What should you include in your plan?

Your network consists of a single Active Directory domain. The network is located on the 172.16.0.0/23 subnet.

The company hires temporary employees. You provide user accounts and computers to the temporary employees. The temporary employees receive computers that are outside the Active Directory domain. The temporary employees use their computers to connect to the network by using wired connections and wireless connections.
The company’s security policy specifies that the computers connected to the network must have the latest updates for the operating system.
You need to plan the network’s security so that it complies with the company’s security policy.

What should you include in your plan?


A. Implement a Network Access Protection (NAP) strategy for the 172.16.0.0/23 subnet.

B. Create an extranet domain within the same forest. Migrate the temporary employees’ user accounts to the extranet domain. Install the necessary domain resources on the 172.16.0.0/23 subnet.

C. Move the temporary employees’ user accounts to a new organizational unit (OU). Create a new Group Policy object (GPO) that uses an intranet Microsoft Update server. Link the new GPO to the new OU.

D. Create a new subnet in a perimeter network. Relocate the wireless access point to the perimeter network. Require authentication through a VPN server before allowing access to the internal resources.

Explanation:
http://technet.microsoft.com/en-us/library/dd125338%28WS.10%29.aspx

Network Access Protection Design Guide

Updated: October 6, 2008

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Network Access Protection (NAP) is one of the most anticipated features of the Windows Server 2008 operating system. NAP is a new platform that allows network administrators to define specific levels of network access based on a client's identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation) and then dynamically increasing its level of network access. NAP is supported by Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista, and Windows XP with Service Pack 3 (SP3). NAP includes an application programming interface that developers and vendors can use to integrate their products and leverage this health state validation, access enforcement, and ongoing compliance evaluation. For more information about the NAP API, see Network Access Protection (http://go.microsoft.com/fwlink/?LinkId=128423).

The following are key NAP concepts:
NAP Agent. A service included with Windows Server 2008, Windows Vista, and Windows XP with SP3 that collects and manages health information for NAP client computers.

NAP client computer. A computer that has the NAP Agent service installed and running, and is providing its health status to NAP server computers.

NAP-capable computer. A computer that has the NAP Agent service installed and running and is capable of providing its health status to NAP server computers. NAP-capable computers include computers running Windows Server 2008, Windows Vista, and Windows XP with SP3.

Non-NAP-capable computer. A computer that cannot provide its health status to NAP server components. A computer that has NAP agent installed but not running is also considered non-NAP-capable.

Compliant computer. A computer that meets the NAP health requirements that you have defined for your network. Only NAP client computers can be compliant.

Noncompliant computer. A computer that does not meet the NAP health requirements that you have defined for your network. Only NAP client computers can be noncompliant.

Health status. Information about a NAP client computer that NAP uses to allow or restrict access to a network. Health is defined by a client computer’s configuration state. Some common measurements of health include the operational status of Windows Firewall, the update status of antivirus signatures, and the installation status of security updates. A NAP client computer provides health status by sending a message called a statement of health (SoH).

NAP health policy server. A NAP health policy server is a computer running Windows Server 2008 with the Network Policy Server (NPS) role service installed and configured for NAP. The NAP health policy server uses NPS policies and settings to evaluate the health of NAP client computers when they request access to the network, or when their health state changes. Based on the results of this evaluation, the NAP health policy server instructs whether NAP client computers will be granted full or restricted access to the network.


