
Microsoft Support Case 802.1x


Page 1: Microsoft Support Case 802.1x

A huge amount of trouble sharing files. Emails with attachments are bouncing.

FTP does not provide progress feedback or seem to work.

Network Access Protection Support Case, 16 December 2011 11:19

Security Page 1

Page 2: Microsoft Support Case 802.1x

Eventually I opted for sharing via SkyDrive, but this created a concern that I may be exposing sensitive data on the internet.


Page 3: Microsoft Support Case 802.1x

Configure NAP with a wizard

The NAP configuration wizard helps you set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.

Page 4: Microsoft Support Case 802.1x

To configure NPS using the NAP wizard

1. Click Start, click Run, type nps.msc, and then press ENTER.

2. In the Network Policy Server console tree, click NPS (Local).

3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.

4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IEEE 802.1X (Wired), and then click Next.

5. On the Specify 802.1X Authenticating Switches page, click Add.

6. In the New RADIUS Client dialog box, under Friendly name, type 802.1X Switch. Under Address (IP or DNS), type 192.168.0.3.

7. Under Shared secret, type secret.

8. Under Confirm shared secret, type secret, click OK, and then click Next.

9. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.

10. On the Configure an Authentication Method page, confirm that a computer certificate obtained in the previous procedure is displayed under NPS Server Certificate, and that Secure Password (PEAP-MSCHAP v2) is selected under EAP types. Click Next.

11. Use the following steps to configure VLAN properties for compliant computers. In this lab, VLAN ID 3 will be used for compliant computers.

Note: If you are running Windows Server 2008 R2, this page is titled Configure Traffic Controls. On the Configure Traffic Controls page, under Full access network, click Configure.

a. On the Configure Virtual LANs (VLANs) page, under Organization network VLAN, click Configure.

b. In the Virtual LAN (VLAN) Configuration dialog box (if you are running Windows Server 2008 R2, this dialog box is titled Configure RADIUS Attributes), on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.

c. In the Attribute Information dialog box, click Add.

d. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.

e. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.

f. In the Attribute Information dialog box, click Add.

g. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.

h. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.

i. In the Attribute Information dialog box, click Add.

j. Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 3, and then click OK twice. This value represents the compliant VLAN ID used in this lab.

k. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), click the Vendor Specific attributes tab, and then click Add.

Note: If you are running Windows Server 2008 R2, in the Add Vendor Specific Attribute dialog box, under Vendor, select Custom.

l. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.

m. In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.

n. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.

Note: The Tunnel-Tag value is populated in all attributes used in this policy, and serves to group these attributes together, identifying them as belonging to a particular tunnel. Consult your vendor documentation to determine if a unique Tunnel-Tag value is required for your switch.

o. Click Close, and then click OK.

12. Use the following steps to configure VLAN properties for noncompliant computers. These steps are identical to those used for compliant computers, with the exception that VLAN ID 2 is configured for noncompliant computers.

Note: If you are running Windows Server 2008 R2, this page is titled Configure Traffic Controls. On the Configure Traffic Controls page, under Restricted access network, click Configure.

a. On the Configure Virtual LANs (VLANs) page, under Restricted network VLAN, click Configure.

b. In the Virtual LAN (VLAN) Configuration dialog box (if you are running Windows Server 2008 R2, this dialog box is titled Configure RADIUS Attributes), on the RADIUS standard attributes tab, click Tunnel-Type, and then click Edit.

c. In the Attribute Information dialog box, click Add.

d. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that Virtual LANs (VLAN) is selected, and then click OK twice.

e. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Medium-Type, and then click Edit.

f. In the Attribute Information dialog box, click Add.

g. Another Attribute Information dialog box is displayed. Under Attribute Value, choose Commonly used for 802.1x, verify that 802 (Includes all 802 media plus Ethernet canonical format) is selected, and then click OK twice.

h. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), on the RADIUS standard attributes tab, click Tunnel-Pvt-Group-ID, and then click Edit.

i. In the Attribute Information dialog box, click Add.

j. Another Attribute Information dialog box is displayed. Under Enter the attribute value in, choose String, type 2, and then click OK twice. This value represents the noncompliant VLAN ID used in this lab.

k. In the Virtual LAN (VLAN) Configuration dialog box (or, if you are running Windows Server 2008 R2, in the Configure RADIUS Attributes dialog box), click the Vendor Specific attributes tab, and then click Add.

Note: If you are running Windows Server 2008 R2, in the Add Vendor Specific Attribute dialog box, under Vendor, select Custom.

l. In the Add Vendor Specific Attribute dialog box, under Vendor, select Microsoft.

m. In the Add Vendor Specific Attribute dialog box, under Attributes, select Tunnel-Tag, and then click Add.

n. In the Attribute Information dialog box, under Attribute value, type 1, and then click OK.

o. Click Close, and then click OK.

13. This completes the configuration of VLAN properties for compliant and noncompliant computers. Click Next.

14. On the Define NAP Health Policy page, verify that the Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.

15. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.

16. Leave the NPS console open for the following procedure.
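Added worked example (not part of the support case or of Microsoft's documentation): what steps 6 to 12 produce on the wire. The three Tunnel-* attributes the wizard puts on the compliant and noncompliant network policies are RFC 2868 tagged attributes, and the Tunnel-Tag value 1 from step 11n is the Tag octet in front of each value. The shared secret from step 7 is what the switch uses to check the Response Authenticator on the Access-Accept before it honours the VLAN, so a wrong or tampered packet leaves the port on its default VLAN. The request authenticator and packet identifier below are constructed; "secret" is the lab value from step 7, which is fine for a test lab but not for production, because the authenticator is only an MD5 over the packet plus that secret and a short secret can be brute-forced from one captured exchange.

```python
"""Encode/decode the RADIUS tunnel attributes NPS sends for VLAN assignment (RFC 2868)
and authenticate the Access-Accept the way a NAS does (RFC 2865)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64          # RFC 2868: value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65   # RFC 2868: value 6 = IEEE-802
TUNNEL_PVT_GROUP_ID = 81  # RFC 2868: VLAN ID carried as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Type, Length, Tag (1 octet), Value (3 octets)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0..31")
    if not 0 <= value < 1 << 24:
        raise ValueError("value must fit in 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_string(attr_type, tag, text):
    """Tagged string attribute: Type, Length, Tag (1 octet), String."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0..31")
    body = bytes([tag]) + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan_id, tag=1):
    """The three attributes steps 11 and 12 add to the compliant/noncompliant policy.
    NPS's Tunnel-Tag is the Tag octet placed in front of each value."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PVT_GROUP_ID, tag, str(vlan_id)))


def build_access_accept(identifier, request_auth, attributes, secret):
    """Server side. Response Authenticator =
    MD5(Code | Identifier | Length | RequestAuthenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret.encode()).digest()
    return header + resp_auth + attributes


def verify_access_accept(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator with its own copy of the shared
    secret; a mismatch (wrong secret or tampered attributes) means the VLAN is ignored."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return False
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attributes + secret.encode()).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_tunnel_attributes(attributes):
    """Group Tunnel-* attributes by tag, as a NAS does before picking a tunnel."""
    tunnels = {}
    i = 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        attr_type, length = attributes[i], attributes[i + 1]
        if length < 2 or i + length > len(attributes):
            raise ValueError("malformed attribute length")
        value = attributes[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID):
            # RFC 2868: a first octet above 0x1F is not a tag but part of the value (tag 0).
            if value and value[0] <= 0x1F:
                tag, payload = value[0], value[1:]
            else:
                tag, payload = 0, value
            entry = tunnels.setdefault(tag, {})
            if attr_type == TUNNEL_TYPE:
                entry["type"] = int.from_bytes(payload, "big")
            elif attr_type == TUNNEL_MEDIUM_TYPE:
                entry["medium"] = int.from_bytes(payload, "big")
            else:
                entry["group"] = payload.decode("ascii", "replace")
        i += length
    return tunnels


def assigned_vlan(packet):
    """VLAN ID a switch would apply from an authenticated Access-Accept, or None."""
    for entry in parse_tunnel_attributes(packet[20:]).values():
        if (entry.get("type") == TUNNEL_TYPE_VLAN
                and entry.get("medium") == TUNNEL_MEDIUM_802
                and entry.get("group", "").isdigit()):
            return int(entry["group"])
    return None


if __name__ == "__main__":
    # Constructed request authenticator; a real one is 16 random octets chosen by the NAS.
    request_auth = bytes(range(16))
    accept = build_access_accept(0x2A, request_auth, vlan_attributes(3), "secret")
    print(accept.hex())
    print("valid with correct secret:", verify_access_accept(accept, request_auth, "secret"))
    print("valid with wrong secret:  ", verify_access_accept(accept, request_auth, "s3cret"))
    print("VLAN assigned:", assigned_vlan(accept))
```

The compliant policy serialises to 40 06 01 00 00 0d (Tunnel-Type, tag 1, VLAN), 41 06 01 00 00 06 (Tunnel-Medium-Type, tag 1, IEEE-802) and 51 04 01 33 (Tunnel-Pvt-Group-ID, tag 1, "3"); the noncompliant policy differs only in the last octet. If the switch wants a different Tunnel-Tag, as the note under step 11n warns, only the tag octet changes.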


Page 6: Microsoft Support Case 802.1x

Configuring Full Access/Compliant Network


Page 7: Microsoft Support Case 802.1x


Page 8: Microsoft Support Case 802.1x


Configuring Restricted Access Network


Page 9: Microsoft Support Case 802.1x

Verify Settings


Page 10: Microsoft Support Case 802.1x


Page 11: Microsoft Support Case 802.1x

Disable Fast Reconnect. The recommendation is not to enable Fast Reconnect.


Page 12: Microsoft Support Case 802.1x

Check that the Wired AutoConfig service (dot3svc) is running.

When this service is running, the Authentication tab appears in the LAN connection properties.


Page 13: Microsoft Support Case 802.1x

Disable Fast Reconnect and select the trusted root CAs (it is possible to select multiple).

Select Configure for the authentication method.


Page 14: Microsoft Support Case 802.1x

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/21/2011 1:31:34 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TFS.effective-computing.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                  NULL SID
    Account Name:                 -
    Account Domain:               -
    Fully Qualified Account Name: -

Client Machine:
    Security ID:                  EC\SQL1$
    Account Name:                 SQL1.effective-computing.com
    Fully Qualified Account Name: EC\SQL1$
    OS-Version:                   6.1.7601 1.0 x64 Server
    Called Station Identifier:    -
    Calling Station Identifier:   -

NAS:
    NAS IPv4 Address:  192.168.0.6
    NAS IPv6 Address:  -
    NAS Identifier:    TFS.effective-computing.com
    NAS Port-Type:     Ethernet
    NAS Port:          -

RADIUS Client:
    Client Friendly Name: -
    Client IP Address:    -

Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired)
    Network Policy Name:            NAP 802.1X (Wired) Noncompliant
    Authentication Provider:        Windows
    Authentication Server:          TFS.effective-computing.com
    Authentication Type:            Unauthenticated
    EAP Type:                       -
    Account Session Identifier:     6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    66
    Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-12-21T13:31:34.793040700Z" />
    <EventRecordID>95408518</EventRecordID>
    <Correlation />
    <Execution ProcessID="544" ThreadID="2180" />
    <Channel>Security</Channel>
    <Computer>TFS.effective-computing.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-5-21-2958826572-3304703673-2514800256-3617</Data>
    <Data Name="SubjectMachineName">SQL1.effective-computing.com</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
    <Data Name="CalledStationID">-</Data>
    <Data Name="CallingStationID">-</Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">TFS.effective-computing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">TFS.effective-computing.com</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>


Page 16: Microsoft Support Case 802.1x

Checking the Cisco router settings also. I added VLANs 2 and 3 just now.


Page 17: Microsoft Support Case 802.1x

Case Ref 111 121 543 042 674

Troubleshooting 23.01.2012


Page 18: Microsoft Support Case 802.1x

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/23/2012 3:29:11 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TFS.effective-computing.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                  NULL SID
    Account Name:                 -
    Account Domain:               -
    Fully Qualified Account Name: -

Client Machine:
    Security ID:                  EC\SQL1$
    Account Name:                 SQL1.effective-computing.com
    Fully Qualified Account Name: EC\SQL1$
    OS-Version:                   6.1.7601 1.0 x64 Server
    Called Station Identifier:    -
    Calling Station Identifier:   -

NAS:
    NAS IPv4 Address:  192.168.0.6
    NAS IPv6 Address:  -
    NAS Identifier:    TFS.effective-computing.com
    NAS Port-Type:     Ethernet
    NAS Port:          -

RADIUS Client:
    Client Friendly Name: -
    Client IP Address:    -

Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired)
    Network Policy Name:            NAP 802.1X (Wired) Noncompliant
    Authentication Provider:        Windows
    Authentication Server:          TFS.effective-computing.com
    Authentication Type:            Unauthenticated
    EAP Type:                       -
    Account Session Identifier:     4527F31BCE51CD49A79F3FD387E1AAFB5B7226ABAFD9CC01
    Logging Results:                Accounting information was written to the local log file.
    Reason Code:                    66
    Reason:                         The user attempted to use an authentication method that is not enabled on the matching network policy.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-01-23T15:29:11.926990400Z" />
    <EventRecordID>110956128</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="632" />
    <Channel>Security</Channel>
    <Computer>TFS.effective-computing.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="FullyQualifiedSubjectUserName">-</Data>
    <Data Name="SubjectMachineSID">S-1-5-21-2958826572-3304703673-2514800256-3617</Data>
    <Data Name="SubjectMachineName">SQL1.effective-computing.com</Data>
    <Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
    <Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
    <Data Name="CalledStationID">-</Data>
    <Data Name="CallingStationID">-</Data>
    <Data Name="NASIPv4Address">192.168.0.6</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">TFS.effective-computing.com</Data>
    <Data Name="NASPortType">Ethernet</Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
    <Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">TFS.effective-computing.com</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">4527F31BCE51CD49A79F3FD387E1AAFB5B7226ABAFD9CC01</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>

Page 20: Microsoft Support Case 802.1x

PS C:\Users\Austin.EC> Netsh nap client show grouppolicy

NAP client configuration (group policy):
----------------------------------------------------

NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = IPsec Relying Party
ID              = 79619
Admin           = Enabled

Name            = RD Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Enabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Trusted server group configuration:
----------------------------------------------------
Group            = NAP Trusted Health Registration Authorities
Require Https    = Enabled
URL              = https://TFS.effective-computing.com/DomainHRA/hcsrvext.dll
Processing order = 1

Group            = NAP Trusted Health Registration Authorities
Require Https    = Enabled
URL              = https://ConfigManager.effective-computing.com/DomainHRA/hcsrvext.dll
Processing order = 2

Ok.

PS C:\Users\Austin.EC> Netsh nap client show configuration

NAP client configuration:
----------------------------------------------------
Cryptographic service provider (CSP) = Microsoft RSA SChannel Cryptographic Provider, keylength = 2048
Hash algorithm = sha1RSA (1.3.14.3.2.29)

Enforcement clients:
----------------------------------------------------
Name            = DHCP Quarantine Enforcement Client
ID              = 79617
Admin           = Disabled

Name            = IPsec Relying Party
ID              = 79619
Admin           = Disabled

Name            = RD Gateway Quarantine Enforcement Client
ID              = 79621
Admin           = Disabled

Name            = EAP Quarantine Enforcement Client
ID              = 79623
Admin           = Disabled

Client tracing:
----------------------------------------------------
State = Disabled
Level = Disabled

Ok.

PS C:\Users\Austin.EC> Netsh nap client show state

Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =
GroupPolicy            = Configured

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79619
Name                   = IPsec Relying Party
Description            = Provides IPsec based enforcement for Network Access Protection
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

Id                     = 79621
Name                   = RD Gateway Quarantine Enforcement Client
Description            = Provides RD Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

Ok.

PS C:\Users\Austin.EC> Netsh nap client dump

# ==========================================================
# Network Access Protection client configuration
# ==========================================================
pushd nap client

# ----------------------------------------------------------
# Trusted server group configuration
# ----------------------------------------------------------
reset trustedservergroup

# ----------------------------------------------------------
# Cryptographic service provider (CSP) configuration
# ----------------------------------------------------------
set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"

# ----------------------------------------------------------
# Hash algorithm configuration
# ----------------------------------------------------------
set hash oid = "1.3.14.3.2.29"

# ----------------------------------------------------------
# Enforcement configuration
# ----------------------------------------------------------
set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"

# ----------------------------------------------------------
# Tracing configuration
# ----------------------------------------------------------
set tracing state = "disable" level = "basic"

# ----------------------------------------------------------
# User interface configuration
# ----------------------------------------------------------
reset userinterface

popd
# End of NAP client configuration

PS C:\Users\Austin.EC> Netsh nap client show hashes

Available hash algorithms:

Name                          OID
----------------------------------------------------
sha1RSA                       1.2.840.113549.1.1.5
md5RSA                        1.2.840.113549.1.1.4
sha1DSA                       1.2.840.10040.4.3
sha1RSA                       1.3.14.3.2.29
shaRSA                        1.3.14.3.2.15
md5RSA                        1.3.14.3.2.3
md2RSA                        1.2.840.113549.1.1.2
md4RSA                        1.2.840.113549.1.1.3
md4RSA                        1.3.14.3.2.2
md4RSA                        1.3.14.3.2.4
md2RSA                        1.3.14.7.2.3.1
sha1DSA                       1.3.14.3.2.13
dsaSHA1                       1.3.14.3.2.27
mosaicUpdatedSig              2.16.840.1.101.2.1.1.19
sha1NoSign                    1.3.14.3.2.26
md5NoSign                     1.2.840.113549.2.5
sha256NoSign                  2.16.840.1.101.3.4.2.1
sha384NoSign                  2.16.840.1.101.3.4.2.2
sha512NoSign                  2.16.840.1.101.3.4.2.3
sha256RSA                     1.2.840.113549.1.1.11
sha384RSA                     1.2.840.113549.1.1.12
sha512RSA                     1.2.840.113549.1.1.13
RSASSA-PSS                    1.2.840.113549.1.1.10
sha1ECDSA                     1.2.840.10045.4.1
sha256ECDSA                   1.2.840.10045.4.3.2
sha384ECDSA                   1.2.840.10045.4.3.3
sha512ECDSA                   1.2.840.10045.4.3.4
specifiedECDSA                1.2.840.10045.4.3

Ok.

PS C:\Users\Austin.EC> Netsh nap client show csps

Available cryptographic service providers (CSPs):

Name
----------------------------------------------------
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
Microsoft Base Smart Card Crypto Provider
Microsoft DH SChannel Cryptographic Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Microsoft Enhanced RSA and AES Cryptographic Provider
Microsoft RSA SChannel Cryptographic Provider
Microsoft Strong Cryptographic Provider

Ok.


Page 25: Microsoft Support Case 802.1x

PS C:\Users\Austin.EC>

The authentication mode was not set; we changed this.

Unchecked override network policy settings.
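Added example, not part of the case notes: triage logic run over the 6273 event recorded above (the 21 December 2011 one, embedded below as sample input with its hyphens normalised to ASCII). It pulls the EventData fields out of the event XML, works out who was denied (a NULL user SID alongside a machine SID is computer authentication, which is why EC\SQL1$ is the subject), and for reason code 66 with Authentication Type Unauthenticated and no EAP Type points at the authentication settings of the connection request policy, which is where the fix above was made. The function names, the heuristic and the AUDIT_FAILURE_BIT constant are mine; the field names are the ones carried in the event.

```python
"""Triage NPS event 6273 ("Network Policy Server denied access to a user") from Security-log XML."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_BIT = 0x0010000000000000  # the bit set in the 0x8010000000000000 keywords above
NULL_SID = "S-1-0-0"

# Sample input: the 21 December 2011 event from these notes, hyphens normalised to ASCII.
SAMPLE_6273 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>6273</EventID><Version>1</Version><Level>0</Level><Task>12552</Task><Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2011-12-21T13:31:34.793040700Z"/>
<EventRecordID>95408518</EventRecordID><Correlation/><Execution ProcessID="544" ThreadID="2180"/>
<Channel>Security</Channel><Computer>TFS.effective-computing.com</Computer><Security/></System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data><Data Name="FullyQualifiedSubjectUserName">-</Data>
<Data Name="SubjectMachineSID">S-1-5-21-2958826572-3304703673-2514800256-3617</Data>
<Data Name="SubjectMachineName">SQL1.effective-computing.com</Data>
<Data Name="FullyQualifiedSubjectMachineName">EC\SQL1$</Data>
<Data Name="MachineInventory">6.1.7601 1.0 x64 Server</Data>
<Data Name="CalledStationID">-</Data><Data Name="CallingStationID">-</Data>
<Data Name="NASIPv4Address">192.168.0.6</Data><Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">TFS.effective-computing.com</Data>
<Data Name="NASPortType">Ethernet</Data><Data Name="NASPort">-</Data>
<Data Name="ClientName">-</Data><Data Name="ClientIPAddress">-</Data>
<Data Name="ProxyPolicyName">NAP 802.1X (Wired)</Data>
<Data Name="NetworkPolicyName">NAP 802.1X (Wired) Noncompliant</Data>
<Data Name="AuthenticationProvider">Windows</Data>
<Data Name="AuthenticationServer">TFS.effective-computing.com</Data>
<Data Name="AuthenticationType">Unauthenticated</Data><Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">6CFBE9471357B4459B0C8CE8676621385B2F9C5337BFCC01</Data>
<Data Name="ReasonCode">66</Data>
<Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
<Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Flatten one Security-log event into a dict: System header fields plus every EventData item."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Keywords": int(system.findtext("e:Keywords", namespaces=NS), 16),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[data.get("Name")] = (data.text or "").strip()
    return rec


def subject(rec):
    """Who was denied. A NULL user SID with a machine SID means computer (machine) authentication."""
    if rec.get("SubjectUserSid") == NULL_SID and rec.get("SubjectMachineSID", "-") != "-":
        return rec["FullyQualifiedSubjectMachineName"]
    return rec["FullyQualifiedSubjectUserName"]


def triage(rec):
    """Findings for one 6273 audit-failure event; empty list for anything else."""
    if rec.get("EventID") != 6273 or not rec["Keywords"] & AUDIT_FAILURE_BIT:
        return []
    findings = [
        f"{rec['TimeCreated']}: NPS {rec['Computer']} denied {subject(rec)} from NAS "
        f"{rec['NASIPv4Address']} ({rec['NASPortType']}); CRP '{rec['ProxyPolicyName']}' -> "
        f"network policy '{rec['NetworkPolicyName']}'; reason {rec['ReasonCode']}: {rec['Reason']}"
    ]
    # Reason 66 with no EAP type negotiated: the request never got an authentication method,
    # so the place to look is the connection request policy, not the client's credentials.
    if (rec["ReasonCode"] == "66" and rec["AuthenticationType"] == "Unauthenticated"
            and rec["EAPType"] == "-"):
        findings.append(
            "no EAP type was negotiated before the network policy was evaluated; compare the "
            f"authentication methods on connection request policy '{rec['ProxyPolicyName']}' "
            "(and whether it overrides network policy authentication settings) with the EAP "
            f"types enabled on '{rec['NetworkPolicyName']}'")
    return findings


def summarize(records):
    """Count denials by (network policy, reason code): a single pair repeating across days,
    as in these notes, is a configuration problem rather than a user error."""
    return Counter((r["NetworkPolicyName"], r["ReasonCode"])
                   for r in records if r.get("EventID") == 6273)


if __name__ == "__main__":
    event = parse_event(SAMPLE_6273)
    for line in triage(event):
        print(line)
    print(summarize([event]))
```

To run it over a live server instead of the embedded sample, export the events with wevtutil qe Security /q:"*[System[EventID=6273]]" /f:xml and feed each <Event> element to parse_event; the rest of the logic is unchanged.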


Page 26: Microsoft Support Case 802.1x
