Network Access Protection using DHCP in Windows Server 2008 R2

Network Access Protection using DHCP in Windows Server 2008 R2


In today’s IT, data integrity and information security is the major concern among the system administrators - thanks to the increasing number of highly sophisticated and coordinated attacks that are ripping away the company's reputation and customer trust within hours that took years to build.

So, how do the hackers manage to do it? Answer is simple: By gaining access to servers and clients they were not authorized to access, caused due to one or more security lapses. Keeping this in mind, I’ve written this article which will help you understand how NAP plays an important role in reducing such attacks by providing system administrators a more flexible and granular control of who is able to access their network.

What NAP does is that validates each client computer’s health status (that request access to the internal network) against a set of the corporate policies and determines its level of access depending upon its health. If the computer is found to be health compliant, it is placed onto the internal network. But if the client is found to be non-compliant, NAP facilitates auto-remediation of its health by placing it in a restricted network along with the remediation server group, which is responsible for ‘repairing’ the client’s health status. On completion of the remediation procedure successfully, it is placed onto the internal network, just like in the previous case where the computer was already healthy.

Q. What kind of ‘health’ are we talking about?

A: By ‘health’ of a computer, I mean making sure that all the measures that ensure the computer to be working in its best form possible are taken, like-
• Windows Updates are enabled and up to date (provided by default)
• A Firewall is turned on and properly configured (provided by default)
• Antivirus, anti-spyware are installed with definitions up to date(provided by default)
• Other custom application requirements/ru
les are met

There are five basic ways in which NAP can be implemented:-

1. IPSec: In this type of implementation, the client computer can communicate with only a limited number of servers until it demonstrates its compliance. Other administered systems will ignore network traffic from this client when it is non-compliant. Once compliance is proved, it is allowed unrestricted access. This implementation relies on Public Key Infrastructure (PKI) certificates and hence can get complex sometimes, but is the most secure.

2. 802.1x: In this type, over wired or wireless networks- the client’s access is restricted by network infrastructure services such as connection access points like routers and switches until the client demonstrates its compliance.

3. VPN: This type is used to restrict connections from remote clients that attempt to dial-in or VPN at the VPN server itself. Since it is used for remote connection restriction, we cannot use this for controlling access of local clients that are present on site.

4. DHCP: In this type, the DHCP server assigns an IPv4 address configuration to client that allows it limited access to the network until it demonstrates compliance. This is the easiest to deploy, but also the least secure.

5. TS Gateway: This helps ensure that clients meet the health policy requirements of your organization before they are allowed to connect to internal network resources through TS Gateway servers.

What are the NAP’s advantages?

(a). Since it can be integrated with Active Directory, it can directly be managed using the Group Policy Management console.

(b). It is compatible with other custom rule enforcement applications and hence, gives more flexibility.

(c). If you have Windows Server 2008 R2 servers with Windows 7 clients, you can seamlessly make NAP work with DirectAccess for remote access too.

(d). Deploying NAP on Forefront provides even more elevated level of access control and malware protection.

In this screencast, I've demonstrated how NAP is implemented using DHCP! Please feel free to ask questions or leave your feedback!
Leave a Comment
  • Please add 1 and 1 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
  • Great Video Demo!! BTW what app did you use to record the screen?

  • Gandalf50 - Thanks for visiting my article and taking time to comment! I've used Camtasia Screen Recorder to record it! :)

  • Nice Article and Video

  • That is most helpful. What I want to know is how to deny a DHCP address to a non-NAP capable, non-domain compture.

Page 1 of 1 (4 items)