Understanding Network Access Protection (NAP) in Windows Server 2008

Network Access Protection (NAP) is a platform you can install in Windows Server 2008 to enforce computer health requirements on client machines before they are allowed to access network resources. NAP can ensure that a system complies with a particular update level and with configuration requirements such as firewall state, malware removal tools, Windows Update and antivirus.

Microsoft also recommends integrating third-party tools with the existing systems architecture to verify the health status of computer systems. NAP includes a set of APIs that you can use to incorporate other tools for health policy validation, network access control, remediation, and ongoing compliance.

With the release of Windows Server 2008, Microsoft introduced Network Policy Server (NPS) as its Remote Authentication Dial-In User Service (RADIUS) and VPN server. It replaces Internet Authentication Server (IAS) in Windows Server 2003. NPS performs health evaluation and determines what access to grant NAP clients. When an access request is received, NPS extracts the client’s Statement of Health (SoH) and forwards it to the NAP Administration Server. Based on the Statement of Health Responses (SoHRs) from the System Health Validators (SHVs) and the health policies, NPS creates a System Statement of Health Response (SSoHR) that states whether the client complies. Every client must demonstrate that it complies with the rules of the NAP Administration Server.

IPsec, IEEE 802.1X, VPN, Terminal Server gateway and DHCP are available for enforcing network restrictions on noncompliant hosts.

System Health Validator and Agents

A System Health Validator (SHV) is an element on the NAP client that can be matched to a System Health Agent (SHA). An SHA corresponds to one or more health requirement servers. Health requirements cover Windows Firewall, antivirus, antispyware and Windows Update.
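
The evaluation flow described above, modelled as an added example (not Microsoft's code and not the NAP API): each SHV checks its part of the client's SoH and returns an SoHR, and the results are combined into an SSoHR that decides full or restricted access. The dictionary layout, policy thresholds and function names are assumptions made for this sketch; a missing agent report is treated as noncompliant.

```python
from dataclasses import dataclass

# Hypothetical health policy; keys and thresholds are assumptions for this sketch.
POLICY = {"firewall": {}, "antivirus": {"max_signature_age_days": 7},
          "windows_update": {"max_missing_critical": 0}}

@dataclass
class SoHR:
    component: str
    compliant: bool
    reason: str

def shv_firewall(report, rule):
    ok = report.get("enabled") is True
    return ok, "firewall on" if ok else "firewall off"

def shv_antivirus(report, rule):
    if report.get("enabled") is not True:
        return False, "antivirus disabled"
    age = report.get("signature_age_days")
    if not isinstance(age, int) or age > rule["max_signature_age_days"]:
        return False, f"signatures stale or unreported ({age})"
    return True, "antivirus current"

def shv_windows_update(report, rule):
    missing = report.get("missing_critical")
    if not isinstance(missing, int) or missing > rule["max_missing_critical"]:
        return False, f"missing critical updates ({missing})"
    return True, "updates current"

SHVS = {"firewall": shv_firewall, "antivirus": shv_antivirus,
        "windows_update": shv_windows_update}

def evaluate(soh, policy=POLICY):
    """Run each required SHV over the client's SoH and build the SSoHR."""
    responses = []
    for component, rule in policy.items():
        report = soh.get(component)
        if report is None:  # fail closed: a silent agent counts as noncompliant
            ok, reason = False, "no report from agent"
        else:
            ok, reason = SHVS[component](report, rule)
        responses.append(SoHR(component, ok, reason))
    compliant = all(r.compliant for r in responses)
    return {"compliant": compliant, "responses": responses,
            "access": "full" if compliant else "restricted"}

# Constructed sample SoH: a laptop with old signatures and no update agent report.
ROAMING_LAPTOP = {"firewall": {"enabled": True},
                  "antivirus": {"enabled": True, "signature_age_days": 21}}
```

Calling `evaluate(ROAMING_LAPTOP)` returns a noncompliant SSoHR with restricted access: the firewall check passes, the antivirus signatures exceed the policy's age limit, and the absent Windows Update report fails closed.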

NAP Scenarios

Desktop computers can pose a threat to the network if they are missing updates, are configured poorly, or have become infected by malware.

Roaming laptops can be missing updates or the most recent antivirus signatures because the user has not connected the laptop to the corporate network for several weeks. A laptop faces potential attack when used on wireless networks, or when left unattended in a place accessible to untrustworthy individuals. With NAP, administrators can verify the health state of laptops each time they reconnect to the organization’s network, whether via a VPN or when the user returns to the office.

Some organizations allow their users to connect to the corporate network through a VPN using their own home computers. These computers are unmanaged and not under the control of the organization. With NAP, however, network administrators can inspect the health state of these systems every time they establish a VPN connection, and limit access if the systems do not meet health requirements.

Businesses allow all sorts of people to visit their premises: consultants, partners, friends of employees, recruits and vendors may all ask for access to your network. Administrators can evaluate those computers and isolate them on a restricted network such as a separate VLAN. Presumably the restricted network would include Internet access so that visitors can reach their own e-mail accounts and other outside resources.

Further Study:

How to configure NAP (RADIUS)

How to configure VPN Server

How to configure WSUS

McAfee ePolicy Orchestrator
