Friday, January 23, 2015

2. You are the System Administrator at AmpleInfo Corporations. The company's security policy states that only client computers that meet the security requirements of the network should be able to connect to the network. Now, you have been given a task to ensure security for the connections and establish a way to bring non compliant client computers into compliance automatically. You analyze the scenario and want to implement the Dynamic Host Configuration Protocol (DHCP) Network Access Protection (NAP) enforcement. How will you configure NAP and DHCP to accomplish the preceding task?

To accomplish the assigned task, you need to perform the following tasks:
1. Install the DHCP and Network Policy Server (NPS) server roles.
2. Configure the Image_SVR1 virtual machine as a NAP health policy server.
3. Configure the DHCP service for NAP enforcement.
4. Configure the Image_Win8_CL1 virtual machine as the DHCP and NAP client.
5. Test the NAP enforcement.




Task 1: Installing the DHCP and NPS Server Roles
To install the DHCP and NPS server roles, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Switch to the Image_SVR1 virtual machine.
2. Ensure that the Server Manager window is open and active.
3. Click the Add roles and features link in the right pane.
4. Click the Next button. The Select installation type page is displayed.
5. Click the Next button. The Select destination server page is displayed.
6. Click the Next button. The Select server roles page is displayed.
7. Select the DHCP Server check box in the Roles list box. The Add Roles and Features Wizard dialog box is displayed.
8. Click the Add Features button. The Select server roles page is displayed.
9. Select the Network Policy and Access Services check box. The Add Roles and Features Wizard dialog box is displayed.
10. Click the Add Features button. The Select server roles page is displayed.
11. Click the Next button. The Select features page is displayed.
12. Click the Next button. The DHCP Server page is displayed.
13. Click the Next button. The Network Policy and Access Services page is displayed.
14. Click the Next button. The Select role services page is displayed.
15. Ensure that the Network Policy Server check box is selected in the right pane.
16. Click the Next button. The Confirm installation selections page is displayed.
17. Select the Restart the destination server automatically if required check box. The Add Roles and Features Wizard dialog box is displayed.
18. Click the Yes button. The Confirm installation selections page is displayed.
19. Click the Install button. The Installation progress page is displayed. After a few minutes, the Configuration required message is displayed in the right pane.
20. Click the Complete DHCP configuration link. The Description page of DHCP Post-Install configuration wizard is displayed.
21. Click the Next button. The Authorization page is displayed.
22. Click the Commit button. The Summary page is displayed.
23. Click the Close button. The Installation progress page is displayed.
24. Click the Close button. The Server Manager window is displayed.
25. Select DHCP in the left pane.
26. Right-click the IMAGE_SVR1 server under the Server Name column in the right pane, and then select the DHCP Manager option. The DHCP window is displayed.
27. Maximize the DHCP window.
28. Expand the Image_SVR1.Adatum.com->IPv4 nodes in the left pane.
29. Right-click the IPv4 node in the left pane, and then select the New Scope option. The Welcome to the New Scope Wizard page of New Scope Wizard is displayed.
30. Click the Next button. The Scope Name page is displayed.
31. Type NAP Scope in the Name text box.
32. Click the Next button. The IP Address Range page is displayed.
33. Type 172.16.0.25 in the Start IP address text box.
34. Type 172.16.0.254 in the End IP address text box.
35. Click the Next button. The Add Exclusions and Delay page is displayed.
36. Click the Next button. The Lease Duration page is displayed.
37. Click the Next button. The Configure DHCP Options page is displayed.
38. Select the No, I will configure these options later option.
39. Click the Next button. The Completing the New Scope Wizard page is displayed.
40. Click the Finish button.
41. Select the Scope node in the left pane.
42. Right-click the Scope node in the left pane, and then select the Activate option.
43. Select the Server Options node in the left pane.
44. Right-click the Server Options node in the left pane, and then select the Configure Options option. The Server Options dialog box is displayed.
45. Scroll down and select the 006 DNS Servers check box under the Available Options column.
46. Type 172.16.0.10 in the IP address text box.
47. Click the Add button. The DNS Validation message box is displayed for a few moments. After this, the address is added to the list box below the IP address text box.
48. Scroll down and select the 015 DNS Domain Name check box under the Available Options column.
49. Type Adatum.com in the String value text box.
50. Click the OK button.
51. Close the DHCP window.
52. Press the Windows+I keys. The Settings pane is displayed.
53. Select Power->Restart.
54. Click the Continue button. After a few moments, the Press Ctrl+Alt+Delete to sign in screen is displayed.
55. Press the Ctrl+Alt+End keys.
56. Type PaSSwOrd in the Password text box.
57. Press the Enter key. After a few moments, the Server Manager window is displayed.

Task 2: Configuring the Image_SVR1 Virtual Machine as a NAP Health Policy Server
To configure the Image_SVR1 virtual machine as a NAP health policy server, you need to perform the following tasks:
1. Configure Security Health Validator (SHV).
2. Configure remediation server groups.
3. Configure health policies.
4. Configure a network policy for compliant clients.
5. Configure a network policy for non compliant clients.

Task 2.1: Configuring SHV
To configure SHV, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Press the Windows key. The Start screen is displayed.
2. Click the Network Policy Server tile. The Network Policy Server window is displayed.
3. Expand the Network Access Protection->System Health Validators->Windows Security Health Validator nodes in the left pane.
4. Select the Settings node.
5. Right-click the Default Configuration option under the Name column in the right pane, and then select the Properties option. The Windows Security Health Validator dialog box is displayed.
6. Ensure that the Windows 8/Windows 7/Windows Vista option is selected in the left pane.
7. Clear all the check boxes except the A firewall is enabled for all network connections check box in the right pane. For this, you can perform the following steps:
   a. Clear the Antivirus is up to date check box.
   b. Clear the An antivirus application is on check box.
   c. Clear the Antispyware is up to date check box.
   d. Clear the An antispyware application is on check box.
   e. Clear the Automatic updating is enabled check box.
8. Click the OK button. The Network Policy Server window is displayed.

Task 2.2: Configuring Remediation Server Groups
To configure remediation server groups, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Right-click the Remediation Server Groups node in the left pane, and then select the New option.
2. Type Group1 in the Group Name text box.
3. Click the Add button. The Add New Server dialog box is displayed.
4. Type 172.16.0.10 in the IP address or DNS name text box.
5. Click the OK button. The New Remediation Server Group dialog box is displayed.
6. Click the OK button. The Network Policy Server window is displayed.

Task 2.3: Configuring Health Policies
To configure health policies, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Expand the Policies node in the left pane.
2. Select the Health Policies node in the left pane.
3. Right-click the Health Policies node in the left pane, and then select the New option.
4. Type Compliant in the Policy name text box.
5. Ensure that the Client passes all SHV checks option is selected in the Client SHV checks drop-down list.
6. Select the Windows Security Health Validator check box under the SHVs used in this health policy section.
7. Click the OK button. The Network Policy Server window is displayed.
8. Right-click the Health Policies node in the left pane, and then select the New option.
9. Type Non Compliant in the Policy name text box.
10. Select the Client fails one or more SHV checks option from the Client SHV checks drop-down list.
11. Select the Windows Security Health Validator check box under the SHVs used in this health policy section.
12. Click the OK button. The Network Policy Server window is displayed.

Task 2.4: Configuring a Network Policy for Compliant Clients
To configure a network policy for compliant clients, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Select the Network Policies node under the Policies node in the left pane.
2. Right-click the Connections to Microsoft Routing and Remote Access server option under the Policy Name column in the right pane, and then select the Disable option.
3. Right-click the Connections to other access servers option under the Policy Name column in the right pane, and then select the Disable option.
4. Right-click the Network Policies node in the left pane, and then select the New option. The Specify Network Policy Name and Connection Type page of the New Network Policy wizard is displayed.
5. Type Compliant-Full-Access in the Policy name text box.
6. Click the Next button. The Specify Conditions page is displayed.
7. Click the Add button. The Select condition dialog box is displayed.
8. Scroll down the Select a condition, and then click Add list to locate the Network Access Protection section.
9. Double-click the Health Policies icon. The Health Policies dialog box is displayed.
10. Select the Compliant option under the Health policies drop-down list.
11. Click the OK button. The Specify Conditions page is displayed.
12. Ensure that the Health Policy option is displayed under the Condition column displaying the Compliant text under the Value column.
13. Click the Next button. The Specify Access Permission page is displayed.
14. Ensure that the Access granted option is selected.
15. Click the Next button. The Configure Authentication Methods page is displayed.
16. Clear all the check boxes.
17. Select the Perform machine health check only check box.
18. Click the Next button. The Configure Constraints page is displayed.
19. Click the Next button. The Configure Settings page is displayed.
20. Select the NAP Enforcement option under the Network Access Protection section in the left pane.
21. Ensure that the Allow full network access option is selected in the right pane.
22. Scroll down and clear the Enable auto-remediation of client computers check box.
23. Click the Next button. The Completing New Network Policy page is displayed.
24. Click the Finish button. The Network Policy Server window is displayed.

Task 2.5: Configuring a Network Policy for Non Compliant Clients
To configure a network policy for non compliant clients, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Right-click the Network Policies node in the left pane, and then select the New option. The Specify Network Policy Name and Connection Type page of the New Network Policy wizard is displayed.
2. Type Non Compliant-Restricted in the Policy name text box.
3. Click the Next button. The Specify Conditions page is displayed.
4. Click the Add button. The Select condition dialog box is displayed.
5. Scroll down the Select a condition, and then click Add list to locate the Network Access Protection section.
6. Double-click the Health Policies icon. The Health Policies dialog box is displayed.
7. Select the Non Compliant option in the Health policies drop-down list.
8. Click the OK button. The Specify Conditions page is displayed.
9. Ensure that the Health Policy option is displayed under the Condition column displaying the Non Compliant text under the Value column.
10. Click the Next button. The Specify Access Permission page is displayed.
11. Ensure that the Access denied option is selected.
12. Click the Next button. The Configure Authentication Methods page is displayed.
13. Clear all the check boxes.
14. Select the Perform machine health check only check box.
15. Click the Next button. The Configure Constraints page is displayed.
16. Click the Next button. The Configure Settings page is displayed.
17. Select the NAP Enforcement option under the Network Access Protection section in the left pane.
18. Select the Allow limited access option.
19. Scroll down and clear the Enable auto-remediation of client computers check box.
20. Click the Next button. The Completing New Network Policy page is displayed.
21. Click the Finish button. The Network Policy Server window is displayed.
22. Close the Network Policy Server window.

Task 3: Configuring the DHCP Service for NAP Enforcement
To configure the DHCP service for NAP enforcement, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Ensure that the Server Manager window is open and active.
2. Ensure that DHCP is selected in the left pane.
3. Right-click the IMAGE_SVR1 option under the Server Name column in the right pane, and then select the DHCP Manager option.
4. Expand the Image_SVR1.Adatum.com->IPv4 nodes in the left pane.
5. Select the Scope [172.16.0.0] NAP Scope node in the left pane.
6. Right-click the Scope [172.16.0.0] NAP Scope node in the left pane, and then select the Properties option.
7. Click the Network Access Protection tab.
8. Select the Enable for this scope option under the Network Access Protection Settings section.
9. Ensure that the Use default Network Access Protection profile option is selected.
10. Click the OK button. The DHCP window is displayed.
11. Ensure that the Scope [172.16.0.0] NAP Scope node is expanded in the left pane.
12. Select the Scope Options node in the left pane.
13. Right-click the Scope Options node in the left pane, and then select the Configure Options option.
14. Click the Advanced tab.
15. Ensure that the DHCP Standard Options option is selected in the Vendor class drop-down list.
16. Select the 003 Router check box under the Available Options column.
17. Type 172.16.0.10 in the IP address text box.
18. Click the Add button.
19. Scroll down and select the 015 DNS Domain Name option under the Available Options column.
20. Ensure that the adatum.com text is displayed in the String value text box.
21. Click the OK button. The DHCP window is displayed.
22. Close the DHCP window.
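
A scripted equivalent of the DHCP portions of Task 1 and Task 3, added here as an example and not part of the original walkthrough. It uses the DhcpServer module cmdlets that ship with Windows Server 2012 and assumes a /16 subnet mask, which the page does not state; the NPS health and network policies from Task 2 are still configured in the console.

```powershell
# Added example: run in an elevated PowerShell session on Image_SVR1.
$ErrorActionPreference = 'Stop'

# Values taken from the walkthrough.
$scopeName  = 'NAP Scope'
$startRange = '172.16.0.25'
$endRange   = '172.16.0.254'
$dnsServer  = '172.16.0.10'
$router     = '172.16.0.10'
$dnsDomain  = 'adatum.com'

# Assumption: the page never gives the subnet mask. 255.255.0.0 is consistent
# with the "Scope [172.16.0.0]" label that DHCP Manager shows in Task 3.
$subnetMask = '255.255.0.0'
$scopeId    = '172.16.0.0'

# Task 1, steps 3-19: install the DHCP Server and Network Policy Server roles.
Install-WindowsFeature -Name DHCP, NPAS-Policy-Server -IncludeManagementTools

# Task 1, steps 20-23: authorize this DHCP server in Active Directory.
# With no parameters the cmdlet registers the local computer.
Add-DhcpServerInDC

# Task 1, steps 29-42: create and activate the scope. The existence check
# makes the script safe to run a second time.
if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name $scopeName `
                          -StartRange $startRange `
                          -EndRange $endRange `
                          -SubnetMask $subnetMask `
                          -State Active
}

# Task 1, steps 43-50: server-level options 006 (DNS Servers) and
# 015 (DNS Domain Name).
Set-DhcpServerv4OptionValue -DnsServer $dnsServer -DnsDomain $dnsDomain

# Task 3, steps 5-10: turn on NAP enforcement for the scope. The NAP profile
# is not changed here, which matches "Use default Network Access Protection
# profile" on a newly created scope.
Set-DhcpServerv4Scope -ScopeId $scopeId -NapEnable $true

# Task 3, steps 12-21: scope-level options 003 (Router) and
# 015 (DNS Domain Name).
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $router -DnsDomain $dnsDomain

# Read the settings back so that a scope left without NAP enforcement
# is visible immediately.
Get-DhcpServerv4Scope -ScopeId $scopeId |
    Select-Object Name, ScopeId, State, NapEnable, NapProfile
Get-DhcpServerv4OptionValue -ScopeId $scopeId
```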

Task 4: Configuring the Image_Win8_CL1 Virtual Machine as the DHCP and NAP Client
To configure the Image_Win8_CL1 virtual machine as the DHCP and NAP client, you need to perform the following tasks:
1. Enable security center.
2. Enable the DHCP enforcement client.
3. Enable and start the NAP agent service.
4. Configure the Image_Win8_CL1 virtual machine for the DHCP address assignment.

Task 4.1: Enabling Security Center
To enable security center, you need to perform the following steps in the Image_Win8_CL1 virtual machine:
1. Ensure that the Image_Win8_CL1 virtual machine is running and active and you are logged on with Adatum\Administrator as the username and PaSSwOrd as the password.
2. Ensure that the Start screen is displayed.
3. Type Control Panel.
4. Press the Enter key. The Control Panel window is displayed.
5. Click the Network and Internet link. The Network and Internet window is displayed.
6. Click the Network and Sharing Center link in the right pane. The Network and Sharing Center window is displayed.
7. Click the Windows Firewall link under the See also section in the left pane.
8. Click the Turn Windows Firewall on or off link in the left pane.
9. Select the Turn off Windows Firewall (not recommended) option under the Domain network settings, Private network settings, and Public network settings sections.
10. Click the OK button.
11. Close the Windows Firewall window.
12. Press the Windows key. The Start screen is displayed.
13. Type mmc.
14. Press the Enter key. The Console1 - [Console Root] window is displayed.
15. Select File->Add/Remove Snap-in. The Add or Remove Snap-ins dialog box is displayed.
16. Select the Group Policy Object Editor option under the Available Snap-ins column in the left pane.
17. Click the Add button. The Welcome to the Group Policy Wizard page is displayed.
18. Click the Finish button. The Add or Remove Snap-ins dialog box is displayed.
19. Click the OK button. The Console1 - [Console Root] window is displayed.
20. Expand the Local Computer Policy->Computer Configuration->Administrative Templates->Windows Components nodes in the left pane.
21. Select the Security Center node in the left pane.
22. Double-click Turn on Security Center (Domain PCs only) under the Setting column in the middle pane. After a few moments, the Turn on Security Center (Domain PCs only) window is displayed.
23. Select the Enabled option.
24. Click the OK button. The Console1 - [Console Root] window is displayed.
25. Close the Console1 - [Console Root] window. The Microsoft Management Console dialog box is displayed.
26. Click the No button to close the window without saving the settings.

Task 4.2: Enabling the DHCP Enforcement Client
To enable the DHCP enforcement client, you need to perform the following steps in the Image_Win8_CL1 virtual machine:
1. Press the Windows key. The Start screen is displayed.
2. Type napclcfg.msc.
3. Press the Enter key. The NAP Client Configuration window is displayed.
4. Select the Enforcement Clients node in the left pane.
5. Right-click the DHCP Quarantine Enforcement Client option under the Name column in the right pane, and then select the Enable option.
6. Close the NAP Client Configuration window.

Task 4.3: Enabling and Starting the NAP Agent Service
To enable and start the NAP agent service, you need to perform the following steps in the Image_Win8_CL1 virtual machine:
1. Press the Windows key. The Start screen is displayed.
2. Type services.msc.
3. Press the Enter key. The Services window is displayed.
4. Scroll down and double-click the Network Access Protection Agent service under the Name column in the right pane. The Network Access Protection Agent Properties (Local Computer) dialog box is displayed.
5. Select the Automatic option in the Startup type drop-down list.
6. Click the Start button to start the service.
7. Click the OK button. The Services window is displayed.
8. Close the Services window.

Task 4.4: Configuring the Image_Win8_CL1 Virtual Machine for the DHCP Address Assignment
To configure the Image_Win8_CL1 virtual machine for the DHCP address assignment, you need to perform the following steps in the Image_Win8_CL1 virtual machine:
1. Press the Windows key. The Start screen is displayed.
2. Type Control Panel.
3. Click the Control Panel tile. The Control Panel window is displayed.
4. Click the Network and Internet link. The Network and Internet window is displayed.
5. Click the Network and Sharing Center link in the right pane. The Network and Sharing Center window is displayed.
6. Click the Local Area Connection link under the View your active networks section. The Local Area Connection Status dialog box is displayed.
7. Click the Properties button. The Local Area Connection Properties dialog box is displayed.
8. Clear the Internet Protocol Version 6 (TCP/IPv6) check box in the This connection uses the following items list box.
9. Select the Internet Protocol Version 4 (TCP/IPv4) option in the This connection uses the following items list box.
10. Click the Properties button. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box is displayed.
11. Select the Obtain an IP address automatically and Obtain DNS server address automatically options.
12. Click the OK button.
13. Click the Close button and wait for a few moments while configurations are done on the virtual machine.
14. Click the Close button.
15. Close the Network and Sharing Center window.
16. Press the Windows+I keys. The Settings pane is displayed.
17. Select Power->Restart. After a few moments, the lock screen is displayed.
18. Press the Enter key. The log in screen is displayed.
19. Type PaSSwOrd in the Password text box.
20. Press the Enter key. The Start screen is displayed.

Task 5: Testing the NAP Enforcement
To test the NAP enforcement, you need to perform the following tasks:
1. Verify the DHCP assigned address and the current quarantine state.
2. Configure the network policy to grant restricted access.
3. Configure the network policy to remediate the non compliant computers.

Task 5.1: Verifying the DHCP Assigned Address and the Current Quarantine State
To verify the DHCP assigned address and the current quarantine state, you need to perform the following steps in the Image_Win8_CL1 virtual machine:
1. Ensure that the Start screen is displayed.
2. Type Command Prompt.
3. Press the Enter key. The Administrator: Command Prompt window is displayed.
4. Type ipconfig /release, and then press the Enter key.
5. Type ipconfig /renew, and then press the Enter key.
6. Wait for some time and notice that the client machine is unable to obtain an IP address from the DHCP server. After a few moments, the Unable to contact your DHCP server message is displayed.
7. Press the Windows key. The Start screen is displayed.
8. Type Control Panel.
9. Press the Enter key. The Control Panel window is displayed.
10. Click the System and Security link. The System and Security window is displayed.
11. Click the Windows Firewall link in the right pane. The Windows Firewall window is displayed.
12. Click the Turn Windows Firewall on or off link in the left pane.
13. Select the Turn on Windows Firewall option under the Domain network settings, Private network settings, and Public network settings sections.
14. Click the OK button.
15. Switch to the Administrator: Command Prompt window.
16. Type ipconfig /renew, and then press the Enter key.
17. Type ipconfig /all, and then press the Enter key.
18. Scroll up and observe that adatum.com is displayed against Connection-specific DNS Suffix under the Ethernet adapter Local Area Connection section and Not Restricted is displayed against System Quarantine State under the Windows IP Configuration section.
19. Switch to the Windows Firewall window.
20. Click the Turn Windows Firewall on or off link in the left pane.
21. Select the Turn off Windows Firewall (not recommended) option under the Domain network settings, Private network settings, and Public network settings sections.
22. Click the OK button.

Task 5.2: Configuring the Network Policy to Grant Restricted Access
To configure the network policy to grant restricted access, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Switch to the Image_SVR1 virtual machine.
2. Press the Windows key. The Start screen is displayed.
3. Click the Network Policy Server tile. The Network Policy Server window is displayed.
4. Expand the Policies node in the left pane.
5. Select the Network Policies node in the left pane.
6. Right-click the Non Compliant-Restricted option under the Policy Name column in the right pane, and then select the Properties option.
7. Select the Grant access option.
8. Click the OK button. The Network Policy Server window is displayed.
9. Switch to the Image_Win8_CL1 virtual machine.
10. Switch to the Administrator: Command Prompt window.
11. Type ipconfig /release, and then press the Enter key.
12. Type ipconfig /renew, and then press the Enter key.
13. Type ipconfig /all, and then press the Enter key.
14. Scroll up and observe that adatum.com is displayed against Connection-specific DNS Suffix under the Ethernet adapter Local Area Connection section and Restricted is displayed against System Quarantine State under the Windows IP Configuration section.

Task 5.3: Configuring the Network Policy to Remediate the Non Compliant Computers
To configure the network policy to remediate the non compliant computers, you need to perform the following steps in the Image_SVR1 virtual machine:
1. Switch to the Image_SVR1 virtual machine.
2. Ensure that the Network Policy Server window is open and active.
3. Ensure that the Policies node is expanded in the left pane.
4. Right-click the Non Compliant-Restricted option under the Policy Name column in the right pane, and then select the Properties option.
5. Click the Settings tab.
6. Select NAP Enforcement under the Network Access Protection section in the left pane.
7. Select the Enable auto-remediation of client computers check box under the Auto remediation section.
8. Click the OK button. The Network Policy Server window is displayed.
9. Switch to the Image_Win8_CL1 virtual machine.
10. Ensure that the Administrator: Command Prompt window is open and active.
11. Type ipconfig /release, and then press the Enter key to release the current IP address.
12. Type ipconfig /renew, and then press the Enter key to renew the current IP address.
13. Type ipconfig /all, and then press the Enter key.
14. Scroll up and observe that adatum.com is displayed.
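
The checks in Task 5.1 and Task 5.2 read two fields out of the ipconfig /all output by eye; the following added example (not part of the original walkthrough) extracts the same fields and compares them with the expected values. The function names and the sample output are constructed for illustration.

```powershell
# Added example: parse the two ipconfig /all fields that Task 5 inspects.
function Get-NapClientState {
    param(
        # Defaults to live output; pass saved lines to check a capture offline.
        [string[]]$IpconfigLines = (ipconfig /all)
    )
    $state = [ordered]@{ QuarantineState = $null; DnsSuffix = @() }
    foreach ($line in $IpconfigLines) {
        if ($line -match '^\s*System Quarantine State[\s.]*:\s*(.+?)\s*$') {
            $state.QuarantineState = $Matches[1]
        }
        elseif ($line -match '^\s*Connection-specific DNS Suffix[\s.]*:\s*(\S+)') {
            # One entry per adapter that received a suffix from DHCP.
            $state.DnsSuffix += $Matches[1]
        }
    }
    [pscustomobject]$state
}

function Test-NapClientState {
    param(
        [Parameter(Mandatory)] [psobject]$State,
        [Parameter(Mandatory)]
        [ValidateSet('Not Restricted', 'Restricted')]
        [string]$ExpectedQuarantine,
        [string]$ExpectedSuffix = 'adatum.com'
    )
    $problems = @()
    if ($null -eq $State.QuarantineState) {
        $problems += 'No System Quarantine State line found in the output.'
    }
    elseif ($State.QuarantineState -ne $ExpectedQuarantine) {
        $problems += "Quarantine state is '$($State.QuarantineState)', expected '$ExpectedQuarantine'."
    }
    if ($State.DnsSuffix -notcontains $ExpectedSuffix) {
        $problems += "No adapter reports the DNS suffix '$ExpectedSuffix'."
    }
    [pscustomobject]@{ Pass = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample modelled on the Task 5.2 result (firewall off,
# non compliant policy set to grant access). The host name is a placeholder.
$sample = @'
Windows IP Configuration

   Host Name . . . . . . . . . . . . : CLIENT
   System Quarantine State . . . . . : Restricted

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : adatum.com
   DHCP Enabled. . . . . . . . . . . : Yes
'@ -split "`r?`n"

$state = Get-NapClientState -IpconfigLines $sample

# Check the sample against the Task 5.2 expectation.
Test-NapClientState -State $state -ExpectedQuarantine 'Restricted'

# Check the same sample against the Task 5.1 expectation (firewall on).
Test-NapClientState -State $state -ExpectedQuarantine 'Not Restricted'
```

On the lab client, call Get-NapClientState with no arguments after each ipconfig /renew to evaluate the live output instead of the sample.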
