How to Configure Network Access Protection Policies in Windows Server 2022
Posted on 15th June 2023
Overview
Network Access Protection (NAP) is a security feature in Windows Server that helps protect computers on a network by allowing administrators to define and enforce health policies. When a non-compliant computer attempts to connect to the network, NAP can block the connection or limit the access of the non-compliant computer to only a restricted network. This allows administrators to prevent non-compliant computers from accessing network resources and infecting other computers on the network.
NAP Policy Enforcement Methods
There are three enforcement methods you can use to enforce NAP policies on your network:
- IPsec
- 802.1X
- VPN
IPsec Enforcement
IPsec is a security protocol that can be used to authenticate and encrypt communications between computers. IPsec can be used to enforce NAP policies by requiring all computers on the network to authenticate themselves using a digital certificate before they are allowed to communicate with other computers on the network. Computers that do not have a valid certificate will be blocked from accessing the network.
802.1X Enforcement
802.1X is a security protocol that can be used to authenticate and encrypt communications between computers. 802.1X can be used to enforce NAP policies by requiring all computers on the network to authenticate themselves using a digital certificate before they are allowed to communicate with other computers on the network. Computers that do not have a valid certificate will be blocked from accessing the network.
VPN Enforcement
VPNs can be used to enforce NAP policies by requiring all computers that connect to the VPN to authenticate themselves using a digital certificate before they are allowed to access the network. Computers that do not have a valid certificate will be blocked from accessing the network.
Configuring NAP Policies
Create a NAP Policy
To create a NAP policy, open the NAP console and click the “Create Policy” button. In the “Create Policy” wizard, select the enforcement method you want to use and click “Next”.
Configure IPsec Enforcement
If you selected IPsec enforcement, you will need to configure the following settings:
- IPsec Settings
- Certificate Requirements
IPsec Settings
In the “IPsec Settings” section, you will need to specify the following settings:
- IPsec Policy Mode
- IPsec Encryption
- IPsec Authentication
- IKE Version
- PFS Group
Certificate Requirements
In the “Certificate Requirements” section, you will need to specify the following settings:
- Certificate Authority
- Certificate Store
Configure 802.1X Enforcement
If you selected 802.1X enforcement, you will need to configure the following settings:
- EAP Type
- Authentication Method
- Certificate Requirements
EAP Type
In the “EAP Type” section, you will need to specify the following settings:
- EAP Type
- Inner Authentication Method
Authentication Method
In the “Authentication Method” section, you will need to specify the following settings:
- Authentication Method
- PAP Username
- PAP Password
- MS-CHAPv2 Username
- MS-CHAPv2 Password
Certificate Requirements
In the “Certificate Requirements” section, you will need to specify the following settings:
- Certificate Authority
- Certificate Store
Configure VPN Enforcement
If you selected VPN enforcement, you will need to configure the following settings:
- VPN Type
- Authentication Method
- Certificate Requirements
VPN Type
In the “VPN Type” section, you will need to specify the following settings:
- VPN Type
- VPN Server
Authentication Method
In the “Authentication Method” section, you will need to specify the following settings:
- Authentication Method
- PAP Username
- PAP Password
- MS-CHAPv2 Username
- MS-CHAPv2 Password
Certificate Requirements
In the “Certificate Requirements” section, you will need to specify the following settings:
- Certificate Authority
- Certificate Store
Testing NAP Policies
After you have created and configured a NAP policy, you can test it by trying to connect to the network with a non-compliant computer. You should see that the computer is blocked from accessing the network or that its access is limited to only a restricted network.
Network Access Protection (NAP) is a security feature in Windows Server that allows you to control access to your network. NAP can help you to:
-Enforce security policies for devices that connect to your network
-Prevent malicious or unauthorized devices from accessing your network
-Isolate devices that do not meet your security policies
NAP consists of two main components:
-NAP Client: A software component that is installed on client computers. The NAP client enforces security policies for the device.
-NAP Server: A software component that is installed on the network server. The NAP server enforces security policies for the network.
Configuring NAP Policies
To configure NAP policies in Windows Server, you will need to use the NAP Policy console. To open the NAP Policy console, click Start, point to Administrative Tools, and then click Network Access Protection.
In the NAP Policy console, you will see two nodes:
-System Health Policies: These policies define the conditions that a device must meet in order to access the network.
-Network Policies: These policies define the actions that will be taken if a device does not meet the conditions defined in the system health policies.
To create a new NAP policy, right-click the appropriate node (System Health Policies or Network Policies), and then click New Policy.
You will then be prompted to select the type of policy that you want to create.
System Health Policies
There are two types of system health policies:
-System Health Validators (SHVs): SHVs are used to validate the health of a device. Windows Server includes several built-in SHVs, such as the Windows Firewall SHV and the Windows Update SHV.
-Network Policy Servers (NPSs): NPSs are used to enforce network policies. Windows Server includes several built-in NPSs, such as the DHCP NPS and the DNS NPS.
To create a new SHV, select System Health Validator from the list of policy types, and then click Next.
On the Specify Conditions page, you will need to specify the conditions that a device must meet in order to be considered healthy.
For example, you could create a condition that requires the Windows Firewall to be enabled on all devices that connect to the network.
To create a new NPS, select Network Policy Server from the list of policy types, and then click Next.
On the Specify Conditions page, you will need to specify the conditions that a device must meet in order to be allowed to connect to the network.
For example, you could create a condition that requires all devices to have a valid DHCP address.
Network Policies
There are two types of network policies:
-Connection Request Policies: Connection request policies are used to control which devices are allowed to connect to the network.
-Network Access Protection Policies: NAP policies are used to control which devices are allowed to access the network.
To create a new connection request policy, select Connection Request Policy from the list of policy types, and then click Next.
On the Specify Conditions page, you will need to specify the conditions that a device must meet in order to be allowed to connect to the network.
For example, you could create a condition that requires all devices to have a valid DHCP address.
To create a new NAP policy, select Network Access Protection Policy from the list of policy types, and then click Next.
On the Specify Conditions page, you will need to specify the conditions that a device must meet in order to be allowed to access the network.
For example, you could create a condition that requires all devices to have the latest security updates installed.
After you have created a NAP policy, you will need to configure the enforcement settings. Enforcement settings determine how NAP will be enforced on the network.
There are three enforcement methods:
-VPN: VPN enforcement requires all devices to connect to the network through a VPN.
-IPSec: IPSec enforcement requires all devices to use IPSec to connect to the network.
-802.1X: 802.1X enforcement requires all devices to use 802.1X to connect to the network.