Your network contains a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are 1,000 client computers that run Windows 7 and that are connected to managed switches. You need to recommend a strategy for network access that meets the following requirements:
Users are unable to bypass network access restrictions.
Only client computers that have up-to-date service packs installed can access the network.
Only client computers that have up-to-date antimalware software installed can access the network.
What should you recommend?
A.
Implement Network Access Protection (NAP) that uses DHCP enforcement.
B.
Implement Network Access Protection (NAP) that uses 802.1x enforcement.
C.
Implement a Network Policy Server (NPS), and enable IPsec on the domain controllers.
D.
Implement a Network Policy Server (NPS), and enable Remote Authentication Dial-In User Service (RADIUS) authentication on the managed switches.
Answer: B
Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Integration with Network Access Protection (NAP)
System Center Configuration Manager 2007 lets your organization enforce compliance of software updates on client computers. This helps protect the integrity of the corporate network through integration with the Microsoft Windows Server 2008 NAP policy enforcement platform. NAP policies enable you to define which software updates to include in your system health requirements. If a client computer attempts to access your network, NAP and System Center Configuration Manager 2007 work together to determine the client's health state compliance and determine whether the client is granted full or restricted network access. If the client is noncompliant, System Center Configuration Manager 2007 can deliver the necessary software updates so that the client can meet system health requirements and be granted full network access.
Restrict network access
System Center Configuration Manager 2007 NAP enables you to include software updates in your system health requirements. NAP policies define which software updates need to be included, and the System Center Configuration Manager 2007 System Health Validator point passes the client's compliant or noncompliant health state to the Network Policy Server, which determines whether to grant the client full or restricted network access. Noncompliant clients can be automatically brought into compliance through remediation. This requires the System Center Configuration Manager 2007 software updates feature to be configured and operational.
NAP Enforcement Methods
When a computer is found to be noncompliant with the enforced health policy, NAP enforces limited network access. This is done through an Enforcement Client (EC). Windows Vista, Windows XP Service Pack 3, and Windows Server 2008 include NAP EC support for IPsec, IEEE 802.1X, Remote Access VPN, and DHCP enforcement methods. Windows Vista and Windows Server 2008 also support NAP enforcement for Terminal Server Gateway connections.
NAP enforcement methods can either be used individually or can be used in conjunction with each other to limit the network access of computers that are found not to be in compliance with configured health policies. For example, you can apply the remote access VPN and IPsec enforcement methods together to ensure that internal clients and clients coming in from the Internet are only granted access to resources if they meet the appropriate client health benchmarks.
802.1X NAP Enforcement
802.1X enforcement makes use of authenticating Ethernet switches or IEEE 802.11 wireless access points. These switches and access points only grant unlimited network access to computers that meet the compliance requirement. Computers that do not meet the compliance requirement are limited in their communication by a restricted access profile. Restricted access profiles work by applying IP packet filters or VLAN (Virtual Local Area Network) identifiers. This means that hosts that have the restricted access profile are allowed only limited network communication. This limited network communication generally allows access to remediation servers. Because the restriction is applied by the switch port or access point rather than on the client, a user cannot bypass it by changing local settings, which is what makes 802.1X the right choice when users must be unable to bypass network access restrictions. You will learn more about remediation servers later in this lesson.
An advantage of 802.1X enforcement is that the health status of clients is constantly assessed. Connected clients that become noncompliant will automatically be placed under the restricted access profile. Clients under the restricted access profile that become compliant will have that profile removed and will be able to communicate with other hosts on the network in an unrestricted manner. For example, suppose that a new antivirus update comes out. Clients that have not installed the update are put under a restricted access profile until the new update is installed. Once the new update is installed, the clients are returned to full network access.
A Windows Server 2008 computer with the Network Policy Server role is necessary to support 802.1X NAP enforcement. It is also necessary to have switch and/or wireless access point hardware that is 802.1X-compliant. Client computers must be running Windows Vista, Windows Server 2008, or Windows XP Service Pack 3 because these operating systems include the EAPHost EC; Windows 7 and Windows Server 2008 R2, as used in the question above, include it as well.
MORE INFO 802.1X enforcement step-by-step
For more detailed information on implementing 802.1X NAP enforcement, consult the following Step-by-Step guide on TechNet: http://go.microsoft.com/fwlink/?LinkId=86036.
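The client side of the 802.1X enforcement described above, as an added example that is not part of the training kit or the exam: it prepares a Windows 7 client so that it can authenticate to the switch and report its health, and then lists which NAP enforcement clients are initialised. It assumes an elevated PowerShell session on a domain-joined Windows 7 client and that NPS, the health policies and the switch are already configured; the enforcement client IDs are the ones Windows registers, but the line layout of `netsh nap client show state` that `Get-NapEnforcementClientState` parses is assumed from typical output and may need adjusting.

```powershell
# Added example (not from the training kit): prepare a Windows 7 client for
# 802.1X NAP enforcement and report enforcement client state.
# Assumptions: elevated PowerShell on a domain-joined Windows 7 client; the
# NPS side and the 802.1X-capable switch are already configured.

# NAP enforcement client IDs as registered in Windows 7 / Server 2008.
$NapEnforcementClients = @{
    79617 = 'DHCP Quarantine Enforcement Client'
    79618 = 'Remote Access Quarantine Enforcement Client'
    79619 = 'IPsec Relying Party'
    79621 = 'TS Gateway Quarantine Enforcement Client'
    79623 = 'EAP Quarantine Enforcement Client'   # the EC used by 802.1X
}

function Enable-Nap8021xClient {
    # The NAP agent collects the statements of health from the SHAs;
    # nothing is reported to NPS while it is stopped.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    # Wired AutoConfig is the 802.1X supplicant for Ethernet. It is set to
    # Manual by default on Windows 7, so a client on an authenticating switch
    # port never even authenticates unless it is running.
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc

    # Enable the EAP enforcement client locally. In a 1,000-seat deployment
    # this comes from Group Policy (Computer Configuration > Policies >
    # Windows Settings > Security Settings > Network Access Protection) so
    # that users cannot switch it off.
    netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to enable enforcement client 79623" }
}

function Get-NapEnforcementClientState {
    # Turn the text of 'netsh nap client show state' into objects so it can
    # be filtered or logged. Assumed layout: an "Id = <n>" line followed
    # later by an "Initialized = Yes|No" line for each enforcement client.
    $current = $null
    foreach ($line in (netsh nap client show state)) {
        if ($line -match '^\s*Id\s*=\s*(\d+)') {
            $current = [int]$Matches[1]
        } elseif ($current -and $line -match '^\s*Initialized\s*=\s*(\w+)') {
            # New-Object keeps this working on the PowerShell 2.0 that ships
            # with Windows 7 (no [pscustomobject] accelerator there).
            New-Object PSObject -Property @{
                Id          = $current
                Name        = $NapEnforcementClients[$current]
                Initialized = ($Matches[1] -eq 'Yes')
            }
            $current = $null
        }
    }
}

Enable-Nap8021xClient
Get-NapEnforcementClientState | Sort-Object Id | Format-Table Id, Name, Initialized -AutoSize
```

Only the EAP enforcement client (79623) needs to be enabled for option B; leaving the DHCP enforcement client (79617) enabled does no harm, but DHCP enforcement on its own would not satisfy the "unable to bypass" requirement, since a user with local administrator rights can simply assign a static IP address.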