About Me

Mansoura, Egypt
An ambitious person with the ability to confront and solve difficult problems, and to study hard to reach the highest levels.

Monday, 31 October 2011

NAP VPN ENFORCEMENT LAB

3 machines: DC + VPN server (domain member) + client (workgroup)

LAB Steps :-
1- Add an Enterprise Root CA on the DC.
2- Certificate Templates --- right-click -- Manage -- Computer -- Properties -- Security -- Read + Enroll --- OK.
3- On VPN -- MMC -- Certificates [Computer] --- Request New Certificate.
4- On VPN ----- Add Roles ----- Network Policy and Access Services ------------- choose NPS + RRAS [Routing and Remote Access] --- OK
5- Start ----- Programs ------ Administrative Tools -------- open Network Policy Server.
Windows Security Health Validator ----- Default Configuration --- allow only Firewall + clear all other settings.
Policies --- Health Policies -- create 2 policies
Compliant --- client passes all SHV checks + select ...
Non Compliant --- client fails one or more SHV checks + select ....
Network Policies --- disable the defaults --- NEW
** compliant full access --- condition "Health Policy" [compliant] ---- access granted --- allow full access ---- finish
** non compliant - limited access ----- condition "Health Policy" [non compliant] --- limited access + uncheck "Enable auto-remediation".
IP Filters ----- Input + Output "allow for one PC" (the DC only)
Input filters --- new Destination Network --- Add -- DC IP / 32-bit mask --- Permit only --- OK
Output filters --- new Source Network --- Add -- DC IP / 32-bit mask --- Permit only -- OK ---- then finish the policy

Connection request policy --- disable default --- create NEW
name ---- type[VPN] ---- condition "tunnel type" select pptp+l2tp+sstp --- auth method [override] --- EAP types --- add --- MS protected EAP + MS Secured password ... -- ok
MS protected EAP --- Edit -- ensure --- Enforce network access protection is selected ----- finish

NOW -- configure RRAS --- VPN --- finish  ---- then  go to NPS --- connection request policies  ------- disable MS RRAS + MOVE our policy into the  TOP ***

Administrative Tools --------- Windows Firewall with Advanced Security ------ create Inbound Rule ------- ICMPv4 [Echo Request] ------ Finish

Client :-
** Export the CA cert --- import it into the computer's Trusted Root Certification Authorities store [MMC]
1- Run --- napclcfg.msc --- Enforcement Clients -- EAP Quarantine Enforcement Client --- Enable.
2- gpedit.msc ---- Administrative Templates --- Windows Components --- Security Center -- Turn on Security Center
3- Run --- services.msc --- Network Access Protection Agent --- startup type Automatic + Start
4- Create the VPN connection --- Finish ---- Properties --- Security ----- Authentication ---- Use EAP
Microsoft: Protected EAP [PEAP] (encryption enabled) --- Properties --- uncheck "connect to these ..." + check "Enforce Network Access Protection"
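A quick way to confirm client steps 1-3 took effect before dialling the VPN; this is an added check script, not part of the lab notes, and it assumes an elevated PowerShell on the client, the service names napagent (NAP Agent) and wscsvc (Security Center), enforcement client id 79623 for the EAP Quarantine Enforcement Client, and the "Id =" / "Admin =" field names that netsh nap client show configuration prints.

```powershell
# Added example: verify the NAP client prerequisites from steps 1-3 above.
# Assumptions (not from the lab notes): elevated session; service names
# 'napagent' and 'wscsvc'; EAP enforcement client id 79623; netsh output
# containing "Id = <n>" and "Admin = Enabled|Disabled" per enforcement client.

function Test-NapClientReadiness {
    $results = @()

    # Step 3: NAP Agent service must be set to Automatic and be running.
    $nap      = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $napStart = (Get-WmiObject Win32_Service -Filter "Name='napagent'").StartMode
    $results += New-Object PSObject -Property @{
        Check  = 'NAP Agent service (napagent)'
        Ok     = [bool]($nap -and $nap.Status -eq 'Running' -and $napStart -eq 'Auto')
        Detail = "status=$($nap.Status) startmode=$napStart"
    }

    # Step 2: Security Center must be running, otherwise the Windows SHA
    # cannot report the firewall state and the client is treated as non-compliant.
    $wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    $results += New-Object PSObject -Property @{
        Check  = 'Security Center service (wscsvc)'
        Ok     = [bool]($wsc -and $wsc.Status -eq 'Running')
        Detail = "status=$($wsc.Status)"
    }

    # Step 1: EAP Quarantine Enforcement Client must be administratively enabled.
    # The regex stays inside the 79623 block: it stops before the next "Id =" entry.
    $config = (netsh nap client show configuration) -join "`n"
    $eapOn  = $config -match '(?s)Id\s*=\s*79623(?:(?!Id\s*=).)*?Admin\s*=\s*Enabled'
    $results += New-Object PSObject -Property @{
        Check  = 'EAP Quarantine Enforcement Client (79623)'
        Ok     = [bool]$eapOn
        Detail = if ($config -match 'Id\s*=\s*79623') { 'listed' } else { 'not listed by netsh' }
    }

    $results
}

Test-NapClientReadiness | Select-Object Check, Ok, Detail | Format-Table -AutoSize
```

Any row with Ok = False points at the client step that still needs to be redone before the VPN test; once all three are True, a failed health check is down to the SHV/policy side on the NPS.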



