What should you recommend?

Your network contains a single Active Directory domain. All domain controllers run Windows Server
2008 R2. There are 1,000 client computers that run Windows 7 and that are connected to managed
switches. You need to recommend a strategy for network access that meets the following
requirements:
·Users are unable to bypass network access restrictions.
·Only client computers that have up-to-date service packs installed can access the network.
·Only client computers that have up-to-date antimalware software installed can access the network.
What should you recommend?


A.
Implement Network Access Protection (NAP) that uses DHCP enforcement.

B.
Implement Network Access Protection (NAP) that uses 802.1x enforcement.

C.
Implement a Network Policy Server (NPS), and enable IPsec on the domain controllers.

D.
Implement a Network Policy Server (NPS), and enable Remote Authentication Dial-In User Service
(RADIUS) authentication on the managed switches.

Explanation:

MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
■ Integration with network access protection (NAP): System Center Configuration Manager 2007 lets
your organization enforce compliance of software updates on client computers. This helps protect
the integrity of the corporate network through integration with the Microsoft Windows Server 2008
NAP policy enforcement platform. NAP policies enable you to define which software updates to
include in your system health requirements. If a client computer attempts to access your network,
NAP and System Center Configuration
Manager 2007 work together to determine the client’s health state compliance and determine
whether the client is granted full or restricted network access. If the client is noncompliant, System
Center Configuration Manager 2007 can deliver the necessary software updates so that the client
can meet system health requirements and be granted full network access.
■ Restrict network access: System Center Configuration Manager 2007 NAP enables you to include
software updates in your system health requirements. NAP policies define which software updates
need to be included, and the System Center Configuration Manager 2007 System Health Validator
point passes the client’s compliant or noncompliant health state to the Network Policy Server, which
determines whether to grant the client full or restricted network access. Noncompliant clients can
be automatically brought into compliance through remediation. This requires the System Center
Configuration Manager 2007 software updates feature to be configured and operational.
NAP Enforcement Methods
When a computer is found to be noncompliant with the enforced health policy, NAP enforces limited
network access. This is done through an Enforcement Client (EC). Windows Vista, Windows XP
Service Pack 3, and Windows Server 2008 include NAP EC support for IPsec, IEEE 802.1X, Remote
Access VPN, and DHCP enforcement methods. Windows Vista and Windows Server 2008 also
support NAP enforcement for Terminal Server Gateway connections.
NAP enforcement methods can either be used individually or can be used in conjunction with each
other to limit the network access of computers that are found not to be in compliance with
configured health policies. Hence you can apply the remote access VPN and IPsec enforcement
methods to ensure that internal clients and clients coming in from the Internet are only granted
access to resources if they meet the appropriate client health benchmarks.
802.1X NAP Enforcement
802.1X enforcement makes use of authenticating Ethernet switches or IEEE 802.11 Wireless Access
Points.
These compliant switches and access points only grant unlimited network access to computers that
meet the compliance requirement. Computers that do not meet the compliance requirement are
limited in their communication by a restricted access profile. Restricted access profiles work by
applying IP packet filters or VLAN (Virtual Local Area Network) identifiers. This means that hosts that
have the restricted access profile are allowed only limited network communication. This limited
network communication generally allows access to remediation servers. You will learn more about
remediation servers later in this lesson.
An advantage of 802.1X enforcement is that the health status of clients is constantly assessed.
Connected clients that become noncompliant will automatically be placed under the restricted
access profile. Clients under the restricted access profile that become compliant will have that
profile removed and will be able to communicate with other hosts on the network in an unrestricted
manner. For example, suppose that a new antivirus update comes out. Clients that have not installed
the update are put under a restricted access profile until the new update is installed. Once the new
update is installed, the clients are returned to full network access.
A Windows Server 2008 computer with the Network Policy Server role is necessary to support
802.1X NAP enforcement. It is also necessary to have switch and/or wireless access point hardware
that is 802.1X-compliant.
Client computers must be running Windows Vista, Windows Server 2008, or Windows XP Service
Pack 3 because these operating systems include the EAPHost EC.
MORE INFO 802.1X enforcement step-by-step
For more detailed information on implementing 802.1X NAP enforcement, consult the following
Step-by-Step guide on TechNet: http://go.microsoft.com/fwlink/?LinkId=86036.
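As an added example (not from the training kit or this question page), the client-side preparation a Windows 7 workstation needs before 802.1X NAP enforcement can evaluate it: the NAP Agent and Wired AutoConfig services must run, and the EAP Quarantine Enforcement Client must be enabled. The EC identifier 79623 is the netsh ID of the EAP enforcement client; the NPS health policies, the RADIUS configuration on the managed switches, and the 802.1X wired profile pushed by Group Policy are assumed to be in place already.

```powershell
# Added example: prepare a Windows 7 client for 802.1X NAP enforcement.
# Run in an elevated PowerShell session on the client; in a 1,000-seat
# deployment the same settings would be applied through Group Policy.

# 1. The NAP Agent service (napagent) builds the Statement of Health that the
#    System Health Validator on NPS evaluates. It is disabled by default.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Wired AutoConfig (dot3svc) provides the 802.1X supplicant on Ethernet
#    adapters; without it the managed switch never receives an EAP response
#    and the port stays unauthenticated.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# 3. Enable the EAP Quarantine Enforcement Client (ID 79623) so the health
#    state is carried inside the PEAP exchange to the switch and on to NPS.
#    (Other IDs, for reference: 79617 DHCP EC, 79619 IPsec EC, 79621 RD Gateway EC.)
netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"

# 4. Verify. "show state" lists each enforcement client and whether it is
#    initialized, plus the client's current restriction state; "show
#    configuration" confirms the EAP EC is administratively enabled.
netsh nap client show state
netsh nap client show configuration
```

A client that later falls out of compliance (for example, a missed antimalware signature update) is moved by the switch to the restricted VLAN or packet-filter profile described above, and returns to full access once remediation completes.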