MCTS Guide to Microsoft Windows 7


Chapter 13
Enterprise Computing

Understand Active Directory
Use Group Policy to control Windows 7
Control device installation with Group Policy
Plan enterprise deployments of Windows 7
Describe enterprise deployment tools for Windows 7
Use Windows Server Update Services to apply updates
Understand Network Access Protection

                 Active Directory
Windows networks can be:
 – Workgroup-based
 – Domain-based

Domain-based networks can be centrally managed and
are much more efficient than workgroup-based networks
for larger environments
 – Windows 2000 Server and later versions include Active
   Directory (AD) used to create domain-based networks
     • Active Directory expands on the domain concept by linking domains in
       logical structures named trees, and multiple trees into forests

Domain Controller (DC)
 – Windows Server holding a copy of AD information
 – Authenticates users when they log on to a workstation
 – Responds to requests for domain resources (files, printers, etc.)


                Active Directory (cont.)
Active Directory Structure
    – Central security database used by all computers that are
      members of the same domain
    – Stores information about user accounts and computers
    – AD uses the same naming layout for resources as DNS

   Organizational Units (OUs)
    – Each domain can be subdivided into OUs
    – Allow you to organize the objects in a domain
    – Can be used for delegating management permissions
    – Used to apply Group Policies (GPOs)


                Active Directory (cont.)
Active Directory Structure (cont.)
   Trees and Forests
    – Can create more complex AD structures by combining multiple
      domains into a tree and multiple trees into a forest
           Reasons to use multiple domains
               • Decentralized Administration: Simplifies assignment of
                 management responsibilities better than using OUs
               • Unreliable WAN links: Can minimize replication traffic across the
                 WAN links
               • Multiple password policies: Pre-Windows Server 2008 domains
                 can only have a single password policy

    – Forest Root Domain
          – The first AD domain created in an organization
          – Multiple domains are connected to the forest root domain
          – Domains with the same naming structure are in a single tree
          – Domains with different naming structures are in separate trees


                Active Directory (cont.)
Active Directory Structure (cont.)
   Trees and Forests (cont.)
    – For multiple domains within a forest, Transitive Trust
      Relationships are generated automatically between the domains
          • In a forest, each domain trusts its parent and

    – Trust relationships exist between domain trees within an
      Active Directory forest


                 Active Directory (cont.)
Active Directory Structure (cont.)
   Active Directory Partitions
    – AD is divided into manageable units called Partitions
           • Domain Partition: Holds user accounts, computer accounts, and other
             domain-specific information. Replicated only to DCs in the same domain
           • Configuration Partition: Holds general information about the AD forest,
             including how replication is performed. Is replicated to all DCs in a forest
           • Schema Partition: Maintains definitions of all AD objects and attributes
             within a forest (AD’s DNA). Is replicated to all DCs in a forest.
           • Application Partitions: Can be manually created to hold application-
             specific information. Replication occurs to DCs specified by the Admin.

    – Global Catalog Servers: DCs holding a subset of information
      from all domain partitions within a forest.
           • Used for quick lookups and authentication from different areas of a forest


                 Active Directory (cont.)
Active Directory Structure (cont.)
   Active Directory Sites and Replication
    – AD uses a multimaster replication scheme
        • Data can be changed on any DC and changes are replicated to other DCs
        • Ensures AD is current on all DCs

    – Replication may not occur immediately, depending on the Site a DC
      is located in
        • AD Sites are defined by IP subnets
        • Typically, a Site is created for each physical location in the network or
          based on the quality of the connection between the physical locations

    – Within a site (Intra-Site), replication is unmanaged (Uses KCC)
        • Replication starts 15 seconds after a change is made. Multiple changes
          are batched together for efficiency.
    – Between sites (Inter-Site), replication is controlled by Site Links
        • By default, replication occurs every 180 minutes, but can be shortened to
          15 minutes. Additional site links allow more control over replication.


                 Active Directory (cont.)
Active Directory Structure (cont.)
   Active Directory and DNS
    – A common mistake on AD networks is an incorrect DNS
      configuration of servers and workstations
        • AD stores information about DCs and other resources in DNS

    – Incorrect DNS configurations can result in:
        • Slow user logons
        • Failed replication between DCs
        • Inability to apply group policies
        • Limited access to resources

    – DNS data should be divided within the organization
        • Internal DNS servers: Should resolve information within AD and forward
          requests for Internet records on behalf of internal clients and servers.

        • External DNS servers: Should never participate in AD and only resolve
          Internet-class requests for clients outside of the organization.

    – Separate domain names can be used to achieve this design:
        • Internal:   Norman.local                        External:


                 Active Directory (cont.)
Active Directory Structure (cont.)
   Joining a Domain
    – To integrate into a domain's security structure, computers must
      be joined to the domain
        • Allows for central administration of the computer/user via Group Policy

    – Security changes that occur when joined to a domain:
        • Domain Admins group becomes member of the local Administrators group
        • Domain Users group becomes a member of the local Users group
        • Domain Guests group becomes a member of the local Guests group

    – Joining a workstation to the domain creates an AD computer
      account allowing users to access domain resources
        • The workstation synchronizes time with DCs in the domain because
          authentication and resource access processes are time sensitive


                        Group Policy
   Group Policy is an integrated AD feature used to centrally
   manage Windows 7 computers and users
   Example of settings configurable under Group Policies:
    – Desktop settings, such as wallpaper and the ability to right-click
    – Security settings, such as the ability to log on locally
    – Logon, logoff, startup, and shutdown scripts
    – Folder redirection to store My Documents on a network server
    – Software distribution
   Group Policies can be linked to an AD Site, Domain, or OU
    – Policies can also be applied locally to a single computer

   Policy settings are held in Group Policy Object (GPO)
    – Collection of registry settings applied to Windows 7 computers


                    Group Policy (cont.)
   GPOs are divided into User and Computer settings
    – User settings apply to any User account within a container
    – GPO Computer settings are applied to any computer within a container

   Configuration of GPOs is performed using the MMC Group Policy
   Management Console


                    Group Policy (cont.)
   Workstations and Member servers download GPO
   settings during startup and roughly every 90 minutes
    – DCs download GPO settings every five minutes
    – GPupdate.exe utility can trigger manual application of GPOs


                    Group Policy (cont.)
Group Policy Inheritance
   GPOs are applied in the following order:
                  Local computer
                  Parent OU
                  Child OU

    – All of the individual GPO settings are inherited by default
    – One computer or user can process many policies during
      startup and logon
    – At each level, more than one GPO can be applied to a user or
    – If multiple GPOs are in one container, policies are applied in
      the order specified by the administrator


                    Group Policy (cont.)
Group Policy Inheritance (cont.)
   It is essential to know the precedence given to each
    – Precedence determines what settings apply when there are
      conflicting settings between policies

   The following steps are used to determine which policy
   settings to apply
    – If there is no conflict, the settings for all policies are applied
    – If there is a conflict, later settings overwrite earlier settings
      (Domain policy overrides the Local policy)
    – If settings in a computer policy and user policy conflict,
      the settings from the computer policy are applied
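The precedence rules above (later containers override earlier ones, link order within a container, computer settings winning over conflicting user settings) are easy to get wrong when troubleshooting, so here is a small model of them in Python. This is an added example, not code from the textbook; the GPO names, setting names and values are constructed, and a GPO is simplified to two dictionaries of settings.

```python
"""Added example (not from the textbook): a small model of the Group Policy
precedence rules this chapter describes.

Assumptions: a GPO is modelled as two dicts (Computer and User settings);
each container lists its linked GPOs in the order the administrator set;
setting names and values below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Containers are processed from least to most specific; a later container's
# settings overwrite an earlier one's on conflict (Domain overrides Local).
SCOPE_RANK = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration
    user: dict = field(default_factory=dict)      # User Configuration


def resolve_policy(containers):
    """containers: [(scope, [GPO, ...]), ...] ordered Local -> Site -> Domain
    -> parent OU -> child OU.  Returns (effective, trace): the settings that
    apply on each side and, per setting, which GPO supplied the winning value.
    """
    effective = {"computer": {}, "user": {}}
    trace = {"computer": {}, "user": {}}
    last_rank = -1
    for scope, gpos in containers:
        rank = SCOPE_RANK.get(scope)
        if rank is None or rank < last_rank:
            raise ValueError(f"containers out of processing order at {scope!r}")
        last_rank = rank
        for gpo in gpos:                      # administrator's link order
            for side in ("computer", "user"):
                for setting, value in getattr(gpo, side).items():
                    # Inherited when unset; on conflict the later GPO wins.
                    effective[side][setting] = value
                    trace[side][setting] = f"{scope}:{gpo.name}"
    # Conflict between a computer setting and a user setting: computer wins.
    for setting, value in effective["computer"].items():
        if setting in effective["user"] and effective["user"][setting] != value:
            effective["user"][setting] = value
            trace["user"][setting] = trace["computer"][setting] + " (computer policy wins)"
    return effective, trace


def demo():
    """Constructed scenario: Local -> Domain -> OU, one GPO at each level."""
    local = GPO("Local Computer Policy",
                computer={"FirewallEnabled": False},
                user={"Wallpaper": "blue.bmp"})
    domain = GPO("Default Domain Policy",
                 computer={"FirewallEnabled": True, "MinPasswordLength": 8})
    hq_ou = GPO("HQ Desktops",
                computer={"RunLogonScriptsSynchronously": True},
                user={"Wallpaper": "corp.bmp", "RunLogonScriptsSynchronously": False})
    return resolve_policy([("local", [local]), ("domain", [domain]), ("ou", [hq_ou])])


if __name__ == "__main__":
    effective, trace = demo()
    for side in ("computer", "user"):
        for setting, value in effective[side].items():
            print(f"{side:8} {setting:30} = {value!s:10} from {trace[side][setting]}")
```

The trace is the useful part: when a user asks why a setting is on, it names the container and GPO that supplied the winning value, which is the same question the Resultant Set of Policy tools answer on a real workstation.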


                    Group Policy (cont.)
Group Policy Enhancements in Windows 7
  Details of how policy settings are applied have been
   updated in Windows Vista and Windows 7
   – Many new policy settings are also available for Windows
     Vista/7 that are not valid for previous versions of Windows

  Group Policy Service
   – Used by Windows 7 to process group policies
       • Windows 2000/XP used the Winlogon service to process group policies,
         making it less flexible
   – Group Policy service offers the following benefits:
       • Group Policy settings can be applied without any reboots
       • Performance increases and resource usage is reduced for processing
       • Policy events are logged to System log instead of the Application log
       • Information about Group Policy applications is logged to a Group Policy
         Operational log


                    Group Policy (cont.)
Group Policy Enhancements in Windows 7 (cont.)
  Group Policy Preferences
   – Group Policy Preference settings can be manually changed by
     the end-users
       • Whenever computer restarts, the Group Policy Preference is reapplied
   – Pushed down to computer as part of Group Policy process
   – Has features that may have required scripting in the past
   – Items configurable with Group Policy Preferences include:
       • ODBC data sources
       • Printers
       • Scheduled tasks
       • IE settings
       • Registry keys
       • Enable/Disable devices
       • Drive mappings
       • Service configuration
       • VPN/Dialup connections
       • Start Menu configuration


    Controlling Device Installation
Organizations are concerned about hardware
equipment leaving and entering the premises
  A Windows 7 Group Policy enhancement can prevent
   device installation
   – One option in previous Windows versions was to disable or
     remove USB and other hardware ports. But . . .
       • Common peripherals (keyboards, mice, printers) connect via USB ports
   – A better solution is to prevent installation of devices at the OS level
       • If devices cannot be installed, then data cannot be transferred to them
   – Can control removable storage as a class of devices
       • Example: Policies can limit the installation of printers to only those that
         are company approved. Prevents users from installing nonstandard
         printers and driving up support costs


  Controlling Device Installation (cont.)
Device Identification
   When new devices are installed, the OS uses a Device Identification
   String and Device Setup Class to properly install the new device
        • Device Identification String is used to find the correct driver for the device
        • Device Setup Class controls how driver software is installed

   Both Device Identification Strings and Device Setup Classes can be
   used to control device installation


  Controlling Device Installation (cont.)
Device Identification (cont.)
   Device Identification Strings
    – Devices often report multiple device identification strings
        • Hardware ID is the most specific device identification string
    – Multiple IDs allow the best available driver to be installed
        • From a control perspective, use the more generic hardware IDs to control
          installation rather than the specific ones
    – Compatible IDs are another type of device identification string
        • Allows a device driver from other vendors to be used when the device
          specific driver is not available
        • Drivers based on Compatible ID may result in reduced device functionality

   Device Setup Classes
    – Used during a new device installation process to describe how
      the installation should be performed
        • Identifies a generic type of device rather than a specific make or model
        • Some devices have multiple GUIDs if they are multifunction devices


  Controlling Device Installation (cont.)
Device Installation Group Policy Settings
   Windows 7 includes ten group policy settings to control device
   installation:
    – Settings are located in Computer Configuration\Administrative
      Templates\System\Device Installation\Device Installation Restrictions

   Group Policy settings controlling device installation are:
      • Allow administrators to override Device Installation Restriction
        policies: When enabled, the Administrators group is able to install and update device
        drivers for any device regardless of other policy settings. When setting is not explicitly
        disabled, administrators can override Device Installation Restriction policies.


  Controlling Device Installation (cont.)
Device Installation Group Policy Settings (cont.)
  Group Policy settings controlling device installation are: cont.
      • Allow installation of devices using drivers that match these device setup
        classes: When enabled, devices matching the specified setup classes can be installed if
        the default configuration is to block device installation. If a device has multiple setup
        classes and one of the setup classes is specifically blocked, this setting will not override the
        blocked setup class.

      • Prevent installation of devices using drivers that match these device
        setup classes: When enabled, devices matching the specified setup classes cannot be
        installed. This setting overrides any other settings that allow device installation.

      • Display a custom message when installation is prevented by a policy
        setting: When enabled, a customized message is displayed when device installation is
        blocked by a device installation restriction policy. This allows you to clearly indicate to users
        why the error is occurring.

      • Display a custom message title when device installation is prevented by a
        policy setting: When enabled, a customized title is displayed in the error dialog box
        when device installation is blocked by a device installation restriction policy.


  Controlling Device Installation (cont.)
Device Installation Group Policy Settings (cont.)
  Group Policy settings controlling device installation are: cont.
      • Allow installation of devices that match any of these device IDs: When
        enabled, devices matching a specified device ID can be installed if default configuration is
        to block device installation. If a device has multiple device IDs and one of the device IDs is
        specifically blocked, then this setting will not override the blocked device ID.

      • Prevent installation of devices that match any of these device IDs:
        When enabled, devices matching the specified device IDs cannot be installed. This setting
        overrides any other settings that allow device installation.

      • Time (in seconds) to force reboot when required for policy changes to
        take effect: When enabled, computers affected by this policy will reboot when
        required to apply changes to Device Installation Restrictions. When this is disabled or not
        configured, a reboot is not forced.

      • Prevent installation of removable devices: When enabled, removable
        devices cannot be installed. Removable devices are those identified as removable
        by their driver, such as USB devices.

      • Prevent installation of devices not described by other policy settings:
        When enabled, all device installation is blocked unless the device ID or device setup class
        is specifically allowed.
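The ten settings interact, and the slides spell out the precedence: a "Prevent" setting overrides any "Allow" setting, one blocked ID or class is enough even when the device's other IDs or classes are allowed, and administrators can override unless the override policy is explicitly disabled. The evaluator below models that precedence as the slides describe it. It is an added example, not textbook code or Windows code: the DiskDrive and USB class GUIDs are the well-known setup classes, while the hardware IDs, compatible IDs and policy values are constructed, and the forced-reboot setting is not modelled because it does not affect the allow/block decision.

```python
"""Added example (not from the textbook): an evaluator for the Device
Installation Restrictions precedence as the slides describe it.

Assumptions: the class GUIDs are the well-known DiskDrive and USB setup
classes; the hardware/compatible IDs and the policy below are constructed.
The "Time (in seconds) to force reboot" setting does not affect the
allow/block decision and is not modelled.
"""
from dataclasses import dataclass, field

DISKDRIVE_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"   # well-known DiskDrive class
USB_CLASS = "{36fc9e60-c465-11cf-8056-444553540000}"         # well-known USB class


@dataclass
class DeviceInstallPolicy:
    allow_admin_override: bool = True     # override policy "not explicitly disabled"
    allow_classes: set = field(default_factory=set)
    prevent_classes: set = field(default_factory=set)
    allow_ids: set = field(default_factory=set)
    prevent_ids: set = field(default_factory=set)
    prevent_removable: bool = False
    prevent_unlisted: bool = False        # "not described by other policy settings"
    custom_title: str = "Device installation blocked"
    custom_message: str = "Contact the help desk to request an approved device."


@dataclass
class Device:
    hardware_ids: list                    # most specific first
    compatible_ids: list = field(default_factory=list)
    setup_classes: list = field(default_factory=list)  # several for multifunction devices
    is_removable: bool = False


def _norm(values):
    return {v.strip().lower() for v in values}


def evaluate_install(policy, device, user_is_admin=False):
    """Return (decision, reason); decision is "allow" or "block"."""
    ids = _norm(device.hardware_ids) | _norm(device.compatible_ids)
    classes = _norm(device.setup_classes)
    # Administrators may override when the override policy is not disabled.
    if user_is_admin and policy.allow_admin_override:
        return "allow", "administrator override of restriction policies"
    # "Prevent" settings override any "Allow" setting, and one blocked ID or
    # class is enough even if the device's other IDs/classes are allowed.
    blocked_ids = ids & _norm(policy.prevent_ids)
    if blocked_ids:
        return "block", f"device ID in prevent list: {sorted(blocked_ids)[0]}"
    blocked_classes = classes & _norm(policy.prevent_classes)
    if blocked_classes:
        return "block", f"setup class in prevent list: {sorted(blocked_classes)[0]}"
    if policy.prevent_removable and device.is_removable:
        return "block", "removable devices are prevented"
    # "Allow" settings only matter when the default is to block.
    if ids & _norm(policy.allow_ids):
        return "allow", "device ID explicitly allowed"
    if classes & _norm(policy.allow_classes):
        return "allow", "setup class explicitly allowed"
    if policy.prevent_unlisted:
        return "block", "device not described by any allow setting"
    return "allow", "no restriction applies"


def blocked_dialog(policy, reason):
    """Text shown to the user when a policy prevents the installation."""
    return f"{policy.custom_title}: {policy.custom_message} ({reason})"


def demo():
    """Constructed scenario: only the approved printer model may be installed,
    disk drives are blocked, and everything unlisted is blocked."""
    policy = DeviceInstallPolicy(
        allow_ids={r"USBPRINT\Acme_LaserPrinter_3000"},   # generic ID, not the specific one
        prevent_classes={DISKDRIVE_CLASS},
        prevent_removable=True,
        prevent_unlisted=True,
    )
    printer = Device(hardware_ids=[r"USBPRINT\Acme_LaserPrinter_30004F1A",
                                   r"USBPRINT\Acme_LaserPrinter_3000"])
    flash_drive = Device(hardware_ids=[r"USBSTOR\Disk_Acme_Flash_1.00"],
                         compatible_ids=[r"USBSTOR\Disk", r"USBSTOR\GenDisk"],
                         setup_classes=[DISKDRIVE_CLASS], is_removable=True)
    usb_hub = Device(hardware_ids=[r"USB\VID_1234&PID_5678"], setup_classes=[USB_CLASS])
    return {
        "printer": evaluate_install(policy, printer),
        "flash_drive": evaluate_install(policy, flash_drive),
        "usb_hub": evaluate_install(policy, usb_hub),
        "usb_hub_as_admin": evaluate_install(policy, usb_hub, user_is_admin=True),
    }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:16} {decision:5} {reason}")
```

The printer scenario shows why the slides recommend matching on the more generic hardware ID: the allow list holds the model-level ID, so any unit of that model passes while a different model falls through to the "not described by other policy settings" block.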


  Controlling Device Installation (cont.)
Removable Storage Group Policy Settings
  Since removable storage is a concern for organizations, additional
  Group Policy settings can control access to different types of
  removable storage, rather than preventing installation.
    – These settings can deny read or write access to specific
      removable storage


  Controlling Device Installation (cont.)
Removable Storage Group Policy Settings (cont.)
  Devices controllable with policy settings are:
     – CD and DVD: Controls read-write access to CD/DVD drive, including burning. Some
       burning software accesses drives in ways policy does not prevent. In this case, prevent
       installation of burning software to ensure CDs/DVDs cannot be burned.

     – Custom Classes: Controls read-write access to any device setup class that is defined.
       Useful for future devices not specifically defined in existing policy settings.

     – Floppy Drives: Controls read-write access to floppy drives, including USB floppy drives

     – Removable Disks: Controls read-write access to all removable disks, including USB

     – All Removable Storage classes: Can deny access to all types of removable
       storage. This setting overrides all others for removable storage.

     – Tape Drives: Controls read-write access to tape drives such as those used for backups

     – Windows Portable Devices (WPD): Controls read-write access to smart devices
       such as media players. Many of these devices also act as a removable disk.
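Two details in this list matter in practice: "All Removable Storage classes" overrides every per-class setting, and a device such as a media player can present more than one storage class, so it must pass the check for each class it belongs to. The function below applies both rules. It is an added example, not textbook code; the policy values, the custom class GUID and the devices are constructed.

```python
"""Added example (not from the textbook): deciding read/write access to
removable storage under the policy classes the slides list.

Assumptions: each class policy is a pair of flags (deny_read, deny_write);
the custom-class GUID and the device descriptions are constructed.
"""
ALL_REMOVABLE = "All Removable Storage classes"


def deny_rule(deny_read=False, deny_write=False):
    return {"deny_read": deny_read, "deny_write": deny_write}


def access_allowed(policy, device_classes, operation):
    """policy: {class name or custom class GUID: deny_rule}.
    device_classes: every storage class the device presents (a media player
    can be both a WPD device and a Removable Disk).
    operation: "read" or "write".  Returns (allowed, denying_class)."""
    if operation not in ("read", "write"):
        raise ValueError(f"unknown operation {operation!r}")
    key = f"deny_{operation}"
    # "All Removable Storage classes" overrides every per-class setting.
    if policy.get(ALL_REMOVABLE, {}).get(key):
        return False, ALL_REMOVABLE
    # Otherwise the device must satisfy every class it belongs to; one denial wins.
    for cls in device_classes:
        if policy.get(cls, {}).get(key):
            return False, cls
    return True, None


def demo():
    policy = {
        "CD and DVD": deny_rule(deny_write=True),                 # reading allowed, burning denied
        "Removable Disks": deny_rule(deny_read=True, deny_write=True),
        "{f2a3c1d0-0000-4000-8000-000000000001}": deny_rule(deny_write=True),  # constructed custom class
    }
    media_player = ["Windows Portable Devices", "Removable Disks"]
    lockdown = {**policy, ALL_REMOVABLE: deny_rule(deny_read=True, deny_write=True)}
    return {
        "cd_read": access_allowed(policy, ["CD and DVD"], "read"),
        "cd_write": access_allowed(policy, ["CD and DVD"], "write"),
        "player_read": access_allowed(policy, media_player, "read"),
        "tape_read_lockdown": access_allowed(lockdown, ["Tape Drives"], "read"),
    }


if __name__ == "__main__":
    for name, (allowed, by) in demo().items():
        print(f"{name:20} {'allowed' if allowed else 'denied by ' + by}")
```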


                Deployment Planning
  Often, Windows 7 is introduced when new computers are
  purchased resulting in a mix of old and new OS
     • Windows Easy Transfer can be used to migrate user settings and files to new
       computers. This time-intensive process is acceptable in smaller organizations.

     • Larger organizations have a need for OS standardization. OS migration is a
       large project with a formal planning process. This is essential to keep support
       costs down.

  Process for implementing Windows 7 includes:
     1. Define the scope and goals of the project
     2. Assess the existing computer systems
     3. Plan the new computer system configuration
     4. Determine a deployment process
     5. Test the deployment process
     6. Deploy Windows 7


          Deployment Planning (cont.)
Scope and Goals of the Project
  Organizations should not change an OS just for the
  sake of change
   – Must be significant benefits to the organization
     • Need to quantify the benefits of migrating to Windows 7;
       not simply listing its features

  Scope for a Windows 7 migration project defines which
  computers should be upgraded and data to be migrated
   – Users often want to retain current files and application settings
     under the new OS
     • This adds a significant amount of work to the migration process


         Deployment Planning (cont.)
Existing Computer Systems
  Existing computer systems must be evaluated to ensure
  they can support Windows 7
   – Evaluation is composed of two parts:
     • Hardware Evaluation - Existing hardware must be evaluated to ensure it is
       powerful enough to run Windows 7 and support any desired features such
       as the Aero interface. Hardware that does not support Windows 7 must be
       replaced or excluded from the migration project.

     • Software Evaluation - Existing applications must be evaluated to ensure
       they run properly in Windows 7. Applications that do not run properly in Windows 7
       must be replaced or accommodated by running under an older OS. An older OS
       can be run in a VM or by configuring the computer to dual-boot the older OS
       and Windows 7.


         Deployment Planning (cont.)
New Configuration
  The default Windows 7 configuration is sufficient for
  some organizational needs
   – In many other cases, organizations customize the default
     Windows 7 configuration to match their needs
     • Security settings, power management configuration, and other settings may
       need to be customized while other configuration settings can be applied after
       installation by using GPOs.

   – Applications must also be considered as part of the
     configuration planning
     • Changing to a new OS is often a good time to introduce a new Office suite.
       Making multiple changes at the same time reduces the number of times
       users are impacted by change.


         Deployment Planning (cont.)
Select the Deployment Process
  Can either upgrade an existing OS or do a clean install
   – Upgrade retains all existing computer settings, user’s files,
     applications, and application settings
   – Clean installation allows standardized configuration rather than
     using existing settings

  Potential installation methods:
   – Boot from DVD
   – Run unattended setup from a network share or DVD
   – Imaging
   – Windows Deployment Services
   – Systems Management Server


         Deployment Planning (cont.)
Test Deployment
  Must thoroughly test the deployment process
   – First part of testing process should be done in an environment
     completely separate from the rest of the production network
     • Needs to mimic the real network as closely as possible
     • Test PCs must have similar hardware and software to production PCs

   – Then, perform a test pilot on a small scale to designated users
     within the organization
     • Selected Users and Computers must be representative of the overall


         Deployment Planning (cont.)
Actual Deployment
  After testing is completed, Windows 7 can be deployed
  to the overall organization
   – In most cases, deployment:
     • Will not be over a single night or a single weekend
     • Will be by department, region, building, or floor

   – Breaking deployment into smaller phases reduces the risk of
     • If problems arise during migration missed during the testing period, then only
       the current phase is affected rather than all users
     • Using multiple phases makes dealing with user concerns and training more


    Enterprise Deployment Tools
  Previously discussed tools to deploy Windows 7 include:
   – Windows System Image Manager (WSIM)
   – Windows Easy Transfer
   – Windows PE
   – ImageX
   – Sysprep

  Additional tools used in enterprise deployments:
   – User State Migration Tool (USMT)
   – Windows Deployment Services (WDS)
   – System Center Configuration Manager (SCCM)
   – Microsoft Deployment Toolkit (MDT)

  There is an option to boot Windows 7 from a VHD file


  Enterprise Deployment Tools (cont.)
User State Migration Tool (USMT)
  Similar to Windows Easy Transfer
   – Migrates user settings, documents, and application settings
   – Both a command-line and a graphical interface are available
   – Configuration of USMT is done by editing XML files
     • MigApp.xml - Used to include/exclude settings for specific applications

     • MigUser.xml - Used to control which file types, user folders, and desktop
       settings are included in migration

     • MigSys.xml - Used only when migrating OS and browser settings to a
       Windows XP computer

     • Config.xml - Custom configuration file allows control of the migration
       process in detail. EX: Can control which OS component settings or which
       specific application settings are migrated.


  Enterprise Deployment Tools (cont.)
User State Migration Tool (USMT) (cont.)

  USMT Migration steps
   – Use ScanState on source computer to collect settings / files
     • ScanState set of settings are stored in an intermediate location

   – Install Windows 7 on the destination computer
     • Settings cannot be directly transferred to existing Windows 7 computer

   – Use LoadState on destination PC to import settings / files
     • Apps should be installed on destination before LoadState is used


  Enterprise Deployment Tools (cont.)
User State Migration Tool (USMT) (cont.)

  Using Config.xml
   – Config.xml file does not exist by default
     • Generated by running ScanState.exe with the /genconfig option

   – Captures all of the settings that are being migrated
     • Can edit file to control which settings are actually migrated when
       ScanState.exe is run

   – Can use multiple Config.xml files to control the migration
     process in different ways for users with different needs
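Editing Config.xml by hand works for one or two components, but for several user groups it is easier to script the edit so the same exclusions are applied consistently. The script below is an added example, not part of USMT or the textbook. It assumes Config.xml has the shape `/genconfig` produces, that is `<component>` elements with `displayname`, `migrate="yes|no"` and `ID` attributes grouped under `<Applications>`, `<Documents>` and `<WindowsComponents>`; the sample file is constructed in that shape with made-up ID values.

```python
"""Added example (not from USMT or the textbook): editing a USMT Config.xml
so that chosen components are not migrated.

Assumption: Config.xml has the shape /genconfig produces (component elements
with displayname, migrate and ID attributes).  SAMPLE_CONFIG is constructed
in that shape; its ID values are placeholders, not real USMT IDs.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<Configuration>
  <Applications>
    <component displayname="Microsoft Office Outlook 2007" migrate="yes" ID="constructed-app-id-1"/>
    <component displayname="Legacy Inventory Client" migrate="yes" ID="constructed-app-id-2"/>
  </Applications>
  <Documents>
    <component displayname="My Documents" migrate="yes" ID="constructed-doc-id-1"/>
    <component displayname="My Music" migrate="yes" ID="constructed-doc-id-2"/>
  </Documents>
  <WindowsComponents>
    <component displayname="Accessibility" migrate="yes" ID="constructed-win-id-1"/>
  </WindowsComponents>
</Configuration>
"""


def components(xml_text):
    """Return {displayname: migrate flag} for every component in the file."""
    root = ET.fromstring(xml_text)
    return {c.get("displayname"): c.get("migrate") for c in root.iter("component")}


def exclude_components(xml_text, names):
    """Return new Config.xml text with migrate="no" on the named components.
    Unknown names raise, so a typo cannot silently leave something migrating."""
    root = ET.fromstring(xml_text)
    wanted = set(names)
    found = set()
    for comp in root.iter("component"):
        if comp.get("displayname") in wanted:
            comp.set("migrate", "no")
            found.add(comp.get("displayname"))
    missing = wanted - found
    if missing:
        raise KeyError(f"components not in Config.xml: {sorted(missing)}")
    return ET.tostring(root, encoding="unicode")


def demo():
    """Build a per-group variant that skips music and a retired application."""
    edited = exclude_components(SAMPLE_CONFIG, ["My Music", "Legacy Inventory Client"])
    return components(edited)


if __name__ == "__main__":
    for name, flag in demo().items():
        print(f"{flag:3} {name}")
```

With several variants written out (one per user group), ScanState is run with the matching file, which is exactly the "multiple Config.xml files" approach the slide describes.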


  Enterprise Deployment Tools (cont.)
Windows Deployment Services (WDS)
  WDS is an updated version of the Windows Server
   Remote Installation Services (RIS)
   – Automates the installation of Windows clients
   – Is part of Windows Server 2008 and 2008 R2
   – Managed using WDSmgmt or WDSUTIL command-line tool
  WDS Requirements
     • Active Directory: WDS server must be Member or DC server in AD domain
     • DHCP: Used by clients to obtain IP address to communicate with WDS server
     • DNS: Used by clients to resolve hostname of WDS server
     • NTFS partition on WDS server: Images must be stored on NTFS-formatted
       volume on WDS server

     • Windows Server 2003 SP1 with RIS installed: Only required when deploying
       WDS on Windows Server 2003

     • Administrative Credentials: Must be local administrator on server to install WDS


  Enterprise Deployment Tools (cont.)
Windows Deployment Services (WDS) (cont.)
  WDS Image Types
     • Install image: WIM images that include the OS and any applications
       deployed to workstations. Can use an unattend file to modify the OS as part
       of the deployment process.

     • Boot image: WIM images that includes Windows PE. Used to run ImageX
       and deploy install images. Default boot image (boot.wim) displays a menu
       allowing selection of which install image to deploy.

     • Capture image: Images used to automate collection of a deployment image
       from a PC configured as a reference image. Sysprep is run on the PC before
       image is captured. The capture image uses Windows PE as an OS and runs
       ImageX to collect the image.

     • Discover image: Used to deploy images on PCs not supporting PXE. Are
       ISO files that can be burned to CD/DVD. At the client, can boot from
       CD/DVD to connect to the WDS server and download images.


  Enterprise Deployment Tools (cont.)
Windows Deployment Services (WDS) (cont.)
  WDS Deployment Process
   – WDS uses several technologies to load an image onto a
     workstation, among them PXE and DHCP


  Enterprise Deployment Tools (cont.)
Windows Deployment Services (WDS) (cont.)
  WDS Deployment Process (cont.)
   – Enable PXE from the client PC to boot from the network first
   – Reboot the workstation and press F12 to perform a PXE boot
   – Workstation obtains IP address from DHCP server and
     contacts WDS server
   – Select a PXE boot image if required
   – Boot image is downloaded to a RAM disk on the client
     computer and Windows PE is booted
   – Select an install image to deploy from the menu
   – ImageX runs to deploy the install image


  Enterprise Deployment Tools (cont.)
System Center Configuration Manager (SCCM)
  SCCM is a Microsoft solution to control the configuration
  of Windows computers
  Main tasks that can be accomplished with SCCM:
   – Inventory
   – Standardized configuration
   – Software deployment
   – Operating System deployment
   – Software updates

  SCCM is a complete desktop management solution
   – Can completely automate system deployment where there is no
     need to physically touch the computer
   – After OS is deployed, can push out any required applications


  Enterprise Deployment Tools (cont.)
Microsoft Deployment Toolkit (MDT)
  Helps configure scripted install of OS and applications
  Can use MDT with SCCM or on its own
   – If MDT is used with SCCM, can perform zero touch installs that
     are completely scripted
   – If not used with SCCM, then MDT can configure light touch
     • Light Touch Installation requires someone to start remote computer from a
       boot image. However, after the boot image is started, the entire installation
       process for the OS and applications can be automated.

  MDT includes a wide range of documentation about the
   deployment of Windows 7
   – This guidance on deployment best practices is as valuable as
     the scripted installations


  Enterprise Deployment Tools (cont.)
Virtual Hard Disk (VHD) Boot
  Typical Windows 7 installation is on a hard drive partition.
  This works best for most Windows 7 installs
  New feature in Windows 7 allows the OS to be installed
  to and booted from a Virtual Hard Disk (VHD) file instead
  of a disk partition
   – Useful for power users in large enterprises with a virtualized
     desktop environment
   – VHD boot can also be used to simplify dual booting


Windows Server Update Services (WSUS)
  Keeping the OS patched and updated is the easiest and
  most effective way to secure Windows 7
  Getting patches from Windows Automatic Updates from
  the web site is inefficient for larger environments
  WSUS v3.0 is a service for Server 2003 SP1 and later
   – Very efficient from a network utilization standpoint
     • Each update is downloaded only once and stored on the WSUS server
     • Client computers are configured to contact a WSUS server for updates

   – Can be configured by editing the registry or using a GPO


Windows Server Update Services (WSUS)

WSUS Update Process
  Can organize computers into groups to:
   – Control the update process
   – Generate reports to view which computers have been updated
     and which have not
   – Test updates before they are applied to workstations, thus
     reducing the risk of an update causing system down time

  The WSUS update process is as follows:
     1. Updates are downloaded by the WSUS server
     2. WSUS server notifies administrator by e-mail of available updates
     3. Administrator approves updates for test computer or group of computers
     4. Admin verifies correct application of updates to test PCs or group of PCs
     5. Administrator approves updates for the remaining computers
     6. Administrator verifies correct application of updates to remaining PCs


Windows Server Update Services (WSUS)

WSUS Update Process (cont.)
  The WSUS update process still relies on client computers to trigger
  the installation of updates
  Can configure rules on the WSUS server to automatically approve
  some updates for specific computers


Windows Server Update Services (WSUS)

Types of WSUS Updates
  WSUS obtains updates for the following products:
   – Windows clients and servers (including 64-bit)
   – Exchange Server
   – SQL Server
   – Microsoft Office
   – Microsoft Data Protection Manager
   – Microsoft ForeFront
   – Windows Live
   – Windows Defender


  Network Access Protection (NAP)
  NAP is a system enforcing requirements for client health
  before allowing the computers to connect to the network
   – EX: Appropriate update levels or current antivirus signatures

  NAP is not intended to block intruders or protect the
  network from malicious users
  Client and Server components required for NAP are
  included in Windows XP SP3, Vista/7, Server 2008, and
  Server 2008 R2


Network Access Protection (NAP) (cont.)

Enforcement Mechanisms
  Client's configuration must match the requirements of
  applied health policies to gain unlimited network access
    – Clients not meeting the health policy are restricted
       • Restrictions can include IP filters, static routes, or being placed on a
         restricted network

  Enforcement mechanisms integrated with NAP
  • IPsec: Used to encrypt and authenticate network traffic. If IPsec is used as an enforcement
    mechanism, the ability to create an IPsec connection is denied until the health policy
    requirements are met.
  • 802.1X: Is an authentication mechanism used on switches and WAPs. Network access via
    802.1X devices is restricted until health policy is met.
  • VPN: VPN Access is restricted until the health policy requirements are met.
  • DHCP: An IP address on a restricted network is leased to client until the health policy is met.
  • RADIUS: Is an authentication mechanism used by devices and applications to authenticate
    users to AD. RADIUS can integrate with NAP to restrict access for any device authenticating
    users with RADIUS.
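To make the health-policy idea concrete, the following script checks a client's reported state against a health policy and maps the outcome to the restriction each enforcement mechanism listed above applies. It is an added example, not textbook or Windows code: the "statement of health" fields, the update identifiers (placeholders, not real KB numbers) and the dates are constructed, and the restriction text per mechanism follows the slide's description.

```python
"""Added example (not from the textbook): a NAP-style health check that
decides between unlimited and restricted access and maps the result to each
enforcement mechanism the slides list.

Assumptions: the client's statement of health is the dataclass below; the
update identifiers are constructed placeholders; the per-mechanism
restriction strings paraphrase the slide text.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class HealthPolicy:
    required_updates: frozenset            # constructed placeholder identifiers
    max_signature_age_days: int            # antivirus signature freshness
    firewall_required: bool = True


@dataclass
class StatementOfHealth:
    installed_updates: frozenset
    av_signature_date: date
    firewall_enabled: bool


def check_health(policy, soh, today):
    """Return (compliant, failures).  Every failed requirement is reported so
    the remediation message can tell the user exactly what to fix."""
    failures = []
    missing = policy.required_updates - soh.installed_updates
    if missing:
        failures.append(f"missing updates: {', '.join(sorted(missing))}")
    age = (today - soh.av_signature_date).days
    if age > policy.max_signature_age_days:
        failures.append(f"antivirus signatures {age} days old (max {policy.max_signature_age_days})")
    if policy.firewall_required and not soh.firewall_enabled:
        failures.append("host firewall disabled")
    return not failures, failures


# What each enforcement mechanism does with a client that fails the policy.
RESTRICTIONS = {
    "IPsec": "IPsec connections refused until the health policy is met",
    "802.1X": "switch/WAP port access restricted until the health policy is met",
    "VPN": "VPN access restricted until the health policy is met",
    "DHCP": "lease on the restricted network (IP filters / static routes)",
    "RADIUS": "RADIUS-authenticated device access restricted until the health policy is met",
}


def enforce(mechanism, compliant):
    if mechanism not in RESTRICTIONS:
        raise ValueError(f"unknown enforcement mechanism {mechanism!r}")
    return "unlimited network access" if compliant else RESTRICTIONS[mechanism]


def demo(today=date(2011, 3, 1)):
    """Constructed clients: one current, one that missed patching for weeks."""
    policy = HealthPolicy(required_updates=frozenset({"UPDATE-EXAMPLE-1", "UPDATE-EXAMPLE-2"}),
                          max_signature_age_days=7)
    healthy = StatementOfHealth(frozenset({"UPDATE-EXAMPLE-1", "UPDATE-EXAMPLE-2", "UPDATE-EXAMPLE-3"}),
                                date(2011, 2, 27), True)
    stale = StatementOfHealth(frozenset({"UPDATE-EXAMPLE-1"}), date(2011, 2, 1), False)
    ok, _ = check_health(policy, healthy, today)
    bad, failures = check_health(policy, stale, today)
    return {"healthy": (ok, enforce("DHCP", ok)),
            "stale": (bad, failures, enforce("802.1X", bad))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Reporting every failure at once rather than stopping at the first is worth copying: a client placed on the restricted network should be able to remediate all of its problems in one pass instead of bouncing back and forth.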

