Enabling the System Health Validator for Microsoft Network Policy Server

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Network Access Protection (NAP) is a policy enforcement technology in the Enterprise, Datacenter, and Standard editions of the Windows Server 2008 operating system. NAP provides components and an application programming interface (API) that help administrators enforce compliance with health requirements for network access and communication. Microsoft Network Policy Server (NPS) provides centralized health policy configuration and evaluation of the health state of the NAP client.

In order for Stirling to work with NAP, you need to enable the Microsoft Forefront System Health Validator (SHV) in the NPS console. Deploying NAP with Stirling is optional.

This section provides instructions on enabling the Forefront SHV on an existing NPS server. Before completing the tasks in this section, you need to complete the following tasks:

  • Install Stirling.
  • Set up your NAP environment on a computer running the Enterprise, Datacenter, or Standard edition of Windows Server 2008. The computer must be in the same domain as the Stirling server. For instructions on setting up NAP, see Network Access Protection (https://technet.microsoft.com/en-us/network/bb545879.aspx). For this beta release, use Dynamic Host Configuration Protocol (DHCP) enforcement instead of Internet Protocol security.
  • Ensure that your client computers meet the minimum NAP system requirements.

To enable the Forefront SHV and deploy NAP policy to client computers

  1. Using an account that has local administrative privileges, log on to the computer where you installed NPS services.

  2. Insert the Microsoft Forefront codename Stirling CD into the CD drive.

  3. On the CD, browse to the directory that contains the NAP server setup program for Stirling:

    For NAP server setup for Stirling x64 edition, use the following location:

    CD Drive \Forefront codename Stirling & Next Generation FCS\x64\npsserver

    For NAP server setup for Stirling x86 edition, use the following location:

    CD Drive \Forefront codename Stirling & Next Generation FCS\x86\npsserver

  4. Double-click napserver.msi. The setup program installs the Forefront SHV and registers it with NPS services.

  5. On the NPS console, enable and test the Forefront SHV by creating a NAP policy that uses the Forefront SHV, and then confirm the results. For more information, see Network Policy Server (https://technet2.microsoft.com/windowsserver2008/en/library/d80d8fd1-388f-49e1-8b32-855cf8fda1371033.mspx?mfr=true).

  6. Set up Stirling client computers, and then deploy a policy, as described in Deploying Stirling client components.

    When you configure the settings for your policy, first ensure that NAP is globally enabled for Stirling, and then configure NAP requirements for additional policy units, as desired. NAP is globally enabled by default. For instructions on enabling NAP if it has been disabled, see Configuring global NAP settings in the Stirling console.

    Under Client Security, you can configure additional NAP settings for the following policy units:

    • In the Anti-Malware section, in the Network Access Protection policy unit.
    • In the Security Updates section.
    • In the Security State Assessment section, in the Services, Data Execution Prevention, File System Management, Internet Explorer Security, Microsoft Office Security, User Account Control, and Account Management policy units.
    • In the Firewall section, in the Network Access Protection for "Stirling" policy unit.

    For more information about the settings you can configure in each policy unit, see the Stirling Operations Guide (https://go.microsoft.com/fwlink/?LinkID=110489).
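As an added example (not part of this documentation and not a tool shipped with Stirling or NPS), the following PowerShell script performs steps 3 and 4 of the procedure above without the GUI: it selects the x64 or x86 napserver.msi from the CD paths listed above, runs the installer unattended with a verbose log, checks the exit code, and confirms that the NPS service is running before you create the NAP policy in step 5. The CD drive letter, the log file location, and the NPS service name (IAS) are assumptions; set the drive letter to match your server.

```powershell
# Added example, not from the Stirling documentation: unattended install of the
# Forefront SHV on an NPS server. Assumptions: $CdDrive is a placeholder drive
# letter you must set; the folder names follow the paths in the procedure above;
# the NPS service is registered under the service name IAS.

param(
    [string]$CdDrive = 'D:',                              # placeholder: your CD drive letter
    [string]$LogPath = "$env:TEMP\napserver-install.log"  # assumed log location
)

# Choose the package that matches the OS architecture (AMD64 -> x64 folder, otherwise x86).
$arch = if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { 'x64' } else { 'x86' }
$msi  = Join-Path $CdDrive "Forefront codename Stirling & Next Generation FCS\$arch\npsserver\napserver.msi"

if (-not (Test-Path -LiteralPath $msi)) {
    throw "Setup package not found: $msi"
}

# Run msiexec non-interactively: /i install, /qn no UI, /l*v verbose log for troubleshooting.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$msi`"", '/qn', '/l*v', "`"$LogPath`"") `
    -Wait -PassThru

# Exit code 0 is success; 3010 is success with a reboot required.
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    throw "napserver.msi failed with exit code $($proc.ExitCode); see $LogPath"
}

# Setup registers the SHV with NPS; confirm the NPS service itself is running.
$nps = Get-Service -Name 'IAS' -ErrorAction Stop
if ($nps.Status -ne 'Running') {
    Write-Warning "NPS service is $($nps.Status); start it before creating the NAP policy."
}

Write-Output "Forefront SHV installed from $msi (exit code $($proc.ExitCode)); log: $LogPath"
```

Run the script from an elevated PowerShell session on the NPS server; if it reports exit code 3010, restart the server before continuing with step 5.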

Configuring global NAP settings in the Stirling console

By default, when you enable the Forefront SHV, the NAP global policy setting is enabled. When the global setting is enabled, Stirling enforces any NAP requirements you set for each additional policy unit. If you disable the global NAP setting, Stirling does not enforce the NAP settings you have configured on individual policy units. You set the global NAP setting in the Network Access Policy section of the Stirling console. This section also provides a summary of the NAP settings in your Stirling deployment.

To globally enable or disable NAP for all policy units in the Stirling console

  1. Using an account that has Stirling console and server administrative privileges, log on to the computer where you installed the Stirling console.

  2. Click Start, point to All Programs, point to Microsoft Forefront, and then click Microsoft Forefront codename 'Stirling'. The console displays the logon page.

  3. In the Management server name box, enter the name of the Stirling server. If you are running the console on the same computer where you installed the Stirling server, you can enter localhost; otherwise, enter the name of the computer running the Stirling server, or click Browse to locate the server manually.

  4. Select the Policy Management view. The policy tree appears. If the policy tree is not visible in the left pane, click the Policy Deployment icon (the top icon in the left pane).

  5. In the left pane, in the tree, click the All Settings tab, expand Client Security, and then click the Network Access Protection node.

  6. To globally enable NAP, select Enable policy settings that restrict network access. To globally disable NAP, select Do not enforce policy settings that restrict network access. When you are finished, click OK.

Other Resources

Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab