DHCP enforcement is deployed with a DHCP Network Access Protection (NAP) enforcement server component, a DHCP enforcement client component, and Network Policy Server (NPS). Using DHCP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IP version 4 (IPv4) address. However, if client computers are configured with a static IP address or are otherwise configured to circumvent the use of DHCP, this enforcement method is not effective.
In the diagram above, SERVER1 is main.server.com and will be configured as a domain controller with Active Directory and DNS. SERVER2 is nps.server.com and will be configured as the NAP health policy server and DHCP server. CLIENT1 is a client computer running Windows Vista or Windows 7; it will be configured as a DHCP and NAP client.
Note: You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to perform the tasks.
CONFIGURE DC ON SERVER1:
Step 1: Configure SERVER1 as a domain controller and configure TCP/IP as given below.
Step 2: Create the User1 account in Active Directory.
This account will be used when logging on to NPS and CLIENT1.
Step 3: Add User1 to the Domain Admins group.
Step 4: Create a security group for NAP client computers.
Step 5: Add CLIENT1 to the NAP client computers security group.
Step 7: Install DHCP and Network Policy Server on SERVER2:
Log on to the SERVER domain with the User1 account you created.
Click Start, click Server Manager, under Roles Summary click Add Roles, and then click Next. On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes, and then click Next twice.
On the Select Role Services page, select the Network Policy Server check box, and then click Next twice.
On the Select Network Connection Bindings page, verify that 10.10.10.1 is selected, and then click Next.
On the Specify IPv4 DNS Server Settings page, verify that server.com is listed under Parent domain.
Type 10.10.10.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next.
On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.
On the Add or Edit DHCP Scopes page, click Add.
In the Add Scope dialog box, type Scope1 next to Scope Name. Next to Starting IP Address, type 10.10.10.12, next to Ending IP Address, type 10.10.10.51, and next to Subnet Mask, type 255.255.255.0.
Select the Activate this scope check box, click OK, and then click Next.
On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.
On the Authorize DHCP Server page, select Use current credentials. Verify that SERVER\user1 is displayed next to Username, and then click Next.
On the Confirm Installation Selections page, click Install.
Verify the installation was successful, and then click Close.
Step 8: Install the Group Policy Management feature by using the servermanagercmd command.
Step 9: Configure NPS as a NAP health policy server:
Click Start, click Run, type nps.msc, and then press ENTER. In the details pane, under Standard Configuration, click Configure NAP.
On the Select Network Connection Method for Use with NAP page, under Network connection method, select Dynamic Host Configuration Protocol (DHCP), and then click Next.
On the Specify NAP Enforcement Servers Running DHCP page, click Next. Because this NAP health policy server has DHCP installed locally, we do not need to add RADIUS clients.
On the Specify DHCP Scopes page, click Next.
On the Configure User Groups and Machine Groups page, click Next.
On the Specify a NAP Remediation Server Group and URL, click Next. Remediation servers will be configured later.
On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
Step 10: Configure the Windows Security Health Validator (WSHV):
SHVs define configuration requirements for computers that attempt to connect to your network. Here, the WSHV will be configured to require only that Windows Firewall is enabled.
Go to Network Policy Server console > Network Access Protection > System Health Validators > under Name, double-click Windows Security Health Validator > In the Windows Security Health Validator Properties dialog box, click Configure.
Clear all check boxes except A firewall is enabled for all network connections, click Apply, and then click OK.
Step 11: Configure server1 as a remediation server:
A remediation server hosts the updates that NAP agent can use to bring noncompliant client computers into compliance with health policy, as defined in Network Policy Server (NPS).
Click Start, click Run, type nps.msc, and then press ENTER. Navigate to Policies\Network Policies, open the properties of NAP DHCP Non-Capable, and on the Settings tab click NAP Enforcement. Under the remediation server group option, click Configure, click New Group, enter the group name and the server name, and then click OK three times.
Click Start, click Run, type nps.msc, and then press ENTER. Navigate to Policies\Network Policies, open the properties of NAP DHCP Noncompliant, and on the Settings tab click NAP Enforcement. Under the remediation server group option, click Configure, click New Group, enter the group name and the server name, and then click OK three times.
Step 12: Enable the DHCP scope for NAP:
Click Start, click Run, type dhcpmgmt.msc, and then press ENTER. In the console tree, expand nps.server.com, expand IPv4, right-click Scope [10.10.10.0] Scope1, and then click Properties. On the Network Access Protection tab, under Network Access Protection Settings, choose Enable for this scope, verify that Use default Network Access Protection profile is chosen, and then click OK.
Configure the default user class:
In the DHCP console tree, under Scope [10.10.10.0] Scope1, right-click Scope Options, and then click Configure Options. On the Advanced tab, verify that Default User Class is chosen next to User class.
Select the 006 DNS Servers check box, in IP Address, under Data entry, type 10.10.10.1, and then click Add.
Select the 015 DNS Domain Name check box, in String value, under Data entry, type server.com, and then click OK. The server.com domain is a full-access network assigned to compliant NAP clients.
Configure the default NAP class:
On the Advanced tab, next to User class, choose Default Network Access Protection Class.
Select the 006 DNS Servers check box, in IP Address, under Data entry, type 10.10.10.1, and then click Add.
Select the 015 DNS Domain Name check box, in String value, under Data entry, type restricted.server.com, and then click OK. The restricted.server.com domain is a restricted-access network assigned to noncompliant NAP clients.
Step 13: Configure NAP client settings in Group Policy:
Click Start, click Run, type gpme.msc, and then press ENTER. In the Browse for a Group Policy Object dialog box, next to server.com, click the icon to create a new GPO, type NAP client settings for the name of the new GPO, and then click OK.
The Group Policy Management Editor window opens. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent, select the Define this policy setting check box, choose Automatic, and then click OK.
In the console tree, open Network Access Protection\NAP Client Configuration\Enforcement Clients, right-click DHCP Quarantine Enforcement Client, and then click Enable.
In the console tree, right-click NAP Client Configuration, and then click Apply.
In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center. For Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.
Step 14: Configure security filters for the NAP client settings GPO:
Click Start, click Run, type gpmc.msc, and then press ENTER. Navigate to Forest: server.com\Domains\server.com\Group Policy Objects\NAP client settings.
In the details pane, under Security Filtering, click Authenticated Users, click Remove, and then add the NAP client computers security group.
Step 15: Join CLIENT1 to the server.com domain, and then log on to the server.com domain with the User1 account you created.
Step 16: Configure the Local Area Connection properties on CLIENT1 to obtain an IP address automatically and obtain DNS server address automatically.
Step 17: Verify Group Policy settings:
In the command window, type netsh nap client show grouppolicy, and then press ENTER.
In the command output, under Enforcement clients, verify that the Admin status of the DHCP Quarantine Enforcement Client is Enabled.
In the command window, type netsh nap client show state, and then press ENTER.
In the command output, under Enforcement client state, verify that the Initialized status of the DHCP Quarantine Enforcement Client is Yes.
Step 18: Verify NAP functionality:
To obtain a new IP address profile for CLIENT1 from DHCP, type ipconfig /renew, and then press ENTER.
Step 19: Verify NAP auto-remediation:
Turn off Windows Firewall. In Windows Security Center, you will see the status of Windows Firewall displayed as Off and then as On.
You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off.
The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network. See the following example.
Because auto-remediation occurs rapidly, you might not see one or both of these messages.
VERIFICATION OF HEALTH POLICY ENFORCEMENT
Step 20: Log on to SERVER2, open the Network Policy Server console, and navigate to Network Access Protection > System Health Validators. Under Name, double-click Windows Security Health Validator, and in the Windows Security Health Validator Properties dialog box, click Configure.
In the Windows Security Health Validator dialog box, under Virus Protection, select the An antivirus application is on check box.
Step 21: Now log on to CLIENT1, and then release and renew the IP address.
In the command output, verify that the value of Connection-specific DNS Suffix is restricted.server.com and that the value of Subnet Mask is 255.255.255.255. Because the NAP Agent service is not running on CLIENT1, restricted access to the network is still enforced.
Because the client computer is in a noncompliant state, the DHCP server will assign an IP address to the client computer for the restricted network. You can tell that the client is on the restricted network because the DHCP server assigns a connection-specific DNS suffix of restricted.server.com. The following figure shows an example.
You might see a message in the notification area that indicates the computer does not meet the corporate security requirements as given below.
Step 22: View the client's restriction state with Netsh:
At the command prompt, type netsh nap client show state, and then press ENTER.
Scroll up the command window to display the Client state section. The Restriction state should be “Restricted.”
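Steps 17, 21 and 22 read the same two sources by hand; the following PowerShell script, added here and not part of the original guide, parses them on CLIENT1 and flags when the NAP Agent's restriction state disagrees with the DHCP lease the client actually received. It assumes the restricted-network suffix restricted.server.com and the 255.255.255.255 mask from Steps 12 and 21; the sample outputs at the bottom are constructed.

```powershell
function Get-NapRestrictionState {
    param([string[]]$NetshOutput)
    # 'netsh nap client show state' prints a line such as
    #   Restriction state      = Not restricted
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Restriction state\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return 'Unknown'
}

function Get-DhcpLeaseProfile {
    param([string[]]$IpconfigOutput)
    # Take the first non-empty DNS suffix and the first subnet mask printed by ipconfig.
    $suffix = ''; $mask = ''
    foreach ($line in $IpconfigOutput) {
        if (-not $suffix -and $line -match 'Connection-specific DNS Suffix[ .]*:\s*(\S*)') { $suffix = $Matches[1] }
        if (-not $mask -and $line -match 'Subnet Mask[ .]*:\s*(\S+)') { $mask = $Matches[1] }
    }
    New-Object PSObject -Property @{ DnsSuffix = $suffix; SubnetMask = $mask }
}

function Test-NapClientPlacement {
    param(
        [string[]]$NetshOutput    = (& netsh nap client show state),
        [string[]]$IpconfigOutput = (& ipconfig),
        [string]$RestrictedSuffix = 'restricted.server.com'   # assumption: the suffix set in Step 12
    )
    $state = Get-NapRestrictionState -NetshOutput $NetshOutput
    $lease = Get-DhcpLeaseProfile -IpconfigOutput $IpconfigOutput
    $onRestrictedNet = ($lease.DnsSuffix -eq $RestrictedSuffix) -or ($lease.SubnetMask -eq '255.255.255.255')
    # Consistent = the NAP Agent's view and the DHCP lease agree; a mismatch usually
    # means a stale lease (run ipconfig /renew) or the NAP Agent service not running.
    New-Object PSObject -Property @{
        RestrictionState = $state
        DnsSuffix        = $lease.DnsSuffix
        SubnetMask       = $lease.SubnetMask
        OnRestrictedNet  = $onRestrictedNet
        Consistent       = (($state -eq 'Restricted') -eq $onRestrictedNet)
    }
}

# Constructed sample of the output Step 21 produces on a noncompliant client.
$sampleNetsh = @('Client state:', 'Status                 = Enabled', 'Restriction state      = Restricted')
$sampleIpcfg = @('Ethernet adapter Local Area Connection:',
                 '   Connection-specific DNS Suffix  . : restricted.server.com',
                 '   IPv4 Address. . . . . . . . . . . : 10.10.10.12',
                 '   Subnet Mask . . . . . . . . . . . : 255.255.255.255')
Test-NapClientPlacement -NetshOutput $sampleNetsh -IpconfigOutput $sampleIpcfg | Format-List
# On CLIENT1 itself, run Test-NapClientPlacement with no arguments to read the live output.
```

The sample run reports RestrictionState Restricted, OnRestrictedNet True and Consistent True; after auto-remediation succeeds, a live run should show Not restricted with the server.com suffix and a 255.255.255.0 mask.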