8.1. Network Location Profile

A network location profile is a classification assigned to a network connection that identifies the connection type. Security settings and enabled services can then be automatically configured on the connection based on the profile (or location) type. Both Windows /7/10 and Windows 2008/2012/2016 support network profiles.

The following table lists the network profile types.

Location: Description

Domain
  The Domain network location is used automatically when the computer is connected to a domain. Security settings are controlled through Group Policy.

Public
  A Public network is an untrusted network (such as one you connect to in an airport). Default settings keep your computer from being visible (Network Discovery is turned off) or sharing files. When connecting to a public network, consider the following:
  - To avoid viruses, malicious hackers, and unwanted software, you should have up‐to‐date firewall and antivirus software installed and running on your computer.
  - When you connect to an unsecured wireless network, everything you do on the network can be monitored by someone with the correct equipment, including:
    o Web sites you visit.
    o Online documents you work on.
    o Usernames and passwords you use.

Private
  A Private network is a trusted local area network, such as a home or office network. Network Discovery is enabled by default. Even on a private network you should have up‐to‐date firewall and antivirus software enabled on your computer.

Windows automatically assigns the profile type for a connection, but you can manually specify the profile or control it through the local security policy or Group Policy.
- Configure profile settings manually for a connection through the Network and Sharing Center.
- Enforce settings in the local security policy or Group Policy through the Network List Manager Policies settings.
  o Use the Identifying Networks setting to identify which profile is assigned to a connection while Windows is still trying to classify the connection type. For example, you can apply Private or Public network settings to these networks until a classification has been assigned by Windows.
  o Use the Unidentified Networks setting to configure the location type to use when a network cannot be automatically classified.
  o Use the All Networks setting to configure whether users can manually change the network name, location designation, or network icon.
  o In addition to these global settings, each known network (such as a domain) has its own entry. You can control the name, and whether users can modify the name or the icon.

© Sergey Gorokhod MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+® E‐mail: [email protected] Mob: (+972) 526848757

8.2. Wireless LAN Configuration

When implementing a wireless LAN, you have two choices for designing the network topology:

Configuration: Description

Infrastructure
  An infrastructure wireless network employs an access point (AP), also referred to as a wireless access point (WAP), that functions like a hub on an Ethernet network. With an infrastructure network:
  - The network uses a physical star topology.
  - You can easily add hosts without increasing administrative effort (scalable).
  - The AP can be easily connected to a wired network, allowing clients to access both wired and wireless hosts.
  - The placement and configuration of APs require planning to implement effectively.
  You should implement an infrastructure network for all but the smallest of wireless networks.

Ad Hoc
  An ad hoc network works in peer‐to‐peer mode without an AP. Instead, the wireless NICs in each host communicate directly with one another. An ad hoc network:
  - Uses a physical mesh topology.
  - Is cheap and easy to set up.
  - Cannot handle more than four hosts.
  - Requires special modifications to reach wired networks.
  You will typically only use an ad hoc network to create a direct, temporary connection between two hosts.

You should be aware of the following identifiers used with wireless networks:

Identifier: Description

Service Set Identifier (SSID)
  The Service Set Identifier (SSID), also called the network name, groups wireless devices together into the same logical network.
  - All devices on the same network must have the same SSID. Configure both the access point and each client computer with the same SSID.
  - The SSID is a 32‐bit value that is inserted into each frame.

Basic Service Set Identifier (BSSID)
  The Basic Service Set Identifier (BSSID) is a 48‐bit value that identifies an access point (AP) in an infrastructure network or a host in an ad hoc network. The BSSID allows devices to find a specific AP on a network with multiple access points, and is used to keep track of APs when roaming on a network with multiple access points.

Most wireless networks can transmit on one of multiple channels. When configuring the channel:

- On the AP, accept the default channel or change it to one of your choice. Choose a channel that is not used by any other wireless transmitting devices (such as phones or other APs).
- When configuring multiple APs on a network, configure each AP to use a different channel but with the same SSID (Service Set Identifier).
- On the NIC, the channel is typically detected automatically and is configured to match the channel used by the AP. On some NICs you can also set the channel to a specific channel. When doing so, use the same channel on which the AP transmits.

8.3. Wireless Security

Authentication on a wireless network is provided by one of the following methods.

Method: Description

Open
  Open authentication requires only that clients provide a MAC address to connect to the wireless network. Access can be controlled on a limited basis by performing MAC address filtering, where only devices whose addresses are listed can connect. Because MAC addresses are easily spoofed, this provides little practical security.

Shared secret
  Shared secret authentication, also called pre‐shared key authentication, configures clients and access points with a shared key (or password). Only devices with the correct shared key can connect to the wireless network.

802.1x
  802.1x is an authentication standard for wired Ethernet networks that allows for user authentication. The 802.1x standards have been adapted for use in wireless networks to provide secure authentication. 802.1x authentication requires the following components:
  - A RADIUS server to centralize user account and authentication information. A centralized database for user authentication is required to allow wireless clients to roam between cells but authenticate using the same account information.
  - A PKI for issuing certificates. At a minimum, the RADIUS server must have a server certificate. To support mutual authentication, each client must also have a certificate.
  802.1x supports Extensible Authentication Protocol (EAP) methods that allow for a wide range of authentication options, including:
  - MD5
  - TLS (uses certificates for client authentication)
  - MS‐CHAP v2 (uses passwords for client authentication)
  - PEAP (Protected EAP)
  - LEAP
  - TTLS
  Note: When using PEAP, choose PEAP‐EAP‐TLS to use certificates, and PEAP‐EAP‐MSCHAP to use usernames and passwords for authentication.

Security for wireless networking is provided by the following implementations:

Method: Description

Wired Equivalent Privacy (WEP)
  WEP is an optional component of the 802.11 specifications. WEP was designed to provide wireless connections with the same security as cable connections. WEP:
  - Uses Rivest Cipher 4 (RC4) with a 40‐bit key and 24‐bit initialization vector (IV) for encryption. (Most implementations now use a 104‐bit key.)
  - Uses CRC‐32 for data integrity, applied to the data only (not the header).
  - Supports open, shared key, and (recently) 802.1x authentication. Note: When configured for shared key authentication, WEP uses the WEP key as the shared secret.
  - Requires that keys be manually configured on each device.
  WEP has the following weaknesses:
  - CRC‐32 is susceptible to bit‐flipping attacks, where modifications in the frame result in the same hash value.
  - It uses a weak implementation of RC4 encryption.
  - The short initialization vector results in quick reuse of the initialization vector. This allows hackers to easily crack the key.
  - It is vulnerable to replay attacks.
  - Using the WEP key for shared secret authentication exposes the shared key to attack, effectively decreasing the security of WEP. (Ironically, open authentication with WEP is more secure than shared key authentication.)

Wi‐Fi Protected Access (WPA)
  WPA is the implementation name for wireless security based on initial 802.11i drafts. It was intended as an intermediate measure to take the place of WEP while a fully secured system named 802.11i (WPA2) was prepared. WPA:
  - Uses the Temporal Key Integrity Protocol (TKIP).
  - Uses RC4 with a 128‐bit key and a 48‐bit initialization vector (IV) for encryption.
  - Uses the Message Integrity Check (MIC) algorithm (also called Michael) for data integrity, applied to both the data and the header.
  - Supports both Pre‐Shared Key (referred to as WPA‐PSK or WPA Personal) and 802.1x (referred to as WPA Enterprise) authentication. (Use WPA‐Personal for home or small office networks that do not have the domain controller, RADIUS server, or PKI required by 802.1x authentication. Use WPA Enterprise when you have a domain controller and a RADIUS server that is a domain member.)
  - Was designed such that it could be implemented on most existing wireless hardware through a firmware update.
  WPA attempts to address the weaknesses of WEP in the following ways:
  - Encryption key and initialization vector lengths were increased.
  - TKIP provides for dynamic key rotation, which also helps protect against IV reuse.
  - IVs are sequenced to protect against replay attacks.

Wi‐Fi Protected Access 2 (WPA2)
  WPA2 is the implementation name for wireless security that adheres to the 802.11i specifications. It is built upon the idea of Robust Secure Networks (RSN). Like WPA, it resolves the weaknesses inherent in WEP, and is intended to eventually replace both WEP and WPA. WPA2:
  - Uses Counter Mode with CBC‐MAC Protocol (CCMP), also known as AES‐CCMP.
  - Uses Advanced Encryption Standard (AES) with a 128‐bit key and a 48‐bit initialization vector for encryption.
  - Uses Cipher Block Chaining Message Authentication Code (CBC‐MAC) for data integrity, applied to both the data and the header.
  - Supports both Pre‐Shared Key (referred to as WPA2‐PSK or WPA2 Personal) and 802.1x (referred to as WPA2 Enterprise) authentication.
  - Provides for dynamic key generation and rotation through the CCMP protocol.
  WPA2 has the same advantages over WEP as WPA. While more secure than WPA, its main disadvantage is that it requires new hardware for implementation.

VPN or IPSec
  You can provide data encryption and session authentication by implementing a VPN or IPSec over a wireless connection (this is more secure than static WEP and less secure than dynamic WEP):
  - The wireless connection is established just like any other wireless connection. Then a VPN or IPSec tunnel is established between the two communicating devices.
  - Use it to protect data when communicating over an insecure network, such as when connecting through a public access point.
  - VPN or IPSec protects the session but does not protect the network infrastructure.

8.4. Wireless Configuration

Access to a wireless network is controlled by configuring wireless profiles. You can configure wireless profiles for clients using one of the following methods:

- Configure a wireless policy in Group Policy. Link the GPO to the domain or OUs where you want the policy enforced.
- Manually create wireless profiles on each client.
- Use the Connection Manager Administration Kit (CMAK) to define wireless network settings and import them onto each client.

Note: On a Windows 2008 system, you must add the Wireless LAN Service feature to support wireless connections. Wireless is automatically supported on Vista clients.

The following table lists various settings you can control through Group Policy.

Setting: Description

Profiles
  The wireless profile identifies pre‐configured wireless networks. When specifying the profile:
  - Choose Infrastructure or Ad Hoc.
  - Configure the SSID used by the network.
  - Configure the authentication and encryption settings (such as WEP, WPA, WPA2).
  Additional settings include:
  - Select Connect automatically when this network is in range to connect to the network without user intervention.
  - Select Connect even if the network is not broadcasting to allow the connection when SSID broadcast has been disabled on the access point.
  - Select Connect to a more preferred network if available to automatically connect to a higher‐priority profile when it comes in range. When multiple profiles are in the list, the client connects first to the profile at the top of the list (if available).
  You can export and import profile settings to quickly add pre‐defined configuration values.

Network Permissions
  Using permissions, you can allow or deny access to specified networks by name (SSID) or type.
  - Add an SSID to the list to allow or deny access. When you add a profile, those networks are automatically added to the list to allow access.
  - You can prevent ad‐hoc or infrastructure connections.
  - Disable the Allow user to view denied networks setting to hide disallowed networks. Users will not be able to see these networks in the list of available networks, even if SSID broadcast is enabled on the access point.
  - Selecting Only use Group Policy profiles for allowed networks prevents users from adding their own network profiles. Only those delivered through Group Policy are allowed.
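As an added illustration (not part of these notes and not a Microsoft tool), the following Python script parses a wireless profile in the XML layout that "netsh wlan export profile" writes and reports the settings the table above describes: topology, SSID, authentication and encryption, and the three connect options. The profile XML is constructed sample data rendered from a template, and the audit rules (flagging open/WEP, TKIP, PSK-only, non-broadcast and ad hoc profiles) are this example's own, not Group Policy's.

```python
import xml.etree.ElementTree as ET

# XML namespace used by Windows WLAN profile documents.
NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed template in the layout "netsh wlan export profile" writes (sample data,
# not exported from a real system). Real files also carry the hex SSID and a OneX block.
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig>
    <SSID><name>{name}</name></SSID>
    <nonBroadcast>{non_broadcast}</nonBroadcast>
  </SSIDConfig>
  <connectionType>{conn_type}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <autoSwitch>{auto_switch}</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>{auth}</authentication>
        <encryption>{enc}</encryption>
        <useOneX>{use_onex}</useOneX>
      </authEncryption>
    </security>
  </MSM>
</WLANProfile>
"""


def _flag(value):
    return "true" if value else "false"


def build_profile(name, auth, enc, use_onex, non_broadcast=False,
                  conn_type="ESS", mode="auto", auto_switch=False):
    """Render a constructed sample profile with the given settings."""
    return PROFILE_TEMPLATE.format(name=name, auth=auth, enc=enc, use_onex=_flag(use_onex),
                                   non_broadcast=_flag(non_broadcast), conn_type=conn_type,
                                   mode=mode, auto_switch=_flag(auto_switch))


def _text(root, path):
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def parse_profile(xml_text):
    """Map the XML elements to the settings the Group Policy profile dialog exposes."""
    root = ET.fromstring(xml_text)
    sec = "p:MSM/p:security/p:authEncryption/"
    return {
        "ssid": _text(root, "p:SSIDConfig/p:SSID/p:name"),
        # ESS = infrastructure (through an AP); IBSS = ad hoc (peer to peer)
        "topology": "Infrastructure" if _text(root, "p:connectionType") == "ESS" else "Ad Hoc",
        "connect_automatically": _text(root, "p:connectionMode") == "auto",
        "connect_if_not_broadcasting": _text(root, "p:SSIDConfig/p:nonBroadcast") == "true",
        "prefer_better_network": _text(root, "p:autoSwitch") == "true",
        "authentication": _text(root, sec + "p:authentication"),
        "encryption": _text(root, sec + "p:encryption"),
        "uses_8021x": _text(root, sec + "p:useOneX") == "true",
    }


def audit_profile(xml_text):
    """Return (settings, findings): what the profile configures and what weakens it."""
    p = parse_profile(xml_text)
    findings = []
    if p["authentication"] in ("open", "shared") or p["encryption"] in ("none", "WEP"):
        findings.append("open/WEP: no practical protection, move to WPA2")
    elif p["authentication"] in ("WPA", "WPAPSK") or p["encryption"] == "TKIP":
        findings.append("WPA/TKIP (RC4 based) still in use, prefer WPA2 with AES")
    if p["authentication"].endswith("PSK") and not p["uses_8021x"]:
        findings.append("pre-shared key: one secret for every client and no per-user accounting")
    if p["connect_if_not_broadcasting"]:
        findings.append("non-broadcast SSID: the client probes for this name wherever it roams")
    if p["topology"] == "Ad Hoc":
        findings.append("ad hoc profile: peer-to-peer link that bypasses the AP and its policy")
    return p, findings
```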

When using 802.1x authentication (using WEP with 802.1x, WPA‐Enterprise, or WPA2‐Enterprise):

- The following server components are required:
  o A domain controller for managing wireless users.
  o A RADIUS server that authenticates wireless users.
  o When using certificates, a certificate server for issuing client and server certificates.
- Configure the wireless access point as a RADIUS client. Configure network policies on the RADIUS server.
- Wireless access must be enabled for users, either through the network policy, or by allowing access through the user account properties.
- Windows XP SP2 or higher on the client is required for 802.1x support.
- When using certificates, you must provide a way for client computers to get certificates.
  o Connect the client to the wired network, and use manual or autoenrollment to request and install a certificate.
  o Save the certificate request as a file, issue the certificate from the CA as a file, then import the certificate on the client.
  o Configure a Bootstrap profile. This profile allows the client to connect to the network once in order to obtain a certificate. After the computer is joined to the domain, the certificate and regular profiles are used.
- Fast Reconnect allows clients that roam between access points to quickly connect without going through the full authentication process. This feature is only available when using 802.1x authentication with PEAP, and must be enabled on both the client and the RADIUS server. In Group Policy, edit the PEAP authentication settings to enable Fast Reconnect for clients.
- Authentication for wireless clients can use computer credentials, user credentials, or a combination of both. When only user credentials are used, the network connection initiates only after domain logon, which can prevent the wireless connection from authenticating, and therefore prevent the user from being able to log on. To correct this problem, enable single sign on for wireless connections. The logon screen appears earlier in the process, allowing user credentials to be used for 802.1x authentication and domain logon together.

8.5. Access Point Security

The following table outlines methods you can use to improve the security of wireless access points.

Method: Description

Change the administrator account and password
  The access point typically comes configured with a default username and password that is used to configure the access point settings. If possible, it is important to change the administrator account name and password from the defaults. This will prevent outsiders from breaking into your system by guessing the default username and password.

Update the firmware
  Update the firmware on the access point from the manufacturer's Web site frequently to prevent your system from being exposed to known bugs and security holes.

Enable the firewall
  Most wireless access points come with a built‐in firewall that connects the wireless network to a wired network.

Change the SSID from the defaults
  The SSID is a very basic security measure that acts as an identifier for the wireless access point. Many manufacturers use a default SSID, so it is important to change your SSID from the defaults.

Disable SSID broadcast
  By default, the access point broadcasts its SSID, advertising to clients that it is in range and available. For a level of security, you can disable broadcasts so that only those who know the SSID can create a profile to connect to the access point. Serious hackers will still be able to find the SSID, but turning off broadcasting prevents the casual user from seeing and attempting to connect to the network.

Disable DHCP
  DHCP servers dynamically assign IP addresses, gateway addresses, subnet masks, and DNS addresses whenever a computer on the wireless network starts up. Disabling DHCP on the wireless access points will help prevent unauthorized users from connecting to your network. If DHCP is disabled, clients must use a static IP address, and only those who know the IP address range and other parameters will be able to connect.

Enable MAC address filtering
  Every network board has a unique code assigned to it called a MAC address. By specifying which MAC addresses are allowed to connect to your network, you can prevent any outside MAC address from connecting to the access point. Configuring a MAC address filtering system is very time consuming and demands upkeep, but it keeps the casual hacker from connecting to the network. Serious hackers will be able to clone a valid MAC address to connect.

Encryption
  Implementing encryption greatly lowers the chances of successful snooping. There are two main encryption options for a wireless network:
  - Wired Equivalent Privacy (WEP) used to be the default way to encrypt data on a wireless network.
    o WEP is considered a "mostly" secure network encryption.
    o WEP uses a key to encrypt data before it is transmitted over a signal.
    o WEP uses open authentication.
    o A weakness of WEP is that it includes small parts of the key at the beginning of every packet that is transmitted. If a snooper is diligent enough, they can capture enough of the key that they can then decrypt all of your network transmissions.
    o Another weakness of WEP is that it does not rotate the key.
  - Wi‐Fi Protected Access (WPA) was designed to address most of the weaknesses of WEP.
    o WPA is considered a secure network encryption.
    o WPA does not include part of the key in transmitted packets.
    o WPA requires user authentication.
    o WPA automatically rotates and updates the key frequently.

8.6. RADIUS

With a normal network access solution, network policies are stored on individual network access servers (e.g., wireless access points, VPN servers, dial‐up network access servers). This means that if you want the same policy to be used on different servers, you must create it on each server. You can consolidate network policies by using a Remote Authentication Dial‐In User Service (RADIUS) server. Authentication requests are passed from the network access server to the RADIUS server. Network policies stored on the RADIUS server are used to authenticate remote access clients from multiple servers.

A RADIUS solution uses the following components.

Component: Description

Remote access clients
  Remote access clients initiate connections to the remote access servers. Authentication credentials are supplied by the client to the remote access server. The remote access client is unaware that a RADIUS server is being used.

RADIUS client
  A RADIUS client is a remote access server that is configured to forward authentication requests to a RADIUS server. Remote access clients connect to the RADIUS client (the remote access server), and the logon credentials supplied are forwarded to the RADIUS server for authentication. A RADIUS client is also called an access server.

RADIUS server
  A RADIUS server is a special remote access server that provides authentication for multiple remote access servers. The RADIUS server accepts authentication credentials from the RADIUS clients (remote access servers), and uses network policies stored on the server to authenticate users. The RADIUS server notifies the RADIUS client whether the connection should be allowed or denied.

RADIUS proxy
  A RADIUS proxy forwards or routes connection requests and accounting data between RADIUS clients (which may include other RADIUS proxies) and RADIUS servers. It does this by using information from the RADIUS message itself (e.g., the User‐Name or Called‐Station‐ID attributes) to send the message to the appropriate RADIUS server. RADIUS proxies are particularly useful when authentication, authorization, and accounting occur on multiple RADIUS servers.
  Note: A RADIUS proxy is configured as a RADIUS client to a RADIUS server, and is configured as a RADIUS server for other RADIUS clients. The proxy can process authentication requests as a RADIUS server, or forward requests to another RADIUS server.

Remote RADIUS server group
  A remote RADIUS server group is a group of RADIUS servers configured on a RADIUS proxy. Authentication requests received by the proxy are forwarded to the server(s) defined in one of the remote server groups.

Network policies
  Network policies are configured on the RADIUS server to identify users who can connect to the network and the conditions that must be met for the connection to succeed. Without a RADIUS server, network policies are configured on each remote access server; with a RADIUS server, network policies are configured only on the RADIUS server.

Connection request policies
  Connection request policies are configured on a RADIUS proxy, and are used to determine whether the authentication request is forwarded to a RADIUS server, or is processed locally on the RADIUS proxy. A connection request policy is similar to a network policy, but is used to identify which server or server group will be used for authentication, not to provide the authentication conditions.

User account databases
  The user account database contains the list of user accounts and their properties that a RADIUS server can use to verify authentication and authorization. NPS can use the following databases:
  - Security Accounts Manager (SAM)
  - Windows NT 4.0 domain
  - Active Directory Domain Services (AD DS)
  When using AD DS, NPS can provide authentication and authorization for user and computer accounts in the following domains:
  - The domain in which the NPS server is a member.
  - Two‐way trusted domains.
  - Trusted forests, depending on the Windows Server version the DCs are running.

RADIUS messages
  RADIUS messages are the actual communications exchanged between RADIUS clients, proxies, and servers. RADIUS messages contain attributes that are used during the authentication process. Attributes include:
  - User name
  - User password
  - Type of service requested by user
  - Access server's IP address
  The attributes can change according to the type of RADIUS message. An Access‐Request message, for example, contains attributes that specify user credentials and requested connection parameters, and an Access‐Accept message contains attributes that specify the allowed connection and its constraints. RADIUS messages are sent as UDP (User Datagram Protocol) messages. RADIUS authentication messages use UDP port 1812; RADIUS accounting messages use port 1813.

8.7. RADIUS Configuration

To configure a RADIUS solution, complete the following:

Component: Configuration Tasks

RADIUS server
  To configure a RADIUS server:
  1. Install the Network Policy and Access Services role with the Network Policy Server (NPS) service.
  2. Identify all allowed RADIUS clients. Provide the name or IP address and the shared secret that will be used to authenticate the RADIUS clients.
  3. Configure network policies on the RADIUS server.

RADIUS client
  To configure a RADIUS client:
  1. Install the Network Policy and Access Services role with Routing and Remote Access Services.
  2. In the Routing and Remote Access console, edit the properties of the remote access server. Configure the server to use the RADIUS server for authentication and (optionally) accounting. Be sure to use the same shared secret to authenticate to the RADIUS server.
  3. Configure the remote access connection for the remote clients.

Remote access client
  To configure remote access clients, configure a normal remote access connection to the remote access server (the RADIUS client).

RADIUS proxy
  To configure a RADIUS proxy:
  1. Install the Network Policy and Access Services role with the Network Policy Server (NPS) service.
  2. Configure RADIUS clients to identify the remote access servers that will forward authentication requests to the proxy.
  3. Create one or more remote RADIUS server groups. Messages received by the proxy will be forwarded to the servers identified in the group.
  4. Configure connection request policies on the proxy. The connection request policy identifies the RADIUS server group that will be used for incoming requests from RADIUS clients. The proxy server reads information in the RADIUS message, compares it with the policy, and uses that information to forward authentication requests to the appropriate group.
  5. (Optional) If the proxy will also act as a RADIUS server (providing authentication), configure network policies on the proxy.
  6. On each RADIUS server, create a RADIUS client to identify the proxy server.
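The Access‐Request/Access‐Accept exchange from 8.6 and the shared secret configured in step 2 of the RADIUS server and RADIUS client tasks above, as an added example that is not from these notes and not NPS code: a minimal RFC 2865 encoder/decoder in Python in which the access server (RADIUS client) hides the User‐Password with the shared secret, the RADIUS server recovers it and checks a constructed account database, and the reply is sealed with the Response Authenticator that the client verifies. The account database, NAS address and secrets are constructed values; with mismatched secrets the server cannot recover the password and the client cannot verify the reply, which is the failure the "same shared secret" note guards against.

```python
import hashlib
import hmac
import os
import struct

AUTH_PORT, ACCT_PORT = 1812, 1813                   # UDP ports named in 8.6 (unused offline)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types used here


def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, includes the 2-byte header) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), seeded with the Request Authenticator. Obfuscation, not modern encryption."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for k in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[k:k + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password; with the wrong secret it yields garbage bytes."""
    out, prev = b"", request_auth
    for k in range(0, len(hidden), 16):
        block = hidden[k:k + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4]) if len(data) >= 20 else (0, 0, 0)
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS packet length")
    return code, ident, data[4:20], decode_attrs(data[20:length])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def access_server_request(secret, ident, username, password, nas_ip):
    """RADIUS client (access server) side: build the Access-Request."""
    request_auth = os.urandom(16)                 # fresh per request; seeds the password hiding
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(secret, request_auth, password)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def radius_server_handle(secret, users, packet):
    """RADIUS server side: recover the password, check the account database, reply."""
    code, ident, request_auth, attrs = parse_packet(packet)
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode("utf-8", "replace")
    pw = reveal_password(secret, request_auth, a.get(USER_PASSWORD, b""))
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], pw)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, [], secret)
    return build_packet(reply_code, ident, auth, [])


def access_server_verify(secret, request_auth, ident, reply):
    """Client checks identifier and Response Authenticator before trusting the verdict."""
    code, rid, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, rid, request_auth, attrs, secret)
    return code, rid == ident and hmac.compare_digest(resp_auth, expected)


def exchange(client_secret, server_secret, username, password):
    """One round trip; returns (reply code, Response Authenticator verified)."""
    users = {"alice": b"Correct-Horse-Battery"}   # constructed account database
    pkt, req_auth = access_server_request(client_secret, 7, username, password, "10.0.0.5")
    reply = radius_server_handle(server_secret, users, pkt)
    return access_server_verify(client_secret, req_auth, 7, reply)
```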

You should know the following best practices for configuring NPS for RADIUS:

- Use local authentication methods to test each network access server before turning them into RADIUS clients.
- Use netsh nps commands to manage RADIUS servers from the command prompt.
- Save your NPS configuration file using the following command: Netsh nps show config > file_path\.txt. Do this after your initial installation and each time you change the NPS configuration.
- Install NPS on a domain controller for optimal authentication and authorization response times.
- If your user accounts database is stored on a domain controller running Windows Server 2003/2008/2012/2016, configure your NPS and Routing and Remote Access servers as members of the domain to prevent LDAP query failures (these occur if the NPS or RRAS server runs in an NT 4.0 domain and the user accounts database runs on Server 2003/2008/2012/2016).
- When using a RADIUS proxy, you can configure connection request policies to process authentication requests on the proxy server, or forward those requests to a remote RADIUS group.

8.8. What is a NAP?

Network Access Protection (NAP) is a collection of components that allow administrators to regulate network access or communication based on a computer's compliance with health requirement policies. NAP gives you the ability to restrict access for non‐compliant computers as well as to provide access to updates or health update resources to allow computers to become compliant.

NAP has three features:

Feature: Description

Health state validation
  When a computer attempts to connect to the network, its health is checked against an administrator‐defined health requirement policy. The results of the health check can be used in one of two ways:
  - With monitoring only, a computer's health state is checked and the compliance level is logged. Access is allowed even if all of the conditions in the health policy are not met.
  - With limited access, computers that meet the health policy requirements are given full access to the network, while those that do not meet the requirements are denied access or given limited access to a restricted network.

Health policy compliance
  When a non‐compliant computer connects to the network, it can be automatically updated with software updates and configuration changes using management software. With the computer now compliant with the health policy, it can be granted full access. Administrators can define exceptions for computers that are not NAP compatible.

Limited access network
  For computers that are non‐compliant, you can define a physical or logical network. You can define only specific resources that clients can access, or allow access for a limited period of time.

Note: A computer that is not compliant with the health requirements does not mean that the computer is a security risk. Non‐compliance means that the computer does not meet the necessary requirements that protect it from known vulnerabilities. For example, a non‐compliant computer might not be infected with a virus, but instead might lack up‐to‐date virus definition files. Just because a computer is compliant does not guarantee that it does not pose a security risk.

The table below describes the components that comprise the NAP system.

Component: Description

NAP Client
  Client computers must have NAP‐aware software, either through the operating system or other components. This software allows the client to report its health to NAP servers, and also prevents the system from accessing the network if the system is not in compliance with health requirements. NAP client components include the following:
  - The System Health Agent (SHA) is client software that gathers health information for the client.
  - The SHA compiles a report of the health state of the client and creates a Statement of Health (SoH).
  - The Enforcement Client is a service that communicates with network access servers.
  - The NAP Agent is a service that receives the SoH from the SHA and sends it to the NAP servers for validation. Replies are returned to the client through the NAP Agent.

NAP Server
  The NAP server is responsible for keeping track of health requirements and verifying that clients meet those requirements before gaining access. A Windows server running the Network Protection Service role is a NAP server. The NAP server has the following components:
  - The Health Policy is the set of requirements that must be met to connect to the network.
  - The System Health Validator (SHV) runs on the server, and compares the SoH submitted by the client to the Health Policy defined on the server. Windows servers come with a default Windows SHV.
  - The SHV returns a Statement of Health Response (SoHR) to the NAP client.

Enforcement Server (ES)
  An Enforcement Server (ES), also called an enforcement point, is the connection point for clients to the network. Clients connect to the ES, submitting the SoH for validation. The ES forwards the SoH to the NAP server, and returns the corresponding SoHR. There are five different types of enforcement servers, each for a different kind of connection type:
  - DHCP
  - Remote access/VPN
  - 802.1x (EAP)
  - Terminal Services Gateway
  - IPSec
  Client computers have a corresponding component, the Enforcement Client (EC). Clients run the EC type that corresponds to the ES type to which they are connecting.

Remediation Server
  Remediation servers are the set of resources that a non‐compliant computer can access on the limited‐access network. The purpose of a remediation server is to provide the resources necessary to help non‐compliant clients become compliant. For example, you might identify servers that hold operating system patches or antivirus definition files as remediation servers.

© Sergey Gorokhod MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+® E‐mail: [email protected] Mob: (+972) 526848757

8.9. NAP Configuration

Configuring NAP requires configuration of the NAP server, the client, and the enforcement point. To configure the NAP server:

1. Install the NPS role with the Network Policy Server service.
2. Configure the System Health Validator (SHV).
o Configure the client state for various error codes (either compliant or noncompliant).
o Enable the health checks that will be used by the SHV. Health checks include checking for the firewall, antivirus software, antispyware, automatic updates, and the presence of operating system security updates.
3. Configure Remediation Server Groups. Identify the servers that hold resources that clients can use to become compliant.
4. Create Health Policies. For example, you might define two policies, one for compliant computers and another for non‐compliant computers. In the Health Policy:
o Select the SHV to use.
o Specify the client state, such as passing all checks, failing all checks, failing one or more checks, or the client reporting a specific condition (such as infected, transitional, or unknown).
5. Create Network Policies. Create one Network Policy for each Health Policy you defined. When configuring the Network Policy:
o For the network access server type, select the type of enforcement point server you are using.
o For a condition, identify the Health Policy you defined earlier.
o Make sure the policy allows access.
o For authentication, select Perform machine health check only.
o For settings, configure the NAP Enforcement action to take (allow full, timed, or limited access). For limited access, you can configure:
. The Remediation Server Group that clients can use to become compliant.
. A Troubleshooting URL. The troubleshooting URL is shown on the client in the Network Access Protection dialog box when a client is non‐compliant. You can use this URL to provide a link to additional resources that users can use to make the workstation compliant.
. Auto‐remediation so that client computers automatically take corrective action to become compliant.
6. Change the order of Network Policies so they are applied appropriately.

Complete the following steps on the client computer. Note: Use Group Policy to enforce these settings so that users cannot manually disable NAP on the client computer.

1. Start the Network Access Protection Agent service. Configure the service to auto‐start.
2. Enable the enforcement client that corresponds to the type of enforcement point you are using:
o DHCP Quarantine Enforcement Client
o Remote Access Quarantine Enforcement Client (for VPN enforcement)
o IPsec Relying Party
o TS Gateway Quarantine Enforcement Client
o EAP Quarantine Enforcement Client (for 802.1x enforcement)

In addition to these basic steps on the client and the NAP server, you will need to take additional steps on the enforcement point or the NPS server based on the enforcement type you are using.

DHCP: To configure the DHCP server for NAP:

1. Enable Network Access Protection on the scope.
2. Configure scope options to deliver limited network configuration parameters. These are the resources that limited‐access clients will use. Configure Advanced options with the Default Network Access Protection Class user class.

Remote access/VPN: Configuring NAP with VPN requires no additional actions on the VPN server. However, you must configure the NAP server settings as follows:

 When configuring the Network Policy for non‐compliant computers, you can define IP filters as a setting to limit VPN resource access for non‐compliant computers.
 After defining the Network Policies, create a Connection Request Policy. Enable PEAP authentication, and make sure that the Enable Quarantine checks option is enabled.

802.1x: Use 802.1x as an enforcement point for both wireless and wired clients. When configuring 802.1x:

 Configure the enforcement point as a RADIUS client to the NAP server.
 On an 802.1x switch, define VLANs to create compliant and non‐compliant networks. Client computers are assigned to the appropriate VLAN based on health compliance.
 In the Network Policies on the NAP server, identify the VLAN that corresponds to the compliant and non‐compliant networks.

Remote Desktop Services Gateway: When using the RDS Gateway enforcement point:

 Install the latest Remote Desktop client (6.0 or later) on the client computer.
 On the RDS Gateway server:
o Enable NAP enforcement by editing the properties for the server and selecting Request clients to send a statement of health.
o Configure Connection Authorization Policies.

IPsec: IPsec enforcement uses three logical networks:

 The restricted network is the network where IPsec is not enforced. IPsec is not required for communicating on the restricted network.
 The boundary network contains the enforcement point and remediation servers. IPsec is requested but not required to communicate between hosts in the restricted network and hosts in the boundary network.
 The secure network is the private network. IPsec is required for communication between hosts on the secure network.

Using IPsec requires the following additional components:

 Active Directory Domain Services (AD DS) and Group Policy are configured to allow certificate autoenrollment and to identify a security group for computers that are exempt from health checks.
 Active Directory Certificate Services is configured to issue Workstation Authentication certificates.
 The NAP server is made a member of the exempted health group so that it receives a certificate immediately without going through health checks.
 The NAP server is configured with the Health Registration Authority (HRA) service and as a subordinate CA so that it can issue certificates to compliant computers.
 Client computers are configured with the URL of the enforcement server. This URL will be used by the client to request a certificate.

8.10. LAN Authentication

Windows Server 2008 (and above: 2008 R2, 2012, 2012 R2, 2016) supports two authentication mechanisms for logging on to the server or domain: Kerberos and NTLM.

Kerberos: Kerberos is used for both authentication and authorization to services. Kerberos authentication and authorization involves the following process:

1. The client sends logon information to the domain controller.
2. The DC validates the credentials and returns a ticket that identifies the user as authenticated.
3. When the client wants to use a service, it submits its authentication ticket to the DC and requests the service.
4. The DC locates the service, verifies that the client has permission to use the service, and returns a ticket authorizing it to use the service.
5. The client submits its authorization ticket to the service and access is granted.

The ticket is good only for that specific service, but is valid during the entire logon session. When the client needs to access the service again, it does not have to request permission from the domain controller. It simply shows its ticket and is allowed access.

The process of using tickets to validate permissions is called delegated authentication. Tickets are valid during the entire session and do not need to be re‐requested.

NTLM: With NT LAN Manager (NTLM), permissions are verified by the service each time access is needed. For this reason, NTLM is slower and less efficient than Kerberos. NTLM authentication and authorization involves the following process:

1. The client sends logon information to the domain controller.
2. The domain controller authenticates the user and allows access.
3. When the client wants to use a service, it requests access from the service.
4. The service contacts the domain controller to verify that the client has sufficient permissions.

Because of its advantages, you should use Kerberos for authentication whenever possible. The following table lists when to use each authentication method:

Kerberos: You can use Kerberos when the following conditions are met:

 All computers must support Kerberos v5 (, XP Pro, Vista, 7, 10, 2003/2008/2012/2016, or other operating systems with Kerberos v5 support).
 Active Directory domains must be running in native mode.
 Trusts must be established for access between domains.

NTLM v2: You can use NTLM v2 under the following conditions:

 Client computers are running Windows NT with the Active Directory client, Windows Vista/7/10, Windows XP (Home and Professional), or Windows Server 2000/2003/2008/2012/2016.
 Domains are running in mixed mode, you need to connect to Windows NT domains, or you need to connect to standalone or workgroup servers.

NTLM or LM: NTLM or LM should only be used if clients do not support NTLM v2.

 If clients are running Windows 9x, install the Active Directory client and use NTLM v2.
 If clients are running Windows for Workgroups (3.11), NTLM is your only option.

Be aware of the following facts regarding domain authentication:

 For best security, use the highest method supported by clients and servers. For Windows 9x clients, you should install the Active Directory client to enable the use of NTLM v2 instead of NTLM or LM.
 By default, Kerberos will be used if the necessary conditions are met.
 To control which levels of NTLM are supported, configure the Network security: LAN Manager authentication level policy. Because this setting affects domain logon, a typical practice is to configure it in a GPO linked to the Domain Controllers OU.
 Kerberos doesn't work between forests or between domains connected with an external trust. In cases such as this, you should use certificates.
 You can configure Kerberos settings through the Kerberos Policies. Like Account Policies, these settings are effective only at the domain level.
 By setting the LM Compatibility level to 4 at the domain level, you configure both clients and servers to use only NTLM or Kerberos.

8.11. Kerberos Policies

Kerberos uses tickets to identify authenticated users. The ticket includes the user's encrypted authenticated identity, and can be presented to other servers in order to access network resources. The Kerberos policy settings allow you to control ticket duration, renewal, and enforcement. However, you should only change the default settings in the rarest of circumstances.

Enforce user logon restrictions: Enabled by default, this setting does the following:

 Enforces restrictions on user accounts
 Verifies user rights to log on locally and access network resources
 Verifies account validity

Maximum lifetime for service ticket: This setting allows you to determine how long a service ticket is valid. By default, the policy is set to 600 minutes. A value of 0 (zero) disables expiration.

Maximum lifetime for user ticket: This setting allows you to determine how long a user ticket is valid. By default, the policy is set to 10 hours. A value of 0 (zero) disables expiration.

Maximum lifetime for user ticket renewal: A ticket can be renewed as long as it is renewed within the time allotted by this setting. By default, the policy is set to 7 days.

Maximum tolerance for computer clock synchronization: By default, domain‐based computers must synchronize within five minutes of each other. A client does not receive a ticket if the client and server clocks are not synchronized closely enough.

Note: Kerberos policy settings should be edited in a GPO linked to the domain.

8.12. Windows Firewall

Windows Firewall is software that provides real‐time protection from unwanted access such as hackers, viruses, and worms. By default, all outbound traffic is allowed (as are inbound responses to those requests), and all unsolicited, incoming traffic is blocked. There are two tools you can use to manage the firewall:

Basic Windows Firewall: Using the basic firewall, you can:

 Block all incoming traffic, while allowing responses to outgoing traffic.
 Add exceptions to allow inbound traffic from specific protocols, applications, or ports.
 Filter traffic by scope (this allows you to restrict exceptions to specific IP addresses).
 Create custom application exceptions by specifying the program executables that can traverse the firewall.

Windows Firewall with Advanced Security: The advanced firewall provides all the features of the basic firewall, but additionally allows you to:

 Manage the firewall from a GUI interface inside an MMC snap‐in.
 Filter both outbound and inbound traffic.
 Configure advanced firewall rules (exceptions) for Active Directory user and computer accounts, source and destination IP addresses, protocols, ports, ICMP packets, and IPv6 traffic (among other components for which you can configure exceptions).
 Use a single interface to configure firewall rules and IPsec encryption configurations.

The table below describes the components of the Windows Firewall with Advanced Security features.

Profiles: A firewall profile is a way of grouping settings (i.e., firewall rules and/or connection security rules) applied to the computer depending on where the computer is connected. The Network Location Awareness Service determines which profile to apply depending on the type of network connection you've made. While only one profile is applied at a time, there are three types of profiles:

 Domain
 Private
 Public

Firewall rules: Firewall rules determine whether traffic is allowed or blocked. There are two types of rules:

 Inbound rules block or allow inbound traffic that matches the rule criteria. By default, inbound traffic is blocked when Windows is installed. You must create inbound rules to allow inbound traffic.
 Outbound rules block or allow outbound traffic that originates from the computer and matches the criteria in the rule. By default, outbound traffic is not blocked. You must create outbound rules to block outbound traffic.

Each incoming packet is inspected and compared to the criteria in the firewall rule. If the packet matches the rule, the specified action is taken: allow the connection, block the connection, or allow the connection only if it is secured through IPsec.

You can also specify the type of network adapter to which to apply the rule. Rules are applied in the following order:

 Authenticated bypass (rules that override block rules)
 Block connection
 Allow connection
 Default profile behavior

Note: Creating a firewall rule to allow traffic does not secure that traffic. You must use connection security rules (IPsec) to secure the traffic.

Policies: A policy is a combination of Windows Firewall with Advanced Security settings that you have configured (including profiles) and stored in a file.

 You can export a policy configured on one system and import it on another system.
 An imported policy overwrites and is applied in place of the current policy.
 Policies are saved with the .wfw extension.
 You can import policies into Group Policy objects to apply those policies to multiple computers.
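To make the rule precedence described above concrete, here is an added example (not code from the original guide) that models the evaluation order in Python. The rule and packet fields, the sample rule set and all addresses are simplified, constructed assumptions; "authenticated bypass" is modelled as an allow‑if‑secure rule that overrides block rules.

```python
"""Model of Windows Firewall with Advanced Security rule precedence.

Added example, not code from the original guide. It applies the evaluation
order described in the guide (authenticated bypass, then block, then allow,
then the profile's default behaviour) to a packet. Rule and packet fields,
the sample rules and all addresses are simplified, constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALL_PROFILES = frozenset({"domain", "private", "public"})


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in" or "out"
    protocol: str                       # "tcp" or "udp"
    port: int                           # local port for inbound, remote port for outbound
    remote_ip: str
    profile: str                        # profile chosen by Network Location Awareness
    ipsec_authenticated: bool = False   # connection protected by an authenticated IPsec SA


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                                     # "allow", "block", "allow_secure", "bypass"
    protocol: Optional[str] = None                  # None = any protocol
    port: Optional[int] = None                      # None = any port
    remote_scope: Optional[FrozenSet[str]] = None   # None = any remote address (Change Scope)
    profiles: FrozenSet[str] = ALL_PROFILES
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        """Do the rule's criteria (direction, protocol, port, scope, profile) match the packet?"""
        if not self.enabled or self.direction != pkt.direction:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.port is not None and self.port != pkt.port:
            return False
        if self.remote_scope is not None and pkt.remote_ip not in self.remote_scope:
            return False
        return pkt.profile in self.profiles


# Default profile behaviour from the guide: unsolicited inbound blocked, outbound allowed.
DEFAULT_ACTION = {"in": "block", "out": "allow"}


def evaluate(pkt: Packet, rules) -> tuple:
    """Return (decision, rule name) for the packet, walking the precedence order."""
    matching = [r for r in rules if r.matches(pkt)]
    # 1. Authenticated bypass overrides block rules, but only for IPsec-authenticated traffic.
    for r in matching:
        if r.action == "bypass" and pkt.ipsec_authenticated:
            return "allow", r.name
    # 2. Any matching block rule beats any matching allow rule.
    for r in matching:
        if r.action == "block":
            return "block", r.name
    # 3. Allow rules; "allow if secure" only counts when the connection is IPsec-authenticated.
    for r in matching:
        if r.action == "allow" or (r.action == "allow_secure" and pkt.ipsec_authenticated):
            return "allow", r.name
    # 4. Nothing matched: the profile's default behaviour applies.
    return DEFAULT_ACTION[pkt.direction], "<default>"


# Constructed sample rule set.
RULES = (
    Rule("Allow RDP (domain)", "in", "allow", "tcp", 3389, profiles=frozenset({"domain"})),
    Rule("Block RDP from guest host", "in", "block", "tcp", 3389,
         remote_scope=frozenset({"192.0.2.50"})),
    Rule("Admin bypass for RDP", "in", "bypass", "tcp", 3389,
         remote_scope=frozenset({"192.0.2.50"})),
    Rule("Allow HTTP in (IPsec only)", "in", "allow_secure", "tcp", 80),
)

if __name__ == "__main__":
    for pkt in (
        Packet("in", "tcp", 3389, "10.0.0.7", "domain"),
        Packet("in", "tcp", 3389, "192.0.2.50", "domain"),
        Packet("in", "tcp", 3389, "192.0.2.50", "domain", ipsec_authenticated=True),
        Packet("in", "tcp", 80, "10.0.0.7", "private"),
        Packet("out", "tcp", 443, "203.0.113.9", "public"),
    ):
        print(pkt, "->", evaluate(pkt, RULES))
```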

8.13. Firewall Management

You should know the following facts about the basic Windows Firewall:

 The Block all incoming connections check box prevents the firewall from allowing exceptions to flow through the firewall.
 You can use Exceptions to allow unsolicited traffic into your network. In addition to the built‐in exceptions that you can configure, you can add exceptions for either programs or ports.
 The Change Scope feature allows you to restrict client behavior according to IP addresses.
 Under the Advanced tab, you can select the interfaces on which to block externally initiated traffic.
 You can restore the basic default firewall settings using Restore Defaults.
 Basic Windows Firewall settings are configured in the or from the command line using the netsh firewall command‐line context.

You should know the following facts about the Windows Firewall with Advanced Security:

 You can manage Windows Firewall with Advanced Security through the MMC snap‐in, or you can use the netsh advfirewall command‐line context.
 Windows Firewall with Advanced Security runs on Windows Server 2008/2012/2016 and Windows Vista/7/10 machines.
 To import or export a policy, right‐click the Windows Firewall with Advanced Security folder and select either Import Policy or Export Policy.
 As a best practice, give each firewall rule a unique name to make working with rules at the command line easier.
 You can apply firewall rules to the following objects:
o Programs
o Ports
o System services
o Computers
o Users
o Custom settings
 When you add roles, role services, or features to a server, the corresponding firewall ports are usually opened automatically.
 The Windows firewall includes predefined rules that are disabled, but which are used by common applications or services. If possible, simply enable these default rules instead of defining your own.
 Each setting that you add to a rule makes it progressively more restrictive.
 When adding a program to the rules list, specify the full path to the executable (.exe) file. Also specify the full path to the executable (.exe) file in the case of a system service that uses its own .exe file rather than running in its own container, or in the case of a program that acts like a system service but runs whether a user is logged in or not (as long as it, too, runs in its own container).
 If you wish to add a service to the rules list, add the service with its associated service security identifier (SID). This provides more security than adding the service process or container to the list.
 For programs on the rules list, Windows Firewall with Advanced Security dynamically blocks and unblocks the ports the program uses according to the following criteria:
o If the program is running and listening, the ports are open.
o If the program is not running, the ports are blocked.
 If you are not able to add the program or service, manually identify the port or ports associated with the program or service. After the port is added to the list, it is open (unblocked) whenever Windows Firewall with Advanced Security is running, whether it should be or not. For this reason, it is best practice to create a program rule rather than a port rule.
 You can set an option to use Edge Traversal if you are using Teredo to avoid the use of NAT.
 If logging is enabled, an entry in the firewall log file is created (the log file is found in C:\Windows\system32\LogFiles\Firewall\pfirewall.log).
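As an added, defender‑side example that is not from the original guide, the following Python parses the pfirewall.log format (comment lines starting with "#", a "#Fields:" line naming the columns, then one space‑separated record per line) and summarises dropped inbound packets. The log records are constructed sample data; only the log path is taken from the guide.

```python
"""Summarise dropped inbound traffic from a Windows Firewall log.

Added example, not code from the original guide. pfirewall.log is a W3C-style
text file: comment lines start with '#', a '#Fields:' line names the columns,
and each record is one space-separated line. The records below are constructed.
"""
import io
from collections import Counter

# Constructed sample log in the real file's layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 08:00:01 DROP TCP 192.0.2.50 10.0.0.7 51515 3389 52 S 123456 0 8192 - - - RECEIVE
2024-03-01 08:00:02 DROP TCP 192.0.2.50 10.0.0.7 51516 3389 52 S 123457 0 8192 - - - RECEIVE
2024-03-01 08:00:03 DROP TCP 192.0.2.50 10.0.0.7 51517 445 52 S 123458 0 8192 - - - RECEIVE
2024-03-01 08:00:04 ALLOW TCP 10.0.0.7 203.0.113.9 49200 443 0 - 0 0 0 - - - SEND
2024-03-01 08:00:05 DROP UDP 198.51.100.3 10.0.0.7 5353 5353 64 - - - - - - - RECEIVE
2024-03-01 08:00:06 DROP ICMP 198.51.100.3 10.0.0.7 - - 84 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Return a list of dicts keyed by the column names from the #Fields: header."""
    fields = None
    entries = []
    for raw in io.StringIO(text):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue                      # #Version, #Software, #Time Format
        if fields is None:
            raise ValueError("record appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                      # torn or truncated record: skip it
        entries.append(dict(zip(fields, values)))
    return entries


def dropped_inbound_by_port(entries):
    """Count DROP records on the RECEIVE path per (protocol, destination port)."""
    counts = Counter()
    for e in entries:
        if e["action"] == "DROP" and e["path"] == "RECEIVE":
            counts[(e["protocol"], e["dst-port"])] += 1
    return counts


def noisy_sources(entries, threshold=2):
    """Remote addresses with at least `threshold` dropped inbound packets."""
    counts = Counter(e["src-ip"] for e in entries
                     if e["action"] == "DROP" and e["path"] == "RECEIVE")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def load_firewall_log(path=r"C:\Windows\system32\LogFiles\Firewall\pfirewall.log"):
    """Read the real log (path from the guide) with the same parser."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_firewall_log(fh.read())


if __name__ == "__main__":
    entries = parse_firewall_log(SAMPLE_LOG)
    for (proto, port), n in dropped_inbound_by_port(entries).most_common():
        print(f"{proto:5} dst-port {port:>5}: {n} dropped")
    print("noisy sources:", noisy_sources(entries))
```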

8.14. Common Port Numbers

Port numbers identify a specific service running on a computer. As a best practice, configure your firewall to allow only the ports for the services provided on your network (and block all others). The following table lists port numbers for common services.

Port(s)           Service
20, 21            File Transfer Protocol (FTP)
23                Telnet
25                Simple Mail Transfer Protocol (SMTP)
50, 51            IPSec (ESP and AH; these are IP protocol numbers rather than TCP/UDP ports)
53                Domain Name Server (DNS)
67, 68            Dynamic Host Configuration Protocol (DHCP)
69                Trivial File Transfer Protocol (TFTP)
80                HyperText Transfer Protocol (HTTP)
88, 749           Kerberos
110               Post Office Protocol 3 (POP3)
119               Network News Transport Protocol (NNTP)
137‐139           NetBIOS
143               Internet Message Access Protocol (IMAP4)
161, 162          Simple Network Management Protocol (SNMP)
389               Lightweight Directory Access Protocol (LDAP)
443               HTTP with Secure Sockets Layer (SSL)
500 (UDP), 1701   Layer Two Tunneling Protocol (L2TP)
1723              Point‐to‐Point Tunneling Protocol (PPTP)

For example, to allow HTTP traffic (both normal and secure traffic), open ports 80 and 443.

8.15. IPsec

Internet Protocol Security (IPsec) is a tunneling protocol that protects IP packets during transmission. Use IPsec to secure host‐to‐host and site‐to‐site communications, or to require only encrypted communications with specific servers or hosts. IPSec is also used with L2TP. IPSec includes the following protocols:

Authentication Header (AH): Authentication Header (AH) provides authentication. It performs the following functions:

 Provides integrity validation for layers 4, 5, 6, 7, and the payload.
 Provides data integrity for the IP header.
 Uses a symmetric key (HMAC) for a weak form of authentication and for anti‐replay protection.
 Does not work through NAT.

AH does not encrypt data, so it does not provide confidentiality.

Encapsulating Security Payload (ESP): Encapsulating Security Payload (ESP) provides encryption and a weak form of authentication. It performs the following functions:

 Encrypts layers 4, 5, 6, 7, and the payload.
 Symmetric key weak authentication.
 Sequencing with anti‐replay capabilities.
 Works through NAT.
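The NAT behaviour stated for AH and ESP follows from what each protocol's integrity check covers, which the following Python models; it is an added example, not code from the original guide. The key, the addresses, the packet layout and the hash‑based keystream (a stand‑in for ESP's real cipher) are constructed, so this illustrates the coverage of the integrity check and the sequence‑number replay check rather than implementing RFC‑conformant AH or ESP.

```python
"""Why AH does not work through NAT while ESP does.

Added example, not code from the original guide. AH's HMAC covers the
immutable IP header fields (source and destination address) plus the payload,
so a NAT rewrite of the source address fails the check. ESP's HMAC covers only
its own SPI/sequence header and the encrypted payload, so the outer IP header
may change. Key, addresses and the hash-based keystream (standing in for the
real cipher) are constructed; this is not RFC-conformant AH or ESP.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key-not-for-real-use"


def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum field is left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def _ah_icv(src, dst, payload):
    # AH zeroes mutable header fields (TTL, checksum) before hashing, but the
    # addresses are immutable and therefore covered by the integrity check value.
    return hmac.new(KEY, ip_header(src, dst, 51, ttl=0) + payload, hashlib.sha1).digest()


def ah_build(src, dst, payload):
    return {"src": src, "dst": dst, "ttl": 64, "icv": _ah_icv(src, dst, payload),
            "payload": payload}          # AH: the payload travels in clear text


def ah_verify(pkt):
    return hmac.compare_digest(_ah_icv(pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])


def _keystream(spi, seq, n):
    """Hash-derived keystream standing in for AES/3DES; NOT a real cipher."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(KEY + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:n]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_build(src, dst, spi, seq, payload):
    body = struct.pack("!II", spi, seq) + _xor(payload, _keystream(spi, seq, len(payload)))
    icv = hmac.new(KEY, body, hashlib.sha1).digest()   # covers the ESP body only
    return {"src": src, "dst": dst, "ttl": 64, "body": body, "icv": icv}


def esp_verify(pkt, replay_state):
    """Return the decrypted payload, or None if the ICV fails or the sequence number replays.

    replay_state maps SPI -> highest sequence number accepted so far (a
    simplified anti-replay window)."""
    if not hmac.compare_digest(hmac.new(KEY, pkt["body"], hashlib.sha1).digest(), pkt["icv"]):
        return None
    spi, seq = struct.unpack("!II", pkt["body"][:8])
    if seq <= replay_state.get(spi, 0):
        return None                       # replayed (or stale) sequence number
    replay_state[spi] = seq
    ciphertext = pkt["body"][8:]
    return _xor(ciphertext, _keystream(spi, seq, len(ciphertext)))


def nat_rewrite_source(pkt, public_ip):
    """What a NAT device does on the way out: new source address, TTL decremented."""
    return {**pkt, "src": public_ip, "ttl": pkt["ttl"] - 1}


if __name__ == "__main__":
    ah = ah_build("10.0.0.7", "203.0.113.9", b"hello")
    print("AH direct:", ah_verify(ah),
          " AH via NAT:", ah_verify(nat_rewrite_source(ah, "198.51.100.1")))
    esp = esp_build("10.0.0.7", "203.0.113.9", 0x1000, 1, b"hello")
    print("ESP via NAT:", esp_verify(nat_rewrite_source(esp, "198.51.100.1"), {}))
```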

Internet Key Exchange (IKE): The Internet Key Exchange (IKE) negotiates the connection. As two endpoints are securing an IPSec network, they have to negotiate what is called a security association (SA). An inbound and an outbound SA are necessary for each connection with a remote endpoint. The SAs are stored in a database that holds every security association that a machine has ever negotiated, called a Security Parameter Index (SPI). IKE uses the following functions:

 Internet Security Association Key Management Protocol (ISAKMP) establishes a framework for the negotiation.
 Oakley uses Diffie‐Hellman to generate the symmetric keys used for encrypting the negotiation of the SA and for all data encryption that follows.

IKE supports certificate or pre‐shared key authentication.

Authenticated IP (AuthIP): Authenticated IP (AuthIP) is a set of extensions to IKE that adds support for additional authentication methods. AuthIP adds support for:

 User authentication (IKE supports only computer authentication)
 Kerberos v5 support
 NTLMv2 support
 Certificates, including user, computer, and health certificates issued by a Health Registration Authority (HRA)

AuthIP is only supported on Windows Vista/7/10 or Windows Server 2008/2012/2016.

Establishing the IPsec connection uses two phases:

 In phase 1 (Main Mode), clients use clear text communications to establish a secure communication channel.  In phase 2 (Quick Mode), clients use the secure channel established in phase 1 to negotiate communication parameters including the authentication and encryption protocols to use.

Windows Vista/Windows 7/Windows 10 and Server 2008/2012/2016 support the following protocols for configuring IPsec (protocols are listed in order, from most secure to least secure).

Integrity: Data integrity ensures that packets have not been altered during transmission. Hashing algorithms provide data integrity. Protocols supported are:

 SHA1 is the default and recommended hashing method. It uses more resources than MD5, but is more secure.
 MD5 is supported but should only be used for backwards compatibility.

Encryption: Encryption provides confidentiality, which means that only the intended recipient can read the packet contents. Asymmetric key provides encryption services. Protocols supported are:

 AES‐256 (supported on Vista and later)
 AES‐192 (supported on Vista and later)
 AES‐128 (supported on Vista and later); this is the default
 3DES (Triple‐DES)
 DES (supported for backwards compatibility)

Key exchange: The key exchange algorithm identifies the protocol used for exchanging the keys used for encryption. Protocols supported are:

 Elliptic Curve Diffie‐Hellman P‐384 (supported on Vista and later)
 Elliptic Curve Diffie‐Hellman P‐256 (supported on Vista and later)
 Diffie‐Hellman Group 14
 Diffie‐Hellman Group 2 (this is the default)
 Diffie‐Hellman Group 1

In addition to setting the key exchange protocol, you also configure the key lifetime. This determines how often new keys must be generated for the communication session.

Authentication: Authentication provides computer and/or user authentication. User authentication requires AuthIP support, provided with Vista and later. Supported authentication methods with AuthIP support are:

 Kerberos
 NTLMv2
 Computer certificates, including health certificates
 Pre‐shared key

You can configure computer authentication, user authentication, or both.

8.15. IPsec Configuration

For Vista and Windows Server 2008, IPsec is configured through the Windows Firewall with Advanced Security console.

Global settings: Global settings apply to the entire computer and define the supported protocols or default values that are used. Configure global settings by editing the properties of the Windows Firewall with Advanced Security node. Global settings you configure are:

 Main Mode settings, which include the key exchange protocol and the integrity (hashing) and encryption protocols used during key exchange.
 Quick Mode settings, which select either AH or ESP (or both), along with the integrity and encryption protocols used during regular communications.
 Default authentication methods supported. You can choose to accept user and/or computer authentication, along with the supported methods (such as Kerberos, NTLMv2, certificates, or pre‐shared key).
 Whether ICMP messages are exempt from IPsec.

Connection Security Rule: A Connection Security rule identifies settings for authenticating two computers before communications begin. Connection Security rules include the following settings:

 Endpoints identify individual computers, subnets, IP address ranges, or all computers that can create a connection. The settings in the rule are applied to the pair of computers defined by the two endpoints. Settings are applied between any computer in Endpoint 1 and any computer in Endpoint 2 (settings are not applied between two computers defined in a single endpoint).
 Authentication settings that will be enforced for the connection. You specify the authentication mode (whether authentication is required for inbound or outbound communications) along with the authentication method.
 Profile settings identify which network profile (domain, private, or public) the rule will be enforced on.
 Interface types allow you to select an interface classification (local area network, remote access, or wireless) to which the rule will apply.
 Tunnel endpoints define gateway servers that are used for communicating with the specified endpoints. Tunnel endpoints are used for gateway‐to‐gateway, server‐to‐server, or server‐to‐gateway communications.

Be aware of the following when configuring IPsec:

 Connection Security rules can be enabled or disabled. Rule settings allow you to apply the rule to specific network locations or network interface classifications.
 When you create a new Connection Security rule, a wizard guides you through the process of creating the rule. You begin by selecting a rule type. The rule type sets some default settings based on the intended use of the rule, and prompts you to modify the settings necessary for the intended use.
o Choose an isolation rule to restrict access based on authentication type and network profile (location).
o Choose an authentication exemption to identify computers for which authentication is not required. You can exclude computers by name, IP address, or role type (such as default gateway, DHCP, or DNS servers).
o Choose a server‐to‐server rule to define the endpoint computers, along with the required authentication method and profile setting.
o Choose a tunnel rule to set up authentication settings between gateway computers.
o Choose a custom rule to configure all wizard settings.
Note: The rule type you select in the wizard determines the settings you can configure using the wizard. After configuring the rule, you can modify any setting in the rule. The rule type only has meaning within the wizard, to configure basic rule settings based on the intended use for the rule.

 Within the rule, you define the authentication requirements, described in the table below.

Request authentication for inbound and outbound connections: This option allows you to ask for authentication for all outbound and inbound traffic, but you can still allow the connection if authentication fails.

Require authentication for inbound and outbound connections: This option allows you to block all traffic, inbound or outbound, that cannot be authenticated.

Require authentication for inbound connections and request authentication for outbound connections: This option allows you to block inbound traffic from computers that cannot authenticate. Outbound traffic can authenticate, but if authentication fails, the traffic is still allowed.

Do not authenticate: Authentication is not required.

 When configuring authentication, be aware of the following:
o To use user authentication, computers must be running Windows Vista or later.
o To use Kerberos, computers must be members of the same forest and must be running Windows 2000 or later.
o If Kerberos is not supported, you can authenticate using certificates. Using certificates requires a PKI and computers that can be issued a certificate. Computers do not need to be members of the same forest.
o If Kerberos or certificates cannot be used, use pre‐shared keys. The same key value must be configured on both computers.
o When using IPsec for an L2TP VPN, you must use certificates (Kerberos is not supported).
o Pre‐shared keys are configured on each device, but the key itself is never transmitted over the network. However, the key is saved unencrypted on the computer and can be viewed if local access to the computer is obtained.
 Configuring a Connection Security rule secures traffic but does not allow that traffic through the firewall. You must configure a firewall rule to allow IPsec traffic:
o Allow UDP port 500 for IKE
o Allow IP protocol 51 for AH
o Allow IP protocol 50 for ESP
 When you configure global key exchange, IPsec, integrity, encryption, and advanced authentication protocols, you can specify multiple combinations that are supported by the computer. During the connection phases, computers will negotiate the protocols to use. Computers will attempt to use protocols at the top of each list. A connection will be possible only if both computers share at least one common protocol for each setting type.
 The use of AH and/or ESP can only be configured using the global settings, not as properties of a specific Connection Security rule.
o Do not use AH when the solution must work through NAT.
o To provide integrity for both the packet contents and the IP header, use both AH and ESP when configuring data integrity and encryption settings.
o Choose the Require encryption for all connection security rules that use these settings option to require data encryption (not just packet integrity). When requiring encryption, ESP is used, either alone or in conjunction with AH.
 Use the netsh advfirewall context to manage IPsec settings from the command prompt.
 Previous Windows versions used IPsec policies configured through the Local Security Policy or Group Policy. You can still use these tools to manage IPsec on Windows Vista/7/10 and Server 2008/2012/2016 systems, but IPsec policies don't include the additional features introduced with Vista/2008.
 You can monitor IPsec from the Windows Firewall with Advanced Security console by using the Monitoring node.
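The negotiation behaviour described in the list above (top‑of‑list preference, failure when a setting type has no common entry, and the AH/ESP cautions) can be modelled directly; the following Python is an added example, not code from the original guide. The server's algorithm lists follow the order of the tables in the previous section; the two client policies, the without() helper and quick_mode_warnings() are constructed illustrations.

```python
"""Model of IPsec proposal negotiation as described in the guide.

Added example, not code from the original page. Each side keeps an ordered
list (most secure first) per setting type; the initiator walks its list and
takes the first entry the responder also offers. If any setting type has no
common entry, no connection is possible. All policies below are constructed.
"""

# Constructed server policy, ordered as the guide's tables are (most to least secure).
SERVER = {
    "integrity":    ["SHA1", "MD5"],
    "encryption":   ["AES-256", "AES-192", "AES-128", "3DES", "DES"],
    "key_exchange": ["ECDH-P384", "ECDH-P256", "DH-14", "DH-2", "DH-1"],
}

# Constructed client policies: a current client, and a legacy one that only
# offers the backwards-compatibility algorithms.
MODERN_CLIENT = {
    "integrity":    ["SHA1"],
    "encryption":   ["AES-256", "AES-128"],
    "key_exchange": ["ECDH-P384", "DH-14"],
}
LEGACY_CLIENT = {
    "integrity":    ["MD5"],
    "encryption":   ["3DES", "DES"],
    "key_exchange": ["DH-2", "DH-1"],
}


def negotiate(initiator, responder):
    """Return {setting: chosen algorithm}, or None when some setting has no overlap.

    For each setting type the initiator's preferences are tried top-down and
    the first one the responder also lists wins. A weak algorithm left at the
    bottom of a list for compatibility therefore stays selectable whenever the
    peer offers nothing stronger."""
    chosen = {}
    for setting, prefs in initiator.items():
        offered = responder.get(setting, [])
        pick = next((p for p in prefs if p in offered), None)
        if pick is None:
            return None            # no common protocol for this setting type
        chosen[setting] = pick
    return chosen


def without(policy, banned):
    """Copy of a policy with the given algorithms removed from every list."""
    return {setting: [p for p in prefs if p not in banned]
            for setting, prefs in policy.items()}


def quick_mode_warnings(protocols, behind_nat, require_encryption):
    """Sanity checks on the Quick Mode AH/ESP choice, following the guide's cautions."""
    warnings = []
    if behind_nat and "AH" in protocols:
        warnings.append("AH does not work through NAT")
    if require_encryption and "ESP" not in protocols:
        warnings.append("requiring encryption needs ESP (alone or with AH)")
    return warnings


if __name__ == "__main__":
    print("modern client:", negotiate(MODERN_CLIENT, SERVER))
    print("legacy client:", negotiate(LEGACY_CLIENT, SERVER))
    hardened = without(SERVER, {"MD5", "DES", "3DES", "DH-1", "DH-2"})
    print("legacy client vs hardened server:", negotiate(LEGACY_CLIENT, hardened))
    print(quick_mode_warnings(["AH", "ESP"], behind_nat=True, require_encryption=True))
```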