Windows Server 2008 R2 Unleashed (95 page)

tion, essentially ensuring that the IPSec key cannot be broken.

Exploring IPSec NAT Traversal

As previously mentioned, IPSec in Windows Server 2008 R2 supports the concept of Network Address Translation Traversal (NAT-T). Understanding how NAT-T works first requires a full understanding of the need for NAT itself.

Network Address Translation (NAT) was developed simply because not enough IP addresses were available for all the clients on the Internet. Because of this, private IP ranges were established (10.x.x.x, 192.168.x.x, and so on) to allow all clients in an organization to have a unique IP address in their own private space. These IP addresses were designed to not route through the public IP address space, and a mechanism was needed to translate them into a valid, unique public IP address.

NAT was developed to fill this role. It normally resides on firewall servers or routers to provide for NAT capabilities between private and public networks. Routing and Remote Access Service (RRAS) for Windows Server 2008 R2 provides NAT capabilities as well.

Because the construction of the IPSec packet does not allow for NAT addresses, IPSec traffic has, in the past, simply been dropped at NAT servers, as there is no way to physically route the information to the proper destination. This posed major barriers to the widespread implementation of IPSec because many of the clients on the Internet today are addressed via NAT.

456 CHAPTER 14 Transport-Level Security

NAT Traversal (or NAT-T), which was introduced in Windows Server 2008 and is available in Windows Server 2008 R2’s IPSec implementation, was jointly developed as an Internet standard by Microsoft and Cisco Systems. NAT-T works by sensing that a NAT connection will need to be traversed and subsequently encapsulating the entire IPSec packet into a UDP packet with a normal UDP header. NAT devices handle ordinary UDP packets without difficulty, so the encapsulated packets are routed to the proper address on the other side of the NAT.

NAT Traversal works well but requires that both ends of the IPSec transaction understand the protocol so as to properly pull the IPSec packet out of the UDP encapsulation. With the latest IPSec client and server, NAT-T becomes a reality and is positioned to make IPSec into a much bigger success than it is today.

NOTE

NAT-T was developed to keep current NAT technologies in place without changes. However, some implementations of NAT have attempted to make IPSec work natively across the translation without NAT-T. Disabling this functionality with NAT-T might not be wise, however—it might interfere with IPSec because both NAT-T and the NAT firewall will be attempting to overcome the NAT barrier.


Summary

In today’s interconnected networks, transport-level security is a major, if not one of the most important, security consideration for any organization. Securing the communications between users and computers on a network is vital, and in some cases required by law. Windows Server 2008 R2 builds on the strong security base of Windows Server 2003 and Windows Server 2008 to include support for transport-level security mechanisms, such as IPSec and PKI, using technologies such as AD CS and AD RMS. Proper configuration and utilization of these tools can effectively lock down an organization’s transmission of data and ensure that it is used only by the proper individuals.

Best Practices

The following are best practices from this chapter:

. To secure a networking environment, deploy some or many of the transport-level security technologies available.

. Because even the most secure infrastructures are subject to vulnerabilities, it is recommended to deploy multiple layers of security on critical network data.

. It is highly recommended to avoid installing the AD RMS database locally on the RMS server. Instead, use a remote full SQL Server instance.


. Take strong care to secure the Active Directory Certificate Services root CA server, as a security breach of this server would compromise the entire CA chain.

. Store a standalone root CA server in a physically locked location and shut it down when not in use. This best practice does not apply to enterprise root CAs, which cannot be shut down for long periods of time.

. Implement IPSec to secure the traffic generated in an environment and for securing servers and workstations both in high-risk Internet access scenarios and also in private network configurations.


CHAPTER 15

Security Policies, Network Policy Server, and Network Access Protection

IN THIS CHAPTER

. Understanding Network Access Protection (NAP) in Windows Server 2008 R2

. Deploying a Windows Server 2008 R2 Network Policy Server

. Enforcing Policy Settings with a Network Policy Server

. Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server

Windows Server 2008 R2 contains built-in support for a new set of services and an application programming interface (API) known as Network Access Protection (NAP). NAP supports the ability to restrict network clients based on the overall health of their systems. If, for example, the client attempting to connect to the network does not have the latest security patches or antivirus definitions installed, the technology disallows those clients from connecting to the network.


The Windows Server 2008 R2 NAP enforcement server role is known as a Network Policy Server (NPS). An NPS system controls and manages a series of defined health policies, and enforces those policies on clients that have their own local Windows System Health Agent. This chapter covers this technology in Windows Server 2008 R2. Particular attention is focused on the Network Policy Server role, and how it can be used to restrict Dynamic Host Configuration Protocol (DHCP), IPSec, 802.1X, and virtual private network (VPN) access to an environment.

Understanding Network Access Protection (NAP) in Windows Server 2008 R2

NAP in Windows Server 2008 R2 is composed of a series of components that provide for the ability to restrict client access to networks through various mechanisms such as controlling who gets an IP address from a DHCP server or who issues an IPSec certificate. NAP itself was developed as an industry-independent technology, and was made with a published set of APIs that allow third-party vendors, such as


network device makers and other software companies, to develop their own set of devices that integrate together with Windows Server 2008 R2 devices.

Exploring the Reasons for Deploying NAP

Network Access Protection was developed as a technology in response to the threats faced by computers that are not up to date with the latest security patches or do not have other security controls in place, such as up-to-date versions of antivirus software or a local software firewall. These systems are often the first to be compromised and are frequent targets of spyware attacks, which makes them especially vulnerable.

Simply allowing these clients unfettered access to a network is no longer an option. Compromised systems inside an internal network pose an especially strong security risk, as they could easily be controlled by malicious entities and could compromise sensitive data. Identifying a method for controlling these clients is becoming critical, which is why Microsoft developed the NAP concept in Windows Server 2008 R2.

Outlining NAP Components

There are three main characteristics of NAP, all of which are included within Windows Server 2008 R2 functionality. These characteristics are as follows:

. Health policy compliance—The ability to fix the problem is central to a NAP platform. Subsequently, compliance mechanisms, such as Windows Server Update Services (WSUS) servers, System Center Configuration Manager 2007 agents, and other remediation services fill the health policy compliance space of a NAP platform. Windows Server 2008 R2 can automatically refer clients to a remediation server before granting full network access. For example, a client that is out of date with patches can be referred to a WSUS server to have its patches installed.

. Health state validation—Through agents on the client systems, the specific state of an individual client can be monitored and logged. The administrator of a NAP platform will be able to tell how many systems on the network are out of date with patches, don’t have their firewalls turned on, and many other health state statistics. In some cases, health status is simply noted; in others, it is used to block access to clients.

. Access limitation—The cornerstone of an effective NAP platform is the ability to restrict access to networks based on the results of the health state validation. The type of access granted can be very granular. For example, clients can have access to specific systems for patching, but not to other clients. Windows Server 2008 R2 includes custom access limitation capabilities in NAP, allowing administrators to create flexible policies.


Understanding Windows Server 2008 R2 NAP Terminology

The following terms are useful to understand NAP concepts used in Windows Server 2008 R2:

. Enforcement Client (EC)—A client that takes part in a NAP infrastructure. Windows 7, Windows Vista, and Windows XP SP3 support NAP and can be an EC in a NAP topology, as they all contain the System Health Agent component.

. Enforcement Server (ES)—A server that takes part in a NAP infrastructure and enforces the policies. In Windows Server 2008 R2, this is the Network Policy Server (NPS) role.

. System Health Agent (SHA)—The actual agent that sends health information to the NAP ES servers. In Windows 7, Windows Vista, and Windows XP SP3, this is the Windows System Health Validator SHA, which is a service that runs on each client and monitors the local Windows Security Center on the machines.

. System Health Validator (SHV)—An SHV is the server-side component of NAP that processes the information received from the SHAs and enforces policies. The Windows Server 2008 R2 SHV can be fully integrated into NAP products from other vendors, as it is based on open standards.


. Remediation Server—A server that is made accessible to clients that have failed the NAP policy tests. These servers generally provide for services that clients can use to comply with policies, such as WSUS servers, DNS servers, and System Center Configuration Manager servers.

Changes in NAP and NPS in Windows Server 2008 R2

NAP and NPS concepts were originally built in to the original Windows Server 2008 operating system. Windows Server 2008 R2 adds a few changes and improvements to both technologies, including the following:

. Multiconfiguration System Health Validators—The biggest change to NAP in Windows Server 2008 R2 is the ability to create multiple SHV configurations across a single set of NAP health policy servers. This allows for multiple policies, some of which might be more or less restrictive than others, and provides for the creation of exceptions.

. NPS templates—Templates are now provided for elements such as RADIUS clients or shared secrets. These templates can be exported for use on other NPS servers.

. Accounting improvements in NPS—RADIUS accounting improvements have been added to NPS along with full support for international character sets, providing better logging and tracking capabilities.
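The SHA/SHV/remediation-server relationship from the terminology list, together with the multiconfiguration SHV change just described, as an added example that is not from the book and does not use the real NAP wire format or APIs: a client's reported health is validated against whichever SHV configuration applies to it (a strict default or a lenient exception), and a failing client is restricted to only the remediation servers it needs. Client names, hostnames, thresholds and the failure names are all constructed.

```python
from dataclasses import dataclass

@dataclass
class StatementOfHealth:
    """Constructed model of what a client's SHA reports (not the real SoH format)."""
    client: str
    firewall_on: bool
    av_signature_age_days: int
    missing_critical_patches: int

@dataclass
class ShvConfig:
    """One SHV configuration; R2 lets several coexist on one health policy server."""
    name: str
    require_firewall: bool
    max_av_age_days: int
    max_missing_patches: int

# Which remediation server fixes which failure (constructed hostnames).
REMEDIATION = {
    "firewall-off": ["sccm.example.local"],
    "av-outdated": ["avupdate.example.local"],
    "patches-missing": ["wsus.example.local"],
}
CONFIGS = {
    "strict": ShvConfig("strict", True, 3, 0),      # default for workstations
    "lenient": ShvConfig("lenient", False, 14, 5),  # exception, e.g. lab machines
}

def validate(soh: StatementOfHealth, cfg: ShvConfig) -> list:
    """SHV logic: compare reported health against one configuration."""
    failures = []
    if cfg.require_firewall and not soh.firewall_on:
        failures.append("firewall-off")
    if soh.av_signature_age_days > cfg.max_av_age_days:
        failures.append("av-outdated")
    if soh.missing_critical_patches > cfg.max_missing_patches:
        failures.append("patches-missing")
    return failures

def decide_access(soh: StatementOfHealth, exceptions: dict) -> dict:
    """Choose the SHV configuration (exceptions map client -> config name, default
    'strict'), then grant full access or restrict to the needed remediation servers."""
    cfg = CONFIGS[exceptions.get(soh.client, "strict")]
    failures = validate(soh, cfg)
    if not failures:
        return {"client": soh.client, "policy": cfg.name, "access": "full"}
    servers = sorted({s for f in failures for s in REMEDIATION[f]})
    return {"client": soh.client, "policy": cfg.name, "access": "restricted",
            "failures": failures, "reachable": servers}
```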


Deploying a Windows Server 2008 R2 Network Policy Server

The Windows Server 2008 R2 server role that handles NAP is the Network Policy Server role. Installing this role on a server effectively makes it an SHV and an Enforcement Server. The specific role added to the Server Role Wizard is called the Network Policy and Access Services role, and includes the following components:

. Routing and Remote Access Service (RRAS)—The server role that provides for virtual private network (VPN) capabilities, allowing for clients to “tunnel” their communications in an encrypted fashion across an insecure network such as the Internet. The role services included with this role include the Remote Access Service, which provides VPN support, and the Routing service, which provides software-based routing capabilities on the server itself.
