a client computer when it logs in to the network, and only allow it onto the network after it complies with the security standard? That is NAP, the network access protection policy.
NAP is strictly controlled
Windows Server 2008 provides NAP (Network Access Protection). Under a network access protection policy, every client computer (LAN client and VPN client) must pass a network health check, for example: is the latest security patch installed, is the anti-virus signature database updated, is the firewall enabled, and so on. Only after meeting the security conditions is it allowed into the internal network. Computers that fail the system health check are quarantined on a restricted-access network. On the restricted network the computer's state is repaired (for example by downloading the required system patches from the patch server or forcibly enabling the firewall policy), and once it reaches the network health standard it gains access to the company's internal network.
Windows Server 2008 provides several enforcement methods for network access protection. The simplest is to combine an NPS (Network Policy Server) policy with the DHCP service. To deploy this policy you also need to configure the client computers: in Group Policy, enable the "Turn on Security Center (Domain PCs only)" policy and enable the "DHCP Quarantine Enforcement Client" policy. The NAP Agent service must be running on the client; it is recommended to set its startup type to "Automatic".
Installing NPS Services
After a default installation of Windows Server 2008, the NPS (Network Policy Server) service is not installed, and the network administrator must install it manually.
Start Server Manager and run the Add Roles Wizard. In the Select Server Roles dialog box, in the Roles list, select the "Network Policy and Access Services" role. Accept the defaults for the remaining steps.
After the NPS service is installed, the DHCP service on the member server is replaced by a new NAP-capable component, and the network administrator needs to configure the DHCP options that NPS uses. By default the NAP-related "Network Access Protection" setting is not enabled; it is turned on in the properties of the DHCP scope.
NAP switches computers between restricted and unrestricted network access within the same scope by adding a User Class to the scope options. This special set of scope options (DNS server, DNS domain name, router, and so on) is used when handing out leases to clients in poor health. For example, the default DNS suffix given to a healthy client is "book.com", while the DNS suffix given to an unhealthy client is "Testbook.com".
Configuring NPS Policy
The NPS policy consists of four parts: System Health Validator, Remediation Server Group, Health Policy and Network Policy. Together they handle validation, isolation, remediation and health-policy review for computers joining the company network.
System Health Validator: evaluates the computer's running state. Here you define which checks are performed, building a checklist that decides, according to the configured policy, which computers connecting to the network are secure and which are not. For example, a computer whose firewall is turned off is considered unsafe, and a computer with no anti-virus software installed is considered unsafe. Start the "Network Policy Server" component, open "NPS (Local)" → "Network Access Protection" → "System Health Validators", and configure the states to be checked in the properties list, as shown in Figure 1.
Remediation Server Group: lets the network administrator define the systems that computers in poor health are still allowed to reach. By accessing these defined systems, an unhealthy computer is restored to a healthy state. During setup, note that the IP address of the target server and its DNS name resolution must be consistent. Start the "Network Policy Server" component, open "NPS" → "Network Access Protection" → "System Health Validators", create a new "Remediation Server Group", and enter the IP address and name of the virus signature update server or patch update server.
Health Policy: establishes the health standard for client computers. It is recommended to create two policies, one for secure computers and one for non-secure computers. A computer that the System Health Validator finds secure is classified under the secure-computer policy; a computer it finds non-secure is classified under the non-secure-computer policy. Start the "Network Policy Server" component, open "NPS" → "Policies" → "Health Policies", and create two new health policies: one is the "Pass all security checks" policy, as shown in Figure 2; the other is the "Fail security checks" policy.
Network Policy: defines the processing rules, that is, how a computer is handled based on its health. System Health Validators, Remediation Server Groups and Health Policies are tied together through network policies. A network policy is defined by the administrator and instructs NPS how to treat a computer according to its running state. NPS evaluates these policies from top to bottom, and as soon as a computer matches a policy's conditions, processing stops.
Two network policies are created, one for the "Pass all security checks" health policy and one for the "Fail security checks" health policy.
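As an added example (not code from the original article), the following Python model walks a client through the decision chain just described: the System Health Validator checklist, classification into one of the two health policies, top-to-bottom network policy matching that stops at the first match, and the DHCP scope options handed out by the default class versus the NAP User Class. The policy names, check names and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model of the NAP/DHCP decision chain: SHV checks -> health policy
# -> network policy (top to bottom, first match wins) -> DHCP scope options.

@dataclass
class ClientHealth:
    firewall_on: bool
    antivirus_installed: bool
    av_signatures_current: bool
    patches_current: bool

# Checklist the System Health Validator evaluates (the four checks named in the text).
SHV_CHECKS = {
    "firewall enabled": lambda h: h.firewall_on,
    "antivirus installed": lambda h: h.antivirus_installed,
    "antivirus signatures current": lambda h: h.av_signatures_current,
    "security updates installed": lambda h: h.patches_current,
}

def shv_failures(h):
    """Return the names of the checks the client fails (empty list = healthy)."""
    return [name for name, check in SHV_CHECKS.items() if not check(h)]

# Health policies: one for clients passing every check, one for clients failing any.
HEALTH_POLICIES = {
    "Pass all security checks": lambda failures: not failures,
    "Fail security checks": lambda failures: bool(failures),
}

# DHCP scope options: default class vs the NAP User Class (addresses are constructed).
FULL_ACCESS = {"dns_suffix": "book.com", "router": "192.0.2.1", "dns": ["192.0.2.10"]}
RESTRICTED = {"dns_suffix": "Testbook.com", "router": None, "dns": ["192.0.2.10"],
              "remediation_servers": ["192.0.2.20"]}  # patch / signature update servers

# Network policies in the order NPS processes them: the condition is the health
# policy the client must fall into, the result is the lease options it receives.
NETWORK_POLICIES = [
    ("NAP DHCP Compliant", "Pass all security checks", FULL_ACCESS),
    ("NAP DHCP Noncompliant", "Fail security checks", RESTRICTED),
]

def evaluate(h, policies=NETWORK_POLICIES):
    """Classify a client and return the first matching network policy's lease options."""
    failures = shv_failures(h)
    for name, health_policy, lease in policies:
        if HEALTH_POLICIES[health_policy](failures):
            return {"policy": name, "failures": failures, **lease}
    # No policy matched: NPS rejects the request, so the client receives no lease.
    return {"policy": None, "failures": failures}
```

Because processing stops at the first match, a client that fits no remaining policy is rejected rather than quietly given full access, which is why both health policies need a matching network policy.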