###BeginCaseStudy###
Case Study: 8
Graphic Design Institute, Case A
Scenario
COMPANY OVERVIEW
Graphic Design Institute is a training company that has a main office and 10 branch offices.
The main office is located in Bangalore.
PLANNED CHANGES
Graphic Design Institute plans to implement the following changes:
• Deploy a new two-node failover cluster that runs the Hyper-V server role on each
node.
• Ensure that intra-cluster network traffic is isolated from all other network traffic.
• Implement Network Access Protection (NAP) for all of the client computers on the
internal network and for all of the client computers that connect remotely.
EXISTING ENVIRONMENT
The relevant servers in the main office are configured as shown in the following table.
The server has the following configurations:
• NPAS1 contains a static IP address pool,
• Web1, Web2, and Web3host a copy of the corporate Web site.
• Web1, Web2, and Web3 are located in the perimeter network and belong to a
workgroup.
All client computers run Windows XP Professional, Windows Vista Enterprise, or Windows
7 Enterprise, All client computers are members of the domain.
Some users work remotely. To access the company’s internal resources, the remote users use
a VPN connection to NPAS1.
Existing Active Directors/Directory Services
The network contains a single-domain Active Directory forest named
graphicdesigninstitute.com. The Active Directory Recycle Bin is enabled.
Existing Network Infrastructure
Graphic Design Institute has an internal network and a perimeter network.
The network contains network switches and wireless access points (WAPs) from multiple
vendors. Some of the network devices are more than 10 years old and do not support portbased authentication.
TECHNICAL REQUIREMENTS
All of the accounts used for administration must be assigned the minimum amount of
permissions.
Web1, Web2, and Web3 must have the identical configurations for the corporate Web site.
The Web servers must contain a local copy of all the Web pages in the Web site. When a
Web page is modified on any of the Web servers, the modifications must be copied
automatically to all of the Web servers.
A user named Admin1 must be responsible for performing the following tasks:
• Restarting all of the Web servers.
• Backing up and restoring the files on all of the Web servers.
A user named Admin2 must be responsible for performing the following tasks:
• Backing up the Active Directory database.
• Recovering deleted objects from the Active Directory Recycle Bin.
###EndCaseStudy###
Which NAP enforcement method should you recommend?
A.
802.1x
B.
DHCP
C.
IPSec
D.
VPN
Explanation:
Requirements/information:
Implement Network Access Protection (NAP) for all of the client computers on the internal network
and for all of the client computers that connect remotely
Some users work remotely. To access the company’s internal resources, the remote users use a VPN
connection to NPAS1.
The network contains network switches and wireless access points (WAPs) from multiple vendors
Some of the network devices are more than 10 years old and do not support portbased
authentication.
Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to
network resources based on a client computer’s identity and compliance with corporate governance
policy. NAP allows network administrators to define granular levels of network access based on who
a client is, the groups to which the client belongs, and the degree to which that client is compliant
with corporate governance policy. If a client is not compliant, NAP provides a mechanism to
automatically bring the client back into compliance and then dynamically increase its level of
network access.
NAP Enforcement Methods
When a computer is found to be noncompliant with the enforced health policy, NAPenforces limited
network access. This is done through an Enforcement Client (EC). Windows Vista, Windows XP
Service Pack 3, and Windows Server 2008 include NAPEC support for IPsec, IEEE 802.1X, Remote
Access VPN, and DHCP enforcement methods. Windows Vista and Windows Server 2008 also
support NAP enforcement for Terminal Server Gateway connections.
NAP enforcement methods can either be used individually or can be used in conjunction with each
other to limit the network access of computers that are found not to be in compliance with
configured health policies. Hence you can apply the remote access VPN and IPsec enforcement
methods to ensure that internal clients and clients coming in from the Internet are only granted
access to resources if they meet the appropriate client health benchmarks.
802.1X step-by-step guide.
http ://www.microsoft.com/downloads/en/details.aspx?FamilyID=8a0925ee-ee06-4dfbbba2-07605eff0608&displaylang=en
802. 802.1X Enforcement
When 802.1X is used—over either wired or wireless networks—the client device’s access is
restricted by network infrastructure devices such as wireless connection points and switches. Until
the device has demonstrated its compliance, client access is restricted.
Restriction is enforced on the network access device using an access control list (ACL) or by placing
the client device on restricted virtual local area networks (VLANs). The 802.1X standard is more
complex to deploy than DHCP, but it provides a high degree of protection.
as a requirement of 802.1 is port authentication and some of the devices ate 10+ years old and do
not support this then then this rules out this method
IPSEC ENFORCEMENT
IPsec enforcement works by applying IPsec rules. Only computers that meet health compliance
requirements are able to communicate with each other. IPsec enforcement can be applied on a perIP address, per-TCP port number, or per-UDP port number basis. For example: You can use IPsec
enforcement to block RDP access to a web server so that only computers that are healthy can
connect to manage that server but allow clients that do not meet health requirements to connect to
view Web pages hosted by the same web server.
IPsec is the strongest method of limiting network access communication through NAP. Where it
might be possible to subvert other methods by applying static addresses or switching ports, the
IPsec certificate used for encryption can be obtained by a host only when it passes the health check.
No IPsec certificate means that communication with other hosts that encrypt their communications
using a certificate issued from the same CA is impossible.
VPN Enforcemement
VPN enforcement is used on connecting VPN clients as a method of ensuring that clients granted
access to the internal network meet system health compliance requirements. VPN enforcement
works by restricting network access to noncompliant clients through the use of packet filters. Rather
than being able to access the entire network, incoming VPN clients that are noncompliant have
access only to the remediation server group.
As is the case with 802.1X enforcement, the health status of a connected client is monitored
continuously. If a client becomes noncompliant, packet filters restricting network access will be
applied. If a noncompliant client becomes compliant, packet filters restricting network access will be
removed. VPN enforcement requires an existing remote access infrastructure and an NPS server. The
enforcement method uses the VPN EC, which is included with Windows 7, Windows Vista, Windows
Server 2008, Windows Server 2008 R2, and Windows XP SP3.
DHCP NAP Enforcement
DHCP NAP enforcement works by providing unlimited-access IPv4 address information to compliant
computers and limited-access IPv4 address information to noncompliant computers. Unlike VPN and
802.1X enforcement methods, DHCP NAP enforcement is applied only when a client lease is
obtained or renewed. Organizations using this method of NAP enforcement should avoid configuring
long DHCP leases because this will reduce the
frequency at which compliance checks are made.
To deploy DHCP NAP enforcement, you must use a DHCP server running Windows Server 2008 or
Windows Server 2008 R2 because this includes the DHCP Enforcement Service (ES). The DHCP EC is
included in the DHCP Client service on Windows 7, Windows Vista, Windows Server 2008, Windows
Server 2008 R2, and Windows XP SP3.
The drawback of DHCP NAP enforcement is that you can get around it by configuring a client’s IP
address statically. Only users with local administrator access can configure a manual IP, but if yourorganization gives users local administrator access, DHCP NAP enforcement may not be the most
effective method of keeping these computers off the network until they are compliant.