Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
tion, essentially ensuring that the IPSec key cannot be broken.
Exploring IPSec NAT Traversal
As previously mentioned, IPSec in Windows Server 2008 R2 supports the concept of
Network Address Translation Traversal (NAT-T). Understanding how NAT-T works first
requires a full understanding of the need for NAT itself.
Network Address Translation (NAT) was developed simply because not enough IP addresses
were available for all the clients on the Internet. Because of this, private IP ranges were
established (10.x.x.x, 192.168.x.x, and so on) to allow all clients in an organization to
have a unique IP address in their own private space. These IP addresses were designed to
not route through the public IP address space, and a mechanism was needed to translate
them into a valid, unique public IP address.
NAT was developed to fill this role. It normally resides on firewall servers or routers to
provide for NAT capabilities between private and public networks. Routing and Remote
Access Service (RRAS) for Windows Server 2008 R2 provides NAT capabilities as well.
Because the construction of the IPSec packet does not allow for the address rewriting that NAT performs, IPSec traffic has, in the past, simply been dropped at NAT servers, as there is no way to physically route the information to the proper destination. This posed major barriers to the widespread implementation of IPSec because many of the clients on the Internet today are addressed via NAT.
CHAPTER 14
Transport-Level Security
NAT Traversal (or NAT-T), which was introduced in Windows Server 2008 and is available in Windows Server 2008 R2’s IPSec implementation, was jointly developed as an Internet standard by Microsoft and Cisco Systems. NAT-T works by sensing that a NAT connection will need to be traversed and subsequently encapsulating the entire IPSec packet into a UDP packet with a normal UDP header. NAT devices handle ordinary UDP packets without difficulty, so the encapsulated packets are routed to the proper address on the other side of the NAT.
NAT Traversal works well but requires that both ends of the IPSec transaction understand
the protocol so as to properly pull the IPSec packet out of the UDP encapsulation. With
the latest IPSec client and server, NAT-T becomes a reality and is positioned to make IPSec
into a much bigger success than it is today.
NOTE
NAT-T was developed to keep current NAT technologies in place without changes.
However, some implementations of NAT have attempted to make IPSec work natively
across the translation without NAT-T. Disabling this functionality with NAT-T might not be
wise, however—it might interfere with IPSec because both NAT-T and the NAT firewall
will be attempting to overcome the NAT barrier.
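The UDP encapsulation described above has a fixed framing that a network defender can inspect without any keys. The following is an added example, not code from the book or from Microsoft, that parses it. The framing facts come from the NAT-T standards (RFC 3947 and RFC 3948): once NAT-T is negotiated, both IKE and ESP move to UDP port 4500; an IKE message carried there begins with a four-byte zero "non-ESP marker"; a one-byte 0xFF payload is a NAT keepalive; anything else is an ESP packet whose first eight bytes are the SPI and sequence number. The packets, addresses and SPI values are constructed sample data; the replay check on sequence numbers is a monitoring heuristic added here, not something the page describes.

```python
# Added example, not code from the book: a small parser for the UDP
# encapsulation that NAT-T applies to IPsec traffic (framing per RFC 3947 /
# RFC 3948). All packets below are constructed sample data.
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried on UDP 4500
KEEPALIVE = b"\xff"                    # one-byte NAT keepalive


@dataclass
class NatTRecord:
    kind: str            # "ike", "esp", "keepalive" or "invalid"
    spi: Optional[int]   # ESP Security Parameter Index (esp only)
    seq: Optional[int]   # ESP sequence number (esp only)
    note: str


def classify_nat_t_payload(payload: bytes) -> NatTRecord:
    """Decide what a UDP 4500 payload carries without decrypting anything."""
    if payload == KEEPALIVE:
        return NatTRecord("keepalive", None, None,
                          "NAT keepalive; refreshes the UDP mapping in the NAT table")
    if len(payload) < 8:
        return NatTRecord("invalid", None, None, "too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return NatTRecord("ike", None, None,
                          "IKE negotiation inside UDP 4500 (non-ESP marker)")
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTRecord("esp", spi, seq,
                      "UDP-encapsulated ESP; the NAT rewrites only the outer IP/UDP header")


Packet = Tuple[str, int, str, int, bytes]   # src_ip, src_port, dst_ip, dst_port, payload


def summarize_flows(packets: Iterable[Packet]) -> Tuple[Dict[str, int], List[str]]:
    """Count packet kinds on the NAT-T port and flag ESP sequence numbers that
    do not increase for a given (source, destination, SPI), which is what the
    receiver's anti-replay window would reject."""
    summary = {"ike": 0, "esp": 0, "keepalive": 0, "invalid": 0, "other_port": 0}
    last_seq: Dict[Tuple[str, str, int], int] = {}
    warnings: List[str] = []
    for src, sport, dst, dport, payload in packets:
        if NAT_T_PORT not in (sport, dport):
            summary["other_port"] += 1      # e.g. plain IKE on UDP 500
            continue
        rec = classify_nat_t_payload(payload)
        summary[rec.kind] += 1
        if rec.kind == "esp":
            key = (src, dst, rec.spi)
            prev = last_seq.get(key)
            if prev is not None and rec.seq <= prev:
                warnings.append(f"{src}->{dst} SPI {rec.spi:#010x}: "
                                f"sequence {rec.seq} after {prev} (possible replay)")
            last_seq[key] = max(prev or 0, rec.seq)
    return summary, warnings


# Constructed sample capture: one IKE message, three ESP packets (the third
# repeats a sequence number), one keepalive and one plain IKE packet on UDP 500.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", 4500, "203.0.113.10", 4500, NON_ESP_MARKER + b"\x11" * 28),
    ("10.0.0.5", 4500, "203.0.113.10", 4500, struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16),
    ("10.0.0.5", 4500, "203.0.113.10", 4500, struct.pack("!II", 0x12345678, 2) + b"\xbb" * 16),
    ("10.0.0.5", 4500, "203.0.113.10", 4500, struct.pack("!II", 0x12345678, 2) + b"\xcc" * 16),
    ("10.0.0.5", 4500, "203.0.113.10", 4500, KEEPALIVE),
    ("10.0.0.5", 500, "203.0.113.10", 500, b"\x00" * 28),
]

if __name__ == "__main__":
    counts, alerts = summarize_flows(SAMPLE_PACKETS)
    print(counts)
    for alert in alerts:
        print("WARNING:", alert)
```

Because the NAT only touches the outer UDP header, a monitoring point on either side of it sees the same SPI and sequence numbers, which is why per-SPI bookkeeping like this works even though the ESP payload itself stays opaque.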
In today’s interconnected networks, transport-level security is a major, if not one of the most important, security consideration for any organization. Securing the communications between users and computers on a network is vital, and in some cases required by law. Windows Server 2008 R2 builds on the strong security base of Windows Server 2003 and Windows Server 2008 to include support for transport-level security mechanisms, such as IPSec and PKI, using technologies such as AD CS and AD RMS. Proper configuration and utilization of these tools can effectively lock down an organization’s transmission of data and ensure that it is used only by the proper individuals.
The following are best practices from this chapter:
. To secure a networking environment, deploy some or many of the transport-level
security technologies available.
. Because even the most secure infrastructures are subject to vulnerabilities, it is
recommended to deploy multiple layers of security on critical network data.
. It is highly recommended to avoid installing the AD RMS database locally on the
RMS server. Instead, use a remote full SQL Server instance.
. Take strong care to secure the Active Directory Certificate Services root CA server, as
a security breach of this server would compromise the entire CA chain.
. Store a standalone root CA server in a physically locked location and shut it down
when not in use. This best practice does not apply to enterprise root CAs, which
cannot be shut down for long periods of time.
. Implement IPSec to secure the traffic generated in an environment and for securing servers and workstations both in high-risk Internet access scenarios and also in private network configurations.
IN THIS CHAPTER
. Understanding Network Access Protection (NAP) in Windows Server 2008 R2
. Deploying a Windows Server 2008 R2 Network Policy Server
. Enforcing Policy Settings with a Network Policy Server
. Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server
Windows Server 2008 R2 contains built-in support for a new set of services and an application programming interface (API) known as Network Access Protection (NAP). NAP supports the ability to restrict network clients based on the overall health of their systems. If, for example, the client attempting to connect to the network does not have the latest security patches or antivirus definitions installed, the technology disallows those clients from connecting to the network.
The Windows Server 2008 R2 NAP enforcement server role
is known as a Network Policy Server (NPS). An NPS system
controls and manages a series of defined health policies,
and enforces those policies on clients that have their own
local Windows System Health Agent. This chapter covers
this technology in Windows Server 2008 R2. Particular
attention is focused on the Network Policy Server role, and
how it can be used to restrict Dynamic Host Configuration
Protocol (DHCP), IPSec, 802.1X, and virtual private network
(VPN) access to an environment.
CHAPTER 15 Security Policies, Network Policy Server, and Network Access Protection
NAP in Windows Server 2008 R2 is composed of a series of components that provide for the ability to restrict client access to networks through various mechanisms such as controlling who gets an IP address from a DHCP server or who issues an IPSec certificate. NAP itself was developed as an industry-independent technology, and was made with a published set of APIs that allow third-party vendors, such as network device makers and other software companies, to develop their own set of devices that integrate together with Windows Server 2008 R2 devices.
Exploring the Reasons for Deploying NAP
Network Access Protection was developed as a technology in response to the threats faced by computers that are not up to date with the latest security patches or do not have other security controls in place, such as an up-to-date version of antivirus software or a local software firewall. These systems are often the first to be compromised, are frequent targets of spyware attacks, and are consequently especially vulnerable.
Simply allowing these clients unfettered access to a network is no longer an option.
Compromised systems inside an internal network pose an especially strong security risk, as
they could easily be controlled by malicious entities and could compromise sensitive data.
Identifying a method for controlling these clients is becoming critical, which is why
Microsoft developed the NAP concept in Windows Server 2008 R2.
Outlining NAP Components
There are three main characteristics of NAP, all of which are included within Windows Server 2008 R2 functionality. These characteristics are as follows:
. Health policy compliance—The ability to fix the problem is central to a NAP platform. Consequently, compliance mechanisms, such as Windows Server Update Services (WSUS) servers, System Center Configuration Manager 2007 agents, and other remediation services fill the health policy compliance space of a NAP platform. Windows Server 2008 R2 can automatically refer clients to a remediation server before granting full network access. For example, a client that is out of date with patches can be referred to a WSUS server to have its patches installed.
. Health state validation—Through agents on the client systems, the specific state of an individual client can be monitored and logged. The administrator of a NAP platform will be able to tell how many systems on the network are out of date with patches, don’t have their firewalls turned on, and many other health state statistics. In some cases, health status is simply noted; in others, it is used to block access to clients.
. Access limitation—The cornerstone of an effective NAP platform is the ability to restrict access to networks based on the results of the health state validation. The type of access granted can be very granular. For example, clients can have access to specific systems for patching, but not to other clients. Windows Server 2008 R2 includes custom access limitation capabilities in NAP, allowing administrators to create flexible policies.
Understanding Windows Server 2008 R2 NAP Terminology
The following terms are useful for understanding the NAP concepts used in Windows Server 2008 R2:
. Enforcement Client (EC)—A client that takes part in a NAP infrastructure. Windows 7, Windows Vista, and Windows XP SP3 support NAP and can be an EC in a NAP topology, as they all contain the System Health Agent component.
. Enforcement Server (ES)—A server that takes part in a NAP infrastructure and enforces the policies. In Windows Server 2008 R2, this is the Network Policy Server (NPS) role.
. System Health Agent (SHA)—The actual agent that sends health information to the NAP ES servers. In Windows 7, Windows Vista, and Windows XP SP3, this is the Windows System Health Validator SHA, which is a service that runs on each client and monitors the local Windows Security Center on the machines.
. System Health Validator (SHV)—An SHV is the server-side component of NAP that processes the information received from the SHAs and enforces policies. The Windows Server 2008 R2 SHV can be fully integrated into NAP products from other vendors, as it is based on open standards.
. Remediation Server—A server that is made accessible to clients that have failed the NAP policy tests. These servers generally provide for services that clients can use to comply with policies, such as WSUS servers, DNS servers, and System Center Configuration Manager servers.
Changes in NAP and NPS in Windows Server 2008 R2
NAP and NPS concepts were originally built into the original Windows Server 2008 operating system. Windows Server 2008 R2 adds a few changes and improvements to both technologies, including the following:
. Multiconfiguration Service Health Validators—The biggest change to NAP in Windows Server 2008 R2 is the ability to create multiple SHVs across a single set of NAP health policy servers. This allows for multiple policies, some of which might be more or less restrictive, and provides for the creation of exceptions.
. NPS templates—Templates are now provided for elements such as RADIUS clients or shared secrets. These templates can be exported for use on other NPS servers.
. Accounting improvements in NPS—RADIUS accounting improvements have been added to NPS, along with full support for international character sets, providing better logging and tracking capabilities.
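The three NAP characteristics outlined earlier (health state validation, access limitation and health policy compliance through remediation) and the multiconfiguration SHV change just described fit together in one evaluation loop. The following is an added example, not code from the book or from Microsoft: a toy model in which a client's statement of health is checked against one of two SHV configurations that coexist on the same policy server, and the outcome selects an access level and the remediation servers the client may reach. The policy names, thresholds, client names and remediation host names are all constructed for this example, and the "report"/"restrict" switch stands in for the distinction the text draws between merely noting health status and using it to block access.

```python
# Added example, not code from the book or from Microsoft: a toy model of the
# NAP evaluation loop. Policy names, thresholds and host names are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class StatementOfHealth:          # what the client's System Health Agent reports
    client: str
    firewall_on: bool
    antivirus_on: bool
    av_definitions_age_days: int
    missing_critical_updates: int


@dataclass
class ShvConfiguration:           # one named System Health Validator configuration
    name: str
    require_firewall: bool
    require_antivirus: bool
    max_av_definition_age_days: int
    max_missing_critical_updates: int


@dataclass
class HealthResult:
    client: str
    policy: str
    compliant: bool
    failures: List[str]      # failure codes from validate()
    access: str              # "full" or "restricted"
    remediation: List[str]   # remediation servers the client may reach


# Constructed remediation servers, keyed by the failure code they address.
REMEDIATION_SERVERS = {
    "updates": "wsus.remediation.example",
    "antivirus": "av-updates.remediation.example",
    "av_definitions": "av-updates.remediation.example",
}

# Two SHV configurations on one NPS: the corporate LAN policy and a more
# lenient exception policy, for example for VPN users on the road.
STRICT_POLICY = ShvConfiguration("Corporate LAN", True, True, 3, 0)
LENIENT_POLICY = ShvConfiguration("VPN exception", True, False, 14, 2)


def validate(soh: StatementOfHealth, cfg: ShvConfiguration) -> List[str]:
    """Health state validation: return the codes of every failed check."""
    failures = []
    if cfg.require_firewall and not soh.firewall_on:
        failures.append("firewall")
    if cfg.require_antivirus and not soh.antivirus_on:
        failures.append("antivirus")
    if soh.av_definitions_age_days > cfg.max_av_definition_age_days:
        failures.append("av_definitions")
    if soh.missing_critical_updates > cfg.max_missing_critical_updates:
        failures.append("updates")
    return failures


def evaluate(soh: StatementOfHealth, cfg: ShvConfiguration,
             enforcement: str = "restrict") -> HealthResult:
    """Access limitation: in "restrict" mode a non-compliant client is placed on
    the restricted network with only its remediation servers reachable; in
    "report" mode the failure is only logged and full access is still granted."""
    failures = validate(soh, cfg)
    if not failures:
        return HealthResult(soh.client, cfg.name, True, [], "full", [])
    remediation = sorted({REMEDIATION_SERVERS[f] for f in failures if f in REMEDIATION_SERVERS})
    access = "full" if enforcement == "report" else "restricted"
    return HealthResult(soh.client, cfg.name, False, failures, access, remediation)


def health_statistics(sohs: Iterable[StatementOfHealth], cfg: ShvConfiguration) -> Dict[str, int]:
    """The administrator's view: how many clients pass, and which checks fail."""
    counts = {"compliant": 0, "noncompliant": 0}
    for soh in sohs:
        failures = validate(soh, cfg)
        counts["noncompliant" if failures else "compliant"] += 1
        for code in failures:
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample clients.
HEALTHY_CLIENT = StatementOfHealth("wks01", True, True, 1, 0)
STALE_CLIENT = StatementOfHealth("lap07", True, True, 7, 1)
NO_FIREWALL_CLIENT = StatementOfHealth("lap09", False, True, 0, 0)
SAMPLE_CLIENTS = [HEALTHY_CLIENT, STALE_CLIENT, NO_FIREWALL_CLIENT]

if __name__ == "__main__":
    for policy in (STRICT_POLICY, LENIENT_POLICY):
        print(policy.name, health_statistics(SAMPLE_CLIENTS, policy))
        for soh in SAMPLE_CLIENTS:
            print("  ", evaluate(soh, policy))
```

Running it shows the same laptop with week-old definitions and one missing update being restricted under the strict configuration but passing under the exception policy, which is exactly the kind of per-population difference that multiple SHV configurations on one NPS are meant to express. A client whose only failure is a disabled firewall is restricted with no remediation server listed, since none of the constructed servers addresses that check.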
Deploying a Windows Server 2008 R2 Network Policy Server
The Windows Server 2008 R2 server role that handles NAP is the Network Policy Server role. Installing this role on a server effectively makes it an SHV and an Enforcement Server. The specific role added to the Server Role Wizard is called the Network Policy and Access Services role, and includes the following components:
. Routing and Remote Access Service (RRAS)—The server role that provides for virtual private network (VPN) capabilities, allowing clients to “tunnel” their communications in an encrypted fashion across an insecure network such as the Internet. The role services included with this role include the Remote Access Service, which provides VPN support, and the Routing service, which provides software-based routing capabilities on the server itself.