These remote systems are the weakest entry point into your network as they can easily be
compromised. VPN clients connect to your VPN server and authenticate using Protected
Extensible Authentication Protocol (PEAP) and MS-CHAP (Challenge Handshake Authentication
Protocol) v2. Authenticated clients must then provide a Statement of Health
that is evaluated by the NPS. The VPN client either gets an unrestricted connection or a
limited connection based on whether it complies with the health policy.
258 Microsoft Windows Server 2008 Administration
DHCP Enforcement
If you don't have complex equipment on your network, you can use DHCP enforcement.
It involves limiting network access to your resources by either not assigning an
IP address or assigning an IP address that has access only to your remediation servers
if the host does not pass the necessary health criteria. This isn't nearly as good as any of
the other solutions because it relies on IP routing tables to secure your network. It can
easily be defeated if someone knows some information about your network and simply
manually assigns the host an IP address. Although not the best solution, it is probably
still better than nothing for most environments and is at least an option if upgrading all
your network equipment and implementing IPSec across your enterprise can't be accomplished
for one reason or another.
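
Because DHCP enforcement can be sidestepped by a manually assigned address, it helps to audit for hosts on the wire that no lease accounts for. The following is an added example, not code from the book: it compares DHCP leases with IP/MAC pairs seen on the network (for instance from a router's ARP table). The Lease record, the function name and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    restricted: bool  # True: lease only reaches the remediation servers

def find_enforcement_bypass(leases, observed, static_allowlist=()):
    """Flag observed (ip, mac) pairs that no DHCP lease accounts for."""
    by_ip = {l.ip: l for l in leases}
    by_mac = {l.mac.lower(): l for l in leases}
    allowed = {(ip, mac.lower()) for ip, mac in static_allowlist}
    findings = []
    for ip, mac in observed:
        mac = mac.lower()
        if (ip, mac) in allowed:
            continue  # documented static host (router, server)
        lease = by_ip.get(ip)
        if lease and lease.mac.lower() == mac:
            continue  # address was issued to this host by DHCP
        held = by_mac.get(mac)
        if held and held.restricted:
            reason = "restricted-lease host using another address"
        elif lease:
            reason = "address leased to a different MAC"
        else:
            reason = "address not issued by DHCP"
        findings.append((ip, mac, reason))
    return findings

# Constructed sample data (documentation address range, made-up MACs).
LEASES = [
    Lease("192.0.2.50", "02:00:00:00:00:01", restricted=False),
    Lease("192.0.2.51", "02:00:00:00:00:02", restricted=True),
]
STATIC = [("192.0.2.1", "02:00:00:00:00:FE")]
OBSERVED = [
    ("192.0.2.1", "02:00:00:00:00:fe"),   # gateway, allowlisted
    ("192.0.2.50", "02:00:00:00:00:01"),  # compliant host on its lease
    ("192.0.2.51", "02:00:00:00:00:02"),  # noncompliant host, restricted lease
    ("192.0.2.77", "02:00:00:00:00:02"),  # same host on a self-assigned address
    ("192.0.2.50", "02:00:00:00:00:03"),  # unknown MAC reusing a leased address
    ("192.0.2.99", "02:00:00:00:00:04"),  # address DHCP never handed out
]

if __name__ == "__main__":
    for finding in find_enforcement_bypass(LEASES, OBSERVED, STATIC):
        print(finding)
```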