Lab 11 Network Access Protection

Exercise 1: Installing Network Access Protection

In this lab, we will be configuring Network Access Protection Role.

First, we need to install Certificate Services.

This slideshow requires JavaScript.

Now that the role has been installed, we now need to configure the role.

This slideshow requires JavaScript.

Now we need to add another role ‘Network Policy Server’ and ‘Health Registration Authority’


This slideshow requires JavaScript.

Exercise 2: Configuring Network Access Protection

Now we need to configure Network Access Protection.

This slideshow requires JavaScript.

Now we need to go into NPS and configure it to the lab’s requirements.

This slideshow requires JavaScript.

Now in DHCP we need to ‘Enable on all scopes’ for Network Access Protection

Exercise 3: Configuring a NAP Client

Now that NAP has been setup, we need to confirm that NAP Client has been deployed to Clients on the Domain.

This slideshow requires JavaScript.

Exercise 4: Testing Network Access Protection

Now that the Group Policy for the domain has been configured for NAP, we will try to connect a Windows Domain Client to the network.

First, we need to log into the Client VM and release its current IP address and renew to gain a new address from the DHCP server.

Now we are all connected, I need to look and make note of the current alerts in the Action center.

Now we need to check the Event Viewer and make a note of the NAP > Operational logs.

Here we can see a connection between the server and the client communicating about health status.

Now switching to the Server VM we can look for Audit Success logs.

Now that we can see the correct logs, I need to go into Network Policy Server and deny access to the NAP DHCP Non-NAP-Capable.

Now we need to change the Default configuration for Windows Security Health Validator.

Now I need to switch to my Client VM and try to renew a new IP address and see what happens.

As you can see the Client failed to grab a DHCP address, this is because the Client does not meet the standards to connect, as it has security issues, so if I fix these issues in action center it should then allow me to grab an address.

This slideshow requires JavaScript.

As you can see after fixing a few of the security issues it resolved my connection, also I could not update my Windows Defender as I don’t have an internet connection, but this caused me no issues.

In the security logs on the Server, you can see it denying access for the Client.

Exercise 5: Circumventing Network Access Protection

This exercise will show how to connect to a network even if it does not meet the health policy.

First I logged into the Rogue VM and tried to ping the Server and this was unsuccessful as it does not meet the policy, but after setting it static I could ping the server as well as browse Network shares.

Lab complete.


This lab caused me a few issues at the start because of the Certificate Role.

Since it was installed from another lab I went to uninstall it but when I went to reinstall it, it would error out. After several restarts, it finally gave way and let me start from scratch.

This lab was all new to me and it was awesome to see how you can refuse connection to Clients that do not meet the networks security standards, it was also interesting to see how easy this is to bypass. The lab explains that this is something you should put at the switch layer.

Like most of my labs I think I approached this in a good way, instead of using pre existing roles I uninstalled them to remove any conflicts, even though it was a hassle to reinstall it would still have saved me time if I used the role from the last lab, as this could have caused small issues throughout the lab.


Post Author: Nicholas Wilkinson

I am a 3rd year Networking Major in my IT BIT degree. I have a passion for Cloud Computing and IOT devices.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.