20-24. Using Network Access Protection (five-step build of one diagram: Windows client, enforcement point (DHCP, VPN or switch/router), Microsoft NPS, policy servers such as patch and AV, fix-up servers, restricted network, corporate network)
1 Client requests access to the network and presents its current health state
2 DHCP, VPN or switch/router relays the health status to Microsoft Network Policy Server (RADIUS)
3 Network Policy Server (NPS) validates it against the IT-defined health policy
4 If not policy compliant, the client is put in a restricted VLAN and given access only to fix-up resources (example: a patch server) to download patches, configurations and signatures; steps 1-4 repeat until the client is compliant
5 If policy compliant, the client is granted full access to the corporate network
35. Restricting services
- SCM computes the service SID
- SCM adds that SID to the service process's token
- SCM creates a write-restricted token
- SCM removes unneeded privileges from the process token
- Service places an ACL on its resource so that only the service can write to it
37. Windows Server 2008 Services Hardening (diagram: kernel drivers and user-mode drivers, labels only; no further text recoverable)
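The five "Restricting services" steps above are applied by the SCM at service start, but the service's sidtype, its required-privilege list and the ACL on its resource are all configured by the administrator. The following is an added example, not part of the slide deck, that walks the steps for a hypothetical service named MySvc (assumed already installed, running in its own process) whose only writable data lives under C:\ProgramData\MySvc; both names are assumptions. It also computes the service SID itself (S-1-5-80- followed by the SHA-1 of the upper-cased UTF-16LE service name, read as five little-endian 32-bit sub-authorities) and checks it against what LSA reports. Run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original slides. Assumptions: a service 'MySvc'
# is installed and runs in its own process; its data directory is below.
$svc     = 'MySvc'
$dataDir = 'C:\ProgramData\MySvc'

# Step 1 (what the SCM computes): the service SID is deterministic, so the
# ACL can be written before the service has ever started.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = $sha1.ComputeHash($bytes)                      # 20 bytes
    $subs  = foreach ($i in 0..4) { [BitConverter]::ToUInt32($hash, $i * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}
$sid = Get-ServiceSid $svc
$lsaSid = (New-Object System.Security.Principal.NTAccount("NT SERVICE\$svc")).
          Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($sid -ne $lsaSid) { throw "computed $sid but LSA reports $lsaSid" }

# Steps 2 and 3: 'unrestricted' only adds the service SID to the token;
# 'restricted' additionally makes the token write-restricted, so every write
# access check must also be satisfied by the restricting SID list.
sc.exe sidtype $svc restricted

# Step 4: the list given to 'privs' is the complete set the process keeps;
# everything else the LocalSystem/NetworkService account would normally
# carry (SeDebug, SeImpersonate, ...) is stripped by the SCM at start.
sc.exe privs $svc SeChangeNotifyPrivilege

# Step 5: the service's own resource grants write (Modify) to the service SID
# only; inherited ACEs are dropped so a permissive parent cannot leak in.
New-Item -ItemType Directory -Force -Path $dataDir | Out-Null
icacls $dataDir /inheritance:r /grant:r `
    "SYSTEM:(OI)(CI)F" `
    "BUILTIN\Administrators:(OI)(CI)F" `
    "NT SERVICE\$($svc):(OI)(CI)M"

# Verify what the SCM will apply at the next start, then restart.
sc.exe qsidtype $svc
sc.exe qprivs   $svc
icacls $dataDir
Restart-Service -Name $svc
```

Caveat when reading the result: the restricting SID list of a write-restricted token also contains Everyone, the logon SID and NT AUTHORITY\WRITE RESTRICTED, so objects whose DACL grants write access to Everyone remain writable by the hardened service; the protection comes from giving the service's own resources ACEs for NT SERVICE\<name> only, as above, not from the token by itself.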
47. Terminal Services Gateway (diagram: remote clients at a hotel, at home, at a business partner or client site, and on roaming wireless tunnel RDP over HTTPS across the Internet to the Terminal Services Gateway server in the perimeter network, between the external and internal firewalls; the gateway forwards the sessions to the terminal servers and e-mail server on the corporate LAN)