How to apply Network Health Policy to single machine as test

I think I have created a network health policy using NPS but I need to test it. Rather than discover that I am denying access to all my machines, I would like to apply to one machine only - how do I do this in Windows 2008?
LVL 4
fuzzyfreakAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
You can create a user or computer group in AD DS and then add the group as a condition in a NPS network policy.
https://technet.microsoft.com/en-us/library/cc732449(v=ws.10).aspx

Here is one old article but pretty good read overall and the configuration example described is sound. Key is to ensure the client machine chosen is NPS capable e.g. XP3 above and decide the enforcement methods with reporting first then test.
For this example deployment the following steps are required:

-Install NAP SHA components on NAP clients.
-Install SHVs on NPS server.
-Configure SHVs for the desired health policy.
-Run the New Network Policy Wizard to create NAP health policies. Configure the policy such that it is not restricting network access and is operating in reporting mode.
-Enable the network policy and set the policy to grant access.
-Monitor the NAP health of the clients and address any problems to reduce the number of noncompliant clients to the desired level.
-In the network policy, enable network restriction using a desired grace time to allow clients time to attain compliance before being restricted (probation mode).
-Monitor the NAP health of the network running in probation mode for a period of time until satisfied that operations are performing as expected.
-In the network policy, eliminate the grace period and implement enforcement mode--where noncompliant clients are given restricted access at the time of health check until they undergo remediation and are returned to a compliant state.

Plan to enable the two types of logging in Network Policy Service (NPS) during lab testing and your pilot deployment.

-Event logging for NPS: Records NPS events in the system event log. This is used primarily for auditing and troubleshooting connection attempts.
-Logging user authentication and accounting requests: Logs user authentication and accounting requests to log files in text or database format, or in a stored procedure in a SQL Server 2000 or SQL Server2005 database.
http://blogs.technet.com/b/nap/archive/2007/07/28/network-access-protection-deployment-planning.aspx
btanExec ConsultantCommented:
Also from sharing
You can save NAP client settings in a configuration file that you can then apply to other computers. You need to be a member of the local Administrators group on the computer to import a configuration file. To import a configuration file, type NAPCLCFG.MSC at the command line or in the Run box to open the NAP Client Configuration console. Right click the top level node, NAP Client Configuration (Local Computer) in the left pane, and select Import. Navigate to the location where the file is stored, type the file name for the configuration file and select Open.

Alternatively, you cantype netsh nap client import filename = <file name>
http://www.windowsecurity.com/articles-tutorials/Windows_Server_2012_Security/understanding-configuring-network-policy-access-services-server-2012-part2.html
fuzzyfreakAuthor Commented:
Thanks very much guys, I will try this on Monday. (not sure why this question has been labelled as neglected?)
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

fuzzyfreakAuthor Commented:
Hello, so I managed to look at this yesterday and must thank you for pointing me towards GROUPS - I did not know about these.  Only problem is, when I activated the NHP, I get a red X and nothing tells me why this is (I am expecting a green tick).

thanks
btanExec ConsultantCommented:
seems like the discovery of the machine is not available.
>> If the machine is domain joined, if machine has NAP agent, if you are admin in the setup in the console, ...
>> If all of your NAP clients are experiencing problems for all types of NAP enforcement methods, there may be configuration issues on your NAP health policy servers.
>> If all of your NAP clients are experiencing problems with a specific NAP enforcement method, configuration issues might exist for the Group Policy settings for NAP clients or with the health requirement policies for the specific NAP enforcement method on your NAP health policy servers.
>> If only specific NAP clients are experiencing NAP enforcement problems, configuration issues for NAP enforcement might exist for those NAP clients.
Some useful command - https://msdn.microsoft.com/en-us/library/dd348461(v=ws.10).aspx

You can configure NAP client settings in one of three ways:
•NAP Client Configuration Console gives you a graphical UI for configuring the NAP client settings.
•Netsh gives you a way to configure NAP client settings from the command line.
•Group Policy Management Console allows you to configure NAP client settings in Group Policy on clients that are domain members.

save NAP client settings in a configuration file that you can then apply to other computers. You need to be a member of the local Administrators group on the computer to import a configuration file. To import a configuration file, type NAPCLCFG.MSC at the command line or in the Run box to open the NAP Client Configuration console. Right click the top level node, NAP Client Configuration (Local Computer) in the left pane, and select Import.

clients need to be enabled as Remote Access clients so health policies will be enforced when they attempt to access the network through the NAP-enabled VPN server. The NAP enforcement clients are enabled and disabled through the NAP Client Configuration console or the netsh command.
http://www.windowsecurity.com/articles-tutorials/Windows_Server_2012_Security/understanding-configuring-network-policy-access-services-server-2012-part2.html
fuzzyfreakAuthor Commented:
Slightly overwhelmed with info here.  Is all the above relevant to my policy not being enabled?
btanExec ConsultantCommented:
First off, no they are policy setting but I coming more from to make sure client is NAP capable since it is single machine you wanted to test. Hence going with local setting configuration (implemented with policy) within that machine to test out instead. It can get complex with troubleshooting when going into GPO like what you facing now...Eventually we will still need GPO for that big rollout. These command line using Netsh is specific for local setting only in https://msdn.microsoft.com/en-us/library/dd348461(v=ws.10).aspx e.g show status of the client machine etc to make sure all pre-req is ready first before importing policy setting locally. Why go local setting first...
You should use NAP Client Configuration on a local computer when any of the following are true:
You want to use a graphical user interface to configure NAP settings on a local computer instead of using the Netsh commands for NAP client.

Your organization uses Group Policy to manage domain member client computers and you want to create an .xml configuration file that you can use to configure the NAP Group Policy settings.

You have a small number of computers that require custom configuration settings and you want to configure each computer individually.

You want to configure all of your client computers in exactly the same way, but you cannot automate or manage the configuration process by using scripts or Group Policy.
Otherwise, specific to the "GROUPS" setting, you need to have Domain Admin or equv rights to create the create a user or computer group in AD DS and then add the group as a condition in a NPS network policy as per guided in
Configure Network Policies
-Add a Network Policy
-Add a Condition to a Network Policy
-Add a Constraint to a Network Policy
-Add a Setting to a Network Policy
-Configure a Network Policy to Grant or Deny Access
-Create Policies for Dial-Up or VPN with a Wizard
-Create Policies for 802.1X Wired or Wireless with a Wizard...
https://technet.microsoft.com/en-us/library/cc732449(v=ws.10).aspx

Pardon me as I know it is hard to ingest all these
fuzzyfreakAuthor Commented:
Again, struggling to relate your information to my issue.
I am running Windows 8 machine so, yes, it is NAP capable.
btanExec ConsultantCommented:
Your AD need to create the group created for those Win8 machine in the computer group inside the Active Directory Users and Computers console. Then from the Network Policy Server console, create a new policy and under Specify Conditions, you should be able to added the created computer group. That is stated in prev posted link. Also make sure you are domain admin rights to perform these task. If throughout these steps are not possible, the setup to AD and NPS should be having some issue comms issue, then need to troubleshoot from there..
fuzzyfreakAuthor Commented:
OK, let me explain again where I am -

Group created
Network Health Policy Created and configured with above group
Right click NHP to enable, policy appears to enable but with a red X
What does that mean?
btanExec ConsultantCommented:
I supposed there are need for at least two policy configured to start the enabling e.g. need a compliant policy and non-compliant policy to enable (see "To verify network policies")
In the details pane, verify that you have at least one policy for compliant computers and one policy for noncompliant computers, and that these policies have a Status of Enabled . To enable a policy, right-click the policy name, and then click Enable . If these policies are not present...
https://msdn.microsoft.com/en-us/library/cc772246.aspx
fuzzyfreakAuthor Commented:
Right, I think I have discovered what the red X means, it simply shows a Deny.
I created a pass policy and I get a green tick on that one.
So I am afraid I do not agree that you need an opposing policy - I have another policy for our wireless network which has a pass policy with a green tick.
Having just tested this, it does not seem to work, so I need to investigate why.
btanExec ConsultantCommented:
noted - misunderstood that as disabled state. Likely for deny state, the NPS Policy Server is going to throw event id such as 6273 source "Microsoft-Windows-Security-Auditing" events when it denies access to a user, along with some verbose information about the failure.
fuzzyfreakAuthor Commented:
My test machine can still happily access network resources, yet it has no AV installed and is in the group that should deny it!
btanExec ConsultantCommented:
Also to see if event viewer at the NAP server has any log for this "success validation" since the machine can pass the policy (assuming that is in place). To enable success and failure event auditing
1.On a server running NPS, click Start, right-click Command Prompt, and then click Run as administrator.
2.At the command prompt, type auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable, and press ENTER.
For policy pass (comply all), it is 6278
For probation pass (did not meet full), it is 6277
For quarantine user, it is 6276
For denial to user, it is 6273
btanExec ConsultantCommented:
If after enabling the log and see no other event for this machine as it passes through the check then I suspect the NAP client configuration is not readily done. We will then have to work on the client NAP configuration, it is either local (Netsh command-line tool) or GPO push down (for domain member 802.1X client computers ) too.

Pardon me, I am thinking to relook at the client and server checks to syn up as well...

>For client
(i) Checklist guide the NAP configuration (either we import the setting into the machine) https://msdn.microsoft.com/en-us/library/cc732527.aspx,
(ii) one mandatory is to enable the NAP client
Under "NAPCLCFG.MSC" for that machine, the "Enforcement Clients" should already be enabled.
(iii) under Admin tool, the Network Access Protection Agent Properties also has Startup Type to Automatic.

>For server
(i) For the NPS console, the type of client system health validator (SHV) check (in Client SHV checks setting) is set to "Client passes all SHV checks" meaning must match all SHVs that are configured in the policy. This will need to be one SHV used in this health policy.
(ii) Look for Windows Security Health Validator (WSHV) that requires Windows Security Center be present on the client computer. Under this, Virus protection set to "An antivirus application is on", the WSHA on the client computer will check to see if antivirus software is running on the client computer.
(iii) All these should be inside the Network policy, which you create by adding one or more SHVs to the health policy, and add the health policy to the network policy and enable NAP enforcement in the policy. Specifically it is to In network policy conditions, add the health policy to the network policy
(iv) To configure of NAP conditions in network policy, we need to
(v) state the "Identity Type", and specify the method in which clients are identified in this policy, either DHCP, IPsec, 802.1x enforcement.
(vi) Thereafter, under "Health Policies", to state condition restricts the policy to clients that meet the health criteria in the policy.
(vii) to configure the NAP-capable Computers condition, having the "NAP-capable Computers" to apply to Only computers that are NAP-capable.
(viii) to configure the Policy Expiration condition, state the date and time when you want the network policy to expire for this testing.
Full steps in https://technet.microsoft.com/en-us/library/cc731560(v=ws.10).aspx 

Apologies, it has been lengthy ...just trying to ascertain any steps in particular we missed out..
fuzzyfreakAuthor Commented:
Thanks, I'll take a look at this next week.
fuzzyfreakAuthor Commented:
Dear btan I have been working on this all day now and I am going to try and respond to your post as best I can -

>For client
(i) Checklist guide the NAP configuration (either we import the setting into the machine) https://msdn.microsoft.com/en-us/library/cc732527.aspx,
"Right-click NAP Client Management , and then click Import" - this does not exist!
(ii) one mandatory is to enable the NAP client
Under "NAPCLCFG.MSC" for that machine, the "Enforcement Clients" should already be enabled.
I see 4 Enforcement clients and none are enabled (or refer to Health policy)
(iii) under Admin tool, the Network Access Protection Agent Properties also has Startup Type to Automatic.
I am lost here I am afraid - what admin tool?  do you mean "NAPCLCFG.MSC"?  If so, I do not see the above option, remember I am doing this on the client machine not on the server.

>For server
(i) For the NPS console, the type of client system health validator (SHV) check (in Client SHV checks setting) is set to "Client passes all SHV checks" meaning must match all SHVs that are configured in the policy. This will need to be one SHV used in this health policy.
Yes, that is set.
(ii) Look for Windows Security Health Validator (WSHV) that requires Windows Security Center be present on the client computer. Under this, Virus protection set to "An antivirus application is on", the WSHA on the client computer will check to see if antivirus software is running on the client computer.
Yes, that is set.
(iii) All these should be inside the Network policy, which you create by adding one or more SHVs to the health policy, and add the health policy to the network policy and enable NAP enforcement in the policy. Specifically it is to In network policy conditions, add the health policy to the network policy
I think I understand your grammar here and yes, this is set.
(iv) To configure of NAP conditions in network policy, we need to
(v) state the "Identity Type", and specify the method in which clients are identified in this policy, either DHCP, IPsec, 802.1x enforcement.
where do I do this?
(vi) Thereafter, under "Health Policies", to state condition restricts the policy to clients that meet the health criteria in the policy.
My Health Policy states "Client Passes All SHV Checks" WSHV is ticked.
(vii) to configure the NAP-capable Computers condition, having the "NAP-capable Computers" to apply to Only computers that are NAP-capable.
Not relevant to me as all clients are Windows 7 (or 8)
(viii) to configure the Policy Expiration condition, state the date and time when you want the network policy to expire for this testing.
Not relevant either

One thing of note is that I followed a video that told me I had to install the "Health Registration Authority" - or did I?  Even though I had everything configured, this was not installed - I have now installed it but still nothing works.

I am going to have to review this next week.
btanExec ConsultantCommented:
Thanks for sharing ... trying best too ...
=Client

..."Right-click NAP Client Management , and then click Import" - this does not exist!
...I see 4 Enforcement clients and none are enabled (or refer to Health policy)
...I am lost here I am afraid - what admin tool?  do you mean "NAPCLCFG.MSC"?  If so, I do not see the above option, remember I am doing this on the client machine not on the server.
To verify the NAP enforcement client, you can find it below.
1.Click Start, point to All Programs, click Accessories, and then click Run.
2.Type napclcfg.msc, and press ENTER.
3.Click Enforcement Clients .
You can use NAP Client Configuration console, NAP client configuration settings in Group Policy, or Netsh commands for NAP client configuration to enable and disable NAP enforcement clients. Do also see each NAP agent description (has to check which is enabled)
To deploy NAP in your organization, you must enable at least one NAP enforcement client on client computers. You might also need to enable additional enforcement clients as your network health requirements change and you want to enforce health policies through other network access mechanisms.
https://msdn.microsoft.com/en-us/library/cc770670.aspx

=Server
where do I do this?
See step (5) in https://technet.microsoft.com/en-us/library/cc731560(v=ws.10).aspx
One thing of note is that I followed a video that told me I had to install the "Health Registration Authority" - or did I?  
You need a HRA only if you use IPsec enforcement client to enforce health policies. And this requires to configure a trusted server group which is an ordered list of one or more HRA servers. The IPsec enforcement client relies on health certificates and HRA servers to enforce health policies. If you are not using the IPsec enforcement client, you do not need to configure trusted server groups.
fuzzyfreakAuthor Commented:
I am going round and round and round in circles here. Spent the best part of the day trying to make this work.  I have even tried to deny a certain group of computers access to the network but it does not enforce.  I can only assume there are other sections to this policy that I have not switched on or enabled. I am currently running through this article https://technet.microsoft.com/en-us/magazine/2009.05.goat.aspx
But I am at the section in para 18 that starts "Configure your DHCP scopes" - which you don't appear to have mentioned....anyway, it states that I can right click my scope and I will see a "Network Access Protection tab" - this is not the case. I will continue scrabbling for articles to help me implement this - I know there is something missing (I have a wireless network access policy that works fine).
btanExec ConsultantCommented:
Thought that applies if you enable client health checks when you deploy NAP with the IPsec and DHCP enforcement methods.

Checklist to Configure NAP Enforcement for DHCP under the "Enable DHCP Scopes for NAP"
https://technet.microsoft.com/en-us/library/cc772356(v=ws.10).aspx

That is as per last post to Configure NAP Enforcement Clients which has six available enforcement clients inclusive of DHCP type...pardon me if this is going round
fuzzyfreakAuthor Commented:
I am struggling to understand these Technet articles. I always have done, they are most unfriendly.
btanExec ConsultantCommented:
roger fuzzyfreak. Let hear more then from your findings ...
fuzzyfreakAuthor Commented:
It is talking about configuring a Radius Server Group - are you sure this is necessary?
fuzzyfreakAuthor Commented:
Hold up a second. You said you sent this link to me before?
I think I need to start right from the beginning here - I need a step by step guide on achieving what I wish to achieve.
btanExec ConsultantCommented:
to quote
To verify the NAP enforcement client, you can find it below.
1.Click Start, point to All Programs, click Accessories, and then click Run.
2.Type napclcfg.msc, and press ENTER.
3.Click Enforcement Clients .
You can use NAP Client Configuration console, NAP client configuration settings in Group Policy, or Netsh commands for NAP client configuration to enable and disable NAP enforcement clients. Do also see each NAP agent description (has to check which is enabled)
To deploy NAP in your organization, you must enable at least one NAP enforcement client on client computers. You might also need to enable additional enforcement clients as your network health requirements change and you want to enforce health policies through other network access mechanisms.
https://msdn.microsoft.com/en-us/library/cc770670.aspx
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28686164.html#a40877257
fuzzyfreakAuthor Commented:
As I say, I have already done that - I did it manually on the client.
btanExec ConsultantCommented:
noted i understand as shared for sanity check. back to DHCP enforcement client checks - the technet possible checklist is as shared but as you mentioned too hard to follow through...we hear more then
fuzzyfreakAuthor Commented:
I found exactly what I was after here -
http://blog.ittoby.com/2013/06/windows-2012-nap-nps-with-dhcp.html

I followed through the steps and thought I'd solved the issue but it turned out that on enabling Network Access Protection on my DHCP scope, I stopped all clients getting an IP address!!  Even though I only enabled DHCP Quarantine Enforcement on my test machine...I'll have to give this some more thought tomorrow.
btanExec ConsultantCommented:
My thought is using DHCP enforcement, as desired, the DHCP servers and NPS can enforce health policy when your client PC attempts to lease or renew an IP version 4 (IPv4) address. However, if those client PC are already configured with a static IP address or are otherwise configured to circumvent the use of DHCP, this enforcement method may not be effective and likely operational constraint (even though can leverage on GPO) to reset the PC configuration. It may need different enforcement type for different use case
-  IPsec policies for Windows Firewall on client computers.
- 802.1X port-based wired and wireless network access control.
- Terminal Server Gateway (TS Gateway) connections with Terminal Services.
- VPN with Routing and Remote Access.

(pardon me) MS TechNet listed consideration in choosing an Enforcement Method
• Infrastructure. How well does your current network support the enforcement method?
• Cost. Which aspect of your NAP deployment is more important: cost or flexibility?
• Complexity. Do you have the expertise to implement and maintain your deployment?
• Security. How secure is the enforcement method?
https://msdn.microsoft.com/en-us/library/dd125350(v=ws.10).aspx
fuzzyfreakAuthor Commented:
Hi btan, the important thing right now is to figure out why the Network Access Protection stopped all my clients from getting an IP.
btanExec ConsultantCommented:
If the client trying to receive an IP address does not pass the health validation check, it is not allowed to receive an IP address and therefore is not able to connect to the network. The event viewer should gives the message at client and server end. e.g. to check for whether the NAP client can exchange DHCP messages with a DHCP server.
https://technet.microsoft.com/en-us/magazine/2008.04.cableguy.aspx

If all of your NAP clients are experiencing problems for all types of NAP enforcement methods, there may be configuration issues on your NAP health policy servers.

If all of your NAP clients are experiencing problems with a specific NAP enforcement method, configuration issues might exist for the Group Policy settings for NAP clients or with the health requirement policies for the specific NAP enforcement method on your NAP health policy servers.

If only specific NAP clients are experiencing NAP enforcement problems, configuration issues for NAP enforcement might exist for those NAP clients.
btanExec ConsultantCommented:
Example screenshot of dhcp enforcement including the gpo, dhcp srv end checks (have minimally one scope and have dns srv setting included) and quarantine setup http://blog.windowsserversecurity.com/2011/04/18/network-access-protection-with-dhcp-step-by-step-guide/
fuzzyfreakAuthor Commented:
Hi btan, you are sending me lots of links and it is hard for me to figure out what you are referring to.
In my mind, I have already followed a good article but my completed configuration raises some questions -

1. Why did switching on NAP block mine and a colleague's machine from getting an IP address when as far as I can tell,w e are complaint AND none of us are running the DHCP Enforcement Client.
2. Why does it appear that my test machine is picking up the first part of of the Group Policy but not switching on the enforcement client part?
3. What happens if the machine needs access to the network to update its AV and MS updates?
4. How can I actually tell if a machine has been quarantined or blocked?
5. How does the auto remediation server work for non domain devices connecting to the network?

Unfortunately I am now in a situation where I cannot test this safely without the risk of blocking all clients again.
btanExec ConsultantCommented:
better to get the log to drill to error. The first link is on the troubleshooting which has steps. The second is the rationale of the configuration - so it is the same as I cannot access the other link form my machine (as lockdown). The past correspondence was already discussed and can be shelved aside since we are into the DHCP enforcement.

The questions are starting off another round into the basic again since you are asking on the existence of SHV, quarantine groups, Evaluation of health, etc. Will be more worth to go into the reading though I know it is not worthy of the effort but it seems we are all in the basic ground.
fuzzyfreakAuthor Commented:
I am now working with Microsoft on this. Without trawling back over the details on this question, I believe I had set up the NAP Policy correctly but just needed to create a group policy to switch on the DHCP Enforcement Client, otherwise when turning on NAP on DHCP,  you are blocked.
Problem now is, I am concerned that all my MAC and Linux machines are being blocked because they are non-NAP Compliant.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
Sure and I do see your points. The implication is big and to take managed risk, the single machine is desired. Not having to proof one machine is not good ground to say that it will impact all. So MS say the setting regime we gone through is appropriate as if MS say or see no wrong - I do suggest re-setup one new one to join the existing infra (supposed to be setup correctly too) for re-validate the claims as well.
fuzzyfreakAuthor Commented:
Apologies btan, struggling to understand you.
btanExec ConsultantCommented:
Hear out from MS since the step configured is assumed to be right. We can (re)setup brand new client to go through the step that they advocate - sorry for not being clear
btanExec ConsultantCommented:
pardon me as not being able to have the full solution in this long journey since it is not "doable"
fuzzyfreakAuthor Commented:
Semi resolved with MS - it seems there is no proper way to do this at all. I have now abandoned the whole idea and looking at other solutions to the problem.
btanExec ConsultantCommented:
Noted thanks for sharing
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.