Your network consists of a single Active Directory domain. The network is located on the
172.16.0.0/23 subnet. The company hires temporary employees. You provide user accounts and
computers to the temporary employees. The temporary employees receive computers that are
outside the Active Directory domain. The temporary employees use their computers to connect to
the network by using wired connections and wireless connections. The company’s security policy
specifies that the computers connected to the network must have the latest updates for the
operating system. You need to plan the network’s security so that it complies with the company’s
security policy. What should you include in your plan?
A.
Implement a Network Access Protection (NAP) strategy for the 172.16.0.0/23 subnet.
B.
Create an extranet domain within the same forest. Migrate the temporary employees’ user
accounts to the extranet domain. Install the necessary domain resources on the 172.16.0.0/23
subnet.
C.
Move the temporary employees’ user accounts to a new organizational unit (OU). Create a new
Group Policy object (GPO) that uses an intranet Microsoft Update server. Link the new GPO to the
new OU.
D.
Create a new subnet in a perimeter network. Relocate the wireless access point to the perimeter
network. Require authentication through a VPN server before allowing access to the internal
resources.
Explanation:
http ://technet.microsoft.com/en-us/library/dd125338%28WS.10%29.aspx
Network Access Protection Design Guide
Updated: October 6, 2008
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Network Access Protection (NAP) is one of the most anticipated features of the
WindowsServer®2008 operating system. NAP is a new platform that allows network administrators
to define specific levels of network access based on a client’s identity, the groups to which the client
belongs, and the degree to which the client complies with corporate governance policy. If a client is
not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a
process known as remediation) and then dynamically increasing its level of network access. NAP is
supported by Windows Server2008R2, Windows Server2008, Windows7, WindowsVista®, and
Windows® XP with Service Pack 3 (SP3). NAP includes an application programming interface that
developers and vendors can use to integrate their products and leverage this health state validation,
access enforcement, and ongoing compliance evaluation. For more information about the NAP API,
see Network Access Protection (http ://go.microsoft.com/fwlink/?LinkId=128423).
The following are key NAP concepts:
NAP Agent.
A service included with Windows Server2008, WindowsVista, and Windows XP with SP3 that collects
and manages health information for NAP client computers.
NAP client computer.
A computer that has the NAP Agent service installed and running, and is providing its health status to
NAP server computers.
NAP-capable computer.
A computer that has the NAP Agent service installed and running and is capable of providing its
health status to NAP server computers. NAP-capable computers include computers running
Windows Server2008, WindowsVista, and Windows XP with SP3.
Non-NAP-capable computer. A computer that cannot provide its health status to NAP servercomponents. A computer that has NAP agent installed but not running is also considered non-NAPcapable.
Compliant computer.
A computer that meets the NAP health requirements that you have defined for your network. Only
NAP client computers can be compliant.
Noncompliant computer.
A computer that does not meet the NAP health requirements that you have defined for your
network. Only NAP client computers can be noncompliant.
Health status.
Information about a NAP client computer that NAP uses to allow or restrict access to a network.
Health is defined by a client computer’s configuration state. Some common measurements of health
include the operational status of Windows Firewall, the update status of antivirus signatures, and
the installation status of security updates. A NAP client computer provides health status by sending a
message called a statement of health (SoH).
NAP health policy server.
A NAP health policy server is a computer running Windows Server2008 with the Network Policy
Server (NPS) role service installed and configured for NAP. The NAP health policy server uses NPS
policies and settings to evaluate the health of NAP client computers when they request access to the
network, or when their health state changes. Based on the results of this evaluation, the NAP health
policy server instructs whether NAP client computers will be granted full or restricted access to the
network.