locked
A few questions RRS feed

  • Question

  • Hello,

    I've spent weeks testing the NAP. I tested DHCP, SSTP, 802.1X and IPsec with NAP

    with a lot of help from ppl here (mainly from Greg).

    Here I'd like to ask a few questions:

    1. All those labs can only auto-remediation windows firewall. Does auto-remediation works with Anti-virus protection, 3rd party firewall and 3rd party anti-spyware?

    2. Which kind of anti-virus should I install so that NAP regard my computer is safe??

    3. is it possible to not install sub ordinate CA when working with IPsec NAP? ( according to the step by step guide).

    4. in 802.1X lab, what does the "Microsoft, 1" vendor specific settings mean??



    MCSE CCNP
    • Edited by CT Andrew Friday, May 30, 2008 7:50 AM one more item
    Friday, May 30, 2008 4:56 AM

Answers

  • Hi,

    1. The Windows System Health Agent (WSHA) can auto-remediate firewall ON, Windows Defender ON (Vista only), automatic updates ON, and security updates up to date. It does not auto-remediate AV applications.

    However, if the AV vendor distributes a SHA for their product, this can allow you to remediate several things related to the AV signature and other software settings. Check the list of partners at http://www.microsoft.com/windowsserver2008/en/us/nap-partners.aspx.

    2. If you plan to use the WSHA, you can install any AV that integrates with Windows Security Center. 3rd-party AV integration is done through WMI. You can read about this at http://www.microsoft.com/windowsxp/sp2/wscoverview.mspx. You might also be interested in the WSC FAQ at http://support.microsoft.com/kb/883792.

    3. You can use a root CA to issue health certificates, but this is not recommended.

    4. A value of 1 for this attribute is arbitrary, but I believe it needs to be an integer and according to RFC 2868 valid values are 0x01 through 0x1F (1-31), so a value of 1 should be fine. It isn't always required, but I believe it helps with some equipment and never hurts. The purpose of this "attribute" (it isn't really an attribute per se, it is actually a field inside other attributes) is to group all attributes in a given policy together.

    -Greg
     
    Saturday, May 31, 2008 12:32 AM

All replies

  • Hi,

    1. The Windows System Health Agent (WSHA) can auto-remediate firewall ON, Windows Defender ON (Vista only), automatic updates ON, and security updates up to date. It does not auto-remediate AV applications.

    However, if the AV vendor distributes a SHA for their product, this can allow you to remediate several things related to the AV signature and other software settings. Check the list of partners at http://www.microsoft.com/windowsserver2008/en/us/nap-partners.aspx.

    2. If you plan to use the WSHA, you can install any AV that integrates with Windows Security Center. 3rd-party AV integration is done through WMI. You can read about this at http://www.microsoft.com/windowsxp/sp2/wscoverview.mspx. You might also be interested in the WSC FAQ at http://support.microsoft.com/kb/883792.

    3. You can use a root CA to issue health certificates, but this is not recommended.

    4. A value of 1 for this attribute is arbitrary, but I believe it needs to be an integer and according to RFC 2868 valid values are 0x01 through 0x1F (1-31), so a value of 1 should be fine. It isn't always required, but I believe it helps with some equipment and never hurts. The purpose of this "attribute" (it isn't really an attribute per se, it is actually a field inside other attributes) is to group all attributes in a given policy together.

    -Greg
     
    Saturday, May 31, 2008 12:32 AM
  • Thank you so much you are really helpful

    MCSE MCITP:EA CCNP
    Tuesday, June 10, 2008 4:21 AM