Setting up Network Access Protection in Windows Server 2022

Posted on 19th June 2023

Introduction

Network Access Protection (NAP) is a security feature in Windows Server that allows you to control access to your network based on the health of the client computer. NAP can be used to help protect your network from viruses and other malware by ensuring that only healthy computers are allowed to access the network. In this article, we will show you how to set up NAP in Windows Server 2022.

Prerequisites

Before you begin, you will need to have the following:

  • A Windows Server 2022 machine.
  • An Active Directory domain.

Setting up Network Policy Server

The first thing you need to do is set up the Network Policy Server (NPS) role on your Windows Server machine. To do this, open the Server Manager and click on “Add roles and features”. On the “Before you begin” page, click “Next”. On the “Installation Type” page, select “Role-based or feature-based installation” and click “Next”. On the “Server Selection” page, select your server from the list and click “Next”. On the “Server Roles” page, select “Network Policy Server” and click “Next”. On the “Features” page, click “Next”. On the “Confirm installation selections” page, click “Install”. Once the installation is complete, click “Close”.

Configuring Network Policy Server

Now that you have the NPS role installed, you need to configure it. To do this, open the NPS console and click on “Network Policies”. On the “Network Policies” page, click “New”. On the “Create New Network Policy” page, enter a name for the policy and description (optional) and click “Next”. On the “Conditions” page, select the “Windows Groups” condition and click “Add”. On the “Select Groups” page, select the group that you want to allow access to the network and click “Add”. Once you have added the group, click “Next”. On the “Constraints” page, select the “EAP Types” constraint and click “Add”. On the “EAP Types” page, select the “Smart Card or other certificate” EAP type and click “OK”. Once you have added the EAP type, click “Next”. On the “Settings” page, select the “Grant access” radio button and click “Next”. On the “Summary” page, review the settings and click “Finish”.

Creating a Certificate Template

The next thing you need to do is create a certificate template. To do this, open the Certificate Templates console and click on “New”. On the “Welcome to the Certificate Template Wizard” page, click “Next”. On the “Select a Certificate Template” page, select the “User” template and click “Open”. On the “Specify Certificate Template Information” page, enter a name for the template and click “Next”. On the “Cryptography” page, select the “Minimum key size” and “Provider” options and click “Next”. On the “Security” page, add the “Authenticated Users” group and give it the “Read” permission. Click “Add” and then “Next”. On the “Subject Name” page, select the “Supply in the request” option and click “Next”. On the “Extensions” page, select the “Application Policies” extension and click “Edit”. On the “Edit Application Policies” page, click “Add”. On the “Select Application Policy” page, select the “Client Auth” policy and click “OK”. Once you have added the policy, click “OK”. On the “Extensions” page, click “Next”. On the “Request Handling” page, select the “Allow private key to be exported” option and click “Next”. On the “Cryptography” page, select the “Minimum key size” and “Provider” options and click “Next”. On the “Summary” page, review the settings and click “Finish”.

Requesting a Certificate

Now that you have created the certificate template, you need to request a certificate. To do this, open the Certificate Authority console and click on “Request a Certificate”. On the “Request a Certificate” page, click “Advanced Certificate Request”. On the “Advanced Certificate Request” page, select the “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file” option and click “Next”. On the “Certificate Template” page, select the template that you created and click “Submit”. On the “Certificate Issued” page, click “Download Certificate”. Save the certificate to your computer.

Installing the Certificate

Now that you have downloaded the certificate, you need to install it. To do this, open the Certificates console and click on “Import”. On the “Certificate Import Wizard” page, click “Next”. On the “File to Import” page, browse to the certificate that you downloaded and click “Open”. On the “Password” page, enter the password for the certificate and click “Next”. On the “Certificate Store” page, click “Next”. On the “Completion” page, click “Finish”.
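
After the import, it is worth confirming that the certificate can actually be used with the “Smart Card or other certificate” EAP type configured earlier. The following PowerShell check is an added example, not part of the original article; the function name Test-ClientAuthCertificate is hypothetical and the store path Cert:\CurrentUser\My is an assumption about where the wizard placed the certificate.

```powershell
# Added example: check whether certificates in a store can be used for
# certificate-based EAP (Client Authentication EKU, private key, validity, chain).
function Test-ClientAuthCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    begin {
        $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
        $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    process {
        $now = Get-Date
        # OIDs listed in the Enhanced Key Usage extension (empty if absent).
        $ekuOids = @(
            $Certificate.Extensions |
                Where-Object { $_ -is $ekuType } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )
        # Build the chain without revocation lookups so the check works offline.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($Certificate)
        $chain.Dispose()

        $result = [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            HasPrivateKey = $Certificate.HasPrivateKey
            ClientAuthEku = $ekuOids -contains $clientAuthOid
            InValidity    = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
            ChainTrusted  = $chainOk
        }
        $usable = $result.HasPrivateKey -and $result.ClientAuthEku -and $result.InValidity -and $result.ChainTrusted
        $result | Add-Member -NotePropertyName Usable -NotePropertyValue $usable -PassThru
    }
}

# Assumed store location; adjust to the store chosen in the import wizard.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Test-ClientAuthCertificate |
    Format-Table Subject, HasPrivateKey, ClientAuthEku, InValidity, ChainTrusted, Usable -AutoSize
```

A row with Usable set to False shows which of the four conditions failed, which narrows down whether the template, the import, or the trust chain needs attention.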

Configuring NAP Client Settings

The next thing you need to do is configure the NAP client settings. To do this, open the NPS console and click on “NAP Client Configuration”. On the “NAP Client Configuration” page, select the “Windows 7 and later” option and click “Configure”. On the “Configure NAP Client Settings” page, select the “Smart card or other certificate” option and click “OK”. On the “NAP Client Configuration” page, click “OK”.

Testing NAP

To test NAP, you will need to have a client computer that is not compliant with the health policy. To do this, you can install a virus on the computer or disable the firewall. Once you have done this, try to access the network from the client computer. You should see that the client is not able to access the network. To fix this, you will need to fix the issues on the client computer and then try to access the network again. You should now be able to access the network.
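
To confirm the result of the test on the server side rather than only from the client, you can read the NPS decisions from the Security event log. This is an added example, not part of the original article; the function name Get-NpsAccessDecision is hypothetical, and it assumes an elevated session on the NPS server with auditing of the “Network Policy Server” subcategory enabled.

```powershell
# Added example: list recent NPS grant/deny decisions from the Security log.
# Assumes an elevated session on the NPS server with NPS auditing enabled.
function Get-NpsAccessDecision {
    [CmdletBinding()]
    param(
        [int]$Hours = 1   # how far back to look
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273   # 6272 = access granted, 6273 = access denied
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: an empty result is not an error during a test run.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the named EventData fields of the event into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Decision    = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
                User        = $data['SubjectUserName']
                Policy      = $data['NetworkPolicyName']
                Reason      = $data['Reason']
            }
        }
}

# Show the decisions recorded during the last hour, newest first.
Get-NpsAccessDecision -Hours 1 |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

During the test you would expect a Denied entry for the non-compliant client, followed by a Granted entry once the client has been fixed.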

Conclusion

In this article, we have shown you how to set up NAP in Windows Server 2022, how to create a certificate template and request a certificate, how to install the certificate, and how to configure the NAP client settings. Finally, we have shown you how to test NAP.