Wednesday, January 25, 2012

Using Network Access Protection

Network Access Protection (NAP) has become the standard when protecting your environment. It is not just a policy to restrict infected computers from the network, but a policy to encourage computers to comply with security and health requirement policies and to reduce the risk of malware spreading. Non-compliant clients can be restricted from accessing intranet resources or communicating with compliant computers. Using NAP, IT administrators can require client computers to be healthy and to comply with corporate health requirement policies. For example, client computers can obtain a full connection to the intranet only if they have recent security updates, anti-malware definitions, and other security settings.

Using NAP requires that NAP-enabled clients submit a health certificate for authentication when creating the initial connection with the Network Policy server. The health certificate contains the computer’s identity and proof of system health compliance. A NAP-enabled client obtains a health certificate by submitting its health state information, either to a Health Registration Authority (HRA) that is located on the Internet, or to an internal HRA server accessible using the infrastructure tunnel.

By using NAP, a non-compliant client computer that becomes infected with malware can still connect to all the specified management servers (for example, DNS, DC, HRA, and remediation servers) through the infrastructure tunnel, but it cannot connect to any other intranet resources. Access to the remediation servers is crucial to remediate the non-compliant state of the client.
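The access decision described above can be sketched as a small model. This is an added example, not code from the original post or from Microsoft: real NAP health certificates are X.509 certificates issued through the HRA, and the HMAC signature, key, thresholds, lifetime and the firewall check used here are assumptions chosen to keep the model self-contained.

```python
import hashlib
import hmac
import json

HRA_KEY = b"constructed-demo-key"      # assumption: stands in for the HRA's signing key
MANAGEMENT_SERVERS = {"dns", "dc", "hra", "remediation"}  # reachable via infrastructure tunnel
MAX_DEFINITION_AGE_DAYS = 7            # assumed policy threshold
CERT_LIFETIME_SECONDS = 4 * 3600       # assumed certificate lifetime

def evaluate_health(state):
    """Return the health requirements the reported state fails."""
    failures = []
    if not state.get("security_updates_current"):
        failures.append("security_updates")
    if state.get("antimalware_definition_age_days", 999) > MAX_DEFINITION_AGE_DAYS:
        failures.append("antimalware_definitions")
    if not state.get("firewall_enabled"):   # assumed example of "other security settings"
        failures.append("firewall")
    return failures

def _sign(body):
    return hmac.new(HRA_KEY, body.encode(), hashlib.sha256).hexdigest()

def hra_issue_certificate(computer, state, now):
    """HRA side: issue a health certificate only to a compliant client."""
    failures = evaluate_health(state)
    if failures:
        return None, failures
    body = json.dumps({"computer": computer, "healthy": True,
                       "expires": now + CERT_LIFETIME_SECONDS}, sort_keys=True)
    return {"body": body, "sig": _sign(body)}, []

def policy_server_allows(cert, computer, destination, now):
    """Policy side: full access needs a valid, unexpired certificate for this computer."""
    if destination in MANAGEMENT_SERVERS:
        return True                    # always reachable so the client can remediate
    if cert is None:
        return False
    if not hmac.compare_digest(_sign(cert["body"]), cert["sig"]):
        return False                   # altered or forged certificate
    claims = json.loads(cert["body"])
    return (claims["computer"] == computer and claims["healthy"]
            and claims["expires"] > now)
```

The model makes two properties of the design visible: a certificate is bound to one computer identity and expires, so a client has to keep proving its health, and the management servers stay reachable regardless of health state so that remediation is always possible.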

The video installation tutorial and lab is available for viewing at

By: Adnan Cartwright

Thursday, January 5, 2012

Some New Features of a Windows 8 Environment

We took a little time in the lab to identify some of the new features that are included in the Developer Preview of Windows Server, so we configured a small lab, detailed below in Figure 1.

Figure 1

This early release of the new Windows Server looks promising. The ease of configuration and navigation was instantly recognized, even by our newly added IT Professionals. The Server Manager has been outfitted with a new dashboard, as shown in Figure 2.

Figure 2

Server Manager is where Network Administrators will be spending most of their time when installing, configuring and evaluating a network. So what’s new in Server Manager and why the big hype? For starters, you can perform tasks on multiple servers at one time, deploy roles and features remotely, get the current status of your servers and roles, add remote servers and create custom server groups. This gives an Admin more control over the environment that they are managing.

Adding a role in the Developer Preview of Server can be easily navigated even if you have never used Server 2008 or Server 2008 R2 before. There is now a pool that identifies the servers on your network that you have added. As you can see in Figure 3, we have only our PDC ready to go so far.

Figure 3

The same list of roles is readily available, with the Volume Activation Service and Remote Desktop Services newly added. Figure 4 shows an outline of the roles available to install in this release.

Figure 4

The features that are now available are too numerous to mention. Seeing is believing, and pictures are worth more than a thousand words. Figures 5 and 6 show the complete list of features.

Figure 5

Figure 6

The installation is straightforward, and once it is completed the role that has been installed needs to be configured. We just could not get over the ease of the navigation. The walkthrough is so easy that a newbie to Active Directory Domain Services. We are still eager to know what functionality the Windows Server 8 functional level brings and will keep you posted. The Best Practices Analyzer (BPA) has been added to the role installation wizard. The job of this tool is to verify that all necessary and required components are in place before the role goes on to be installed. If this feature is kept in the final version, it will prove to be a valuable asset for ensuring that roles are set up and configured correctly. Figure 7 shows the prerequisite check for the Active Directory install.

Figure 7

Installing a role from any server to any server is indeed a nice new feature, given the Server Core installations in a branch office. The addition and removal of roles can be done once the servers of choice have been added to the Server Manager group. This feature will prove to be very helpful when managing different boxes. At the time of this review only Windows Developer computers were able to utilize this feature. Server 2008 R2 and below cannot. I am hoping that they add it to the final version. Figures 8-11 show DC1 preparing MEM1 for role install and completion.

Figure 8

Figure 9

Figure 10

Figure 11

As seen in Figure 11, the post-installation configuration of a role can be done from the remote computer, and Figure 12 shows the final result on MEM1 with DHCP and NPS ready to go.

Figure 12

So far we can expect some great new features to make our admin job a little less stressful and more productive. Be on the lookout for Windows Server Developer Preview NAP enforcement of a Windows 8 client.

By Adnan Cartwright
Florida IT Server Group