70_642_part2


Chapter 8: Configuring Windows Firewall and Network Access Protection

Exercise 3: Configure NAP Client Group Policy Settings

After configuring the NPS server, you must configure client computers for NAP by following these steps:

1. Click Start, Administrative Tools, and then Group Policy Management. The Group Policy Management console appears.
2. Right-click Group Policy Management\Forest\Domains\<Domain Name>\Default Domain Policy, and then click Edit. The Group Policy Management Editor console appears.
3. Select the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients node.
4. In the Details pane, double-click DHCP Quarantine Enforcement Client. Select the Enable This Enforcement Client check box, and then click OK.
5. Select the Computer Configuration\Policies\Windows Settings\System Services node. Then, in the Details pane, double-click Network Access Protection Agent. Select the Define This Policy Setting check box, and then select Automatic. Click OK.
6. Select the Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center node. In the Details pane, double-click Turn On Security Center. Select Enabled, and then click OK.

Exercise 4: Test a Noncompliant Client

In this exercise, you will connect a noncompliant computer to the network and determine whether it receives an IP address intended for compliant or noncompliant computers.

1. On Boston, open a command prompt with administrative credentials and run the command gpupdate /force. This retrieves the updated Group Policy settings from the domain controller, verifying that the changes you made for NAP clients are applied correctly. Verify that the Network Access Protection Agent service is started.
2. On Boston, run the command netsh nap client show state to verify that the DHCP Quarantine enforcement agent is enabled. If it is not, run the command netsh nap client set enforcement 79617 enable to manually enable it.
3. Disable any DHCP servers other than Dcsrv1. If you are using virtual machines, you can create a virtual network and connect both Dcsrv1 and Boston to the virtual network.
4. Connect Boston to the same network as Dcsrv1.
5. On Boston, open a command prompt with administrative privileges. Then, run the following commands to retrieve new IP address settings from the DHCP server:

   ipconfig /release
   ipconfig /renew
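The checks in steps 1 and 2 of Exercise 4 can be scripted so that a client reports its NAP readiness before you renew its DHCP lease. The following PowerShell script is an added example, not part of the original exercise. It assumes English-language netsh output in which each enforcement client is listed as "Id = <number>" followed by an "Initialized = Yes/No" line, and the function names are hypothetical.

```powershell
# Added example: verify the NAP client prerequisites from steps 1 and 2.
# Run in an elevated PowerShell session on the client (Boston in the exercise).

$DhcpEnforcementId = '79617'   # DHCP Quarantine Enforcement Client ID, from step 2

function Test-NapAgentService {
    # 'napagent' is the short name of the Network Access Protection Agent service.
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }
    return $svc.Status -eq 'Running'
}

function Test-EnforcementClientEnabled {
    param([string[]]$StateOutput, [string]$Id)
    # Assumed layout: an "Id = <n>" line opens each client's block, and an
    # "Initialized = Yes|No" line inside that block gives its state.
    $inBlock = $false
    foreach ($line in $StateOutput) {
        if ($line -match '^\s*Id\s*=\s*(\d+)\s*$') {
            # A new block starts; track whether it is the one we want.
            $inBlock = ($Matches[1] -eq $Id)
        } elseif ($inBlock -and $line -match '^\s*Initialized\s*=\s*(\w+)') {
            return $Matches[1] -eq 'Yes'
        }
    }
    return $false   # ID not listed or no state line: treat as not enabled
}

# Step 1: refresh Group Policy, then confirm the agent service is started.
gpupdate /force | Out-Null
if (-not (Test-NapAgentService)) {
    Write-Warning 'Network Access Protection Agent is not running; starting it.'
    Start-Service -Name napagent
}

# Step 2: confirm the DHCP enforcement client is enabled; enable it if not.
$state = netsh nap client show state
if (Test-EnforcementClientEnabled -StateOutput $state -Id $DhcpEnforcementId) {
    Write-Output 'DHCP Quarantine Enforcement Client is enabled.'
} else {
    Write-Warning 'DHCP Quarantine Enforcement Client is not enabled; enabling it.'
    netsh nap client set enforcement $DhcpEnforcementId enable
}
```

If the script has to start the service or enable the enforcement client by hand, the Group Policy settings from Exercise 3 did not reach the client, which is worth investigating before you continue.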

