Saturday, July 14, 2007

Microsoft Windows Vista: Network Access Protection (NAP)

Microsoft's Network Access Protection (NAP) is built into the Windows Longhorn Server and Windows Vista client operating systems and expands upon the functionality of the Network Access Quarantine Control feature in Windows Server 2003. NAP allows you to monitor the health status of all computers that attempt to connect to your network--not just remote access clients--and ensure that they're compliant with your health policies. Noncompliant computers can be given access to a restricted network where you can place resources they can use to gain compliance. Here are 10 basic facts you need to know before deploying NAP on your network.

NAP is a supplemental feature:

NAP does not take the place of other network security mechanisms, such as firewalls, anti-malware programs, and intrusion detection systems. It does not in any way prevent unauthorized access to your network. Instead, it helps protect your network from attacks and malicious software that can be introduced by authorized users who connect to your network via unpatched, misconfigured, or unprotected computers.

NAP can be deployed in two modes: monitoring mode or isolation mode:

If you configure a monitoring policy, authorized users are given access to the network even if their computers are found noncompliant, but the noncompliant status is logged so that administrators can instruct the users to bring the computers into compliance. In isolation mode, noncompliant computers are given access only to the restricted network, where they can find resources to gain compliance.

You can select compliance criteria for the computers that connect to your network:

Compliance criteria include requirements for service packs and security updates, antivirus software, anti-spyware protection, firewalls, and Windows Automatic Updates. The criteria are configured on the System Health Validator (SHV) on the NAP server.

The NAP server must run Windows Longhorn Server:

The NAP server is a Network Policy Server (NPS). NPS is Longhorn's replacement for Internet Authentication Service (IAS) in Windows Server 2003 and provides authentication and authorization. NAP services include the NAP Administration Server and the NAP Enforcement Server. The System Health Validator (SHV) runs on the server.

NAP requires that the client computers have NAP client software installed:

The NAP client is built into Windows Vista, and a NAP client for Windows XP is expected to be made available with the release of Windows Longhorn Server. The System Health Agent (SHA) runs on the client. If you have computers on the network running operating systems that don't support NAP, you can exempt them from the health status requirements by creating exceptions, so that those computers can still access the network. If no exceptions are made for them, non-NAP capable computers will have access to the restricted network only.

The SHA prepares a Statement of Health (SoH) based on the health status of the client computer:

The NAP software submits the SoH to the SHV. The SHV communicates with the Policy Server and determines whether the health status provided in the SoH meets the requirements of your health policy. If it does, the computer is allowed full access to the network. If not (in isolation mode), the computer is given access to the restricted network where it can download the updates or software needed to come into compliance. The computers on the restricted network that contain these resources are called remediation servers.
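The decision flow described above, together with the two deployment modes, the compliance criteria and the exemptions for non-NAP-capable computers covered earlier, as an added model in Python (not Microsoft's code; the SoH fields, host names and the policy structure are constructed for illustration):

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    MONITORING = "monitoring"  # noncompliance is logged, full access still granted
    ISOLATION = "isolation"    # noncompliant clients get the restricted network only

FULL, RESTRICTED = "full", "restricted"

@dataclass
class StatementOfHealth:
    # Constructed stand-in for a System Health Agent report; nap_capable=False
    # models a client that runs no NAP client and so submits no SoH at all.
    host: str
    service_pack: int = 0
    firewall_on: bool = False
    antivirus_on: bool = False
    antispyware_on: bool = False
    auto_updates_on: bool = False
    nap_capable: bool = True

@dataclass
class HealthPolicy:
    mode: Mode
    min_service_pack: int = 1
    exempt_hosts: set = field(default_factory=set)  # non-NAP machines allowed in

def validate(soh, policy):
    """System Health Validator logic: return the requirements the SoH fails."""
    checks = {
        "service_pack": soh.service_pack >= policy.min_service_pack,
        "firewall": soh.firewall_on,
        "antivirus": soh.antivirus_on,
        "antispyware": soh.antispyware_on,
        "auto_updates": soh.auto_updates_on,
    }
    return [name for name, ok in checks.items() if not ok]

def decide(soh, policy, log):
    """Policy decision: full or restricted access, with the audit trail in log."""
    if soh.host in policy.exempt_hosts:
        log.append(f"{soh.host}: exempt from health checks, full access")
        return FULL
    if not soh.nap_capable:
        log.append(f"{soh.host}: not NAP-capable and not exempt, restricted network")
        return RESTRICTED
    failures = validate(soh, policy)
    if not failures:
        return FULL
    log.append(f"{soh.host}: noncompliant ({', '.join(failures)})")
    return FULL if policy.mode is Mode.MONITORING else RESTRICTED
```

In monitoring mode the log entries are the only output an administrator sees, so they are what a detection pipeline should collect; in isolation mode the same entries explain why a client landed on the restricted network.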

You can use health certificates to prove compliance:

In this case, you need a Longhorn server running Internet Information Services (IIS) and Certificate Services to act as a CA and issue the health certificates. This server is called the Health Registration Authority (HRA). The NAP client sends the SoH to the HRA, which sends it to the NPS server. The NPS server communicates with the Policy Server to find out if the SoH is valid. If it is, the HRA obtains a health certificate for the client, which can be used to initiate IPSec-based communications.

There are four types of NAP enforcement:

IPSec enforcement relies on the HRA and X.509 certificates. 802.1x enforcement relies on an EAPHost NAP enforcement client and is used for clients connecting through an 802.1x access point. (This can be a wireless access point or an Ethernet switch.) Restricted access profiles are placed on noncompliant clients using packet filters or VLAN identifiers to restrict them to the restricted network. VPN enforcement relies on VPN servers to enforce the health policy when a computer attempts to make a VPN connection to the network. DHCP enforcement relies on the DHCP servers to enforce the health policy when a computer leases or renews its IP address. You can use one, some, or all of the enforcement methods on a given network.

Only computers that connect to the network via one of the four enforcement methods will have their access restricted if they're noncompliant:

DHCP enforcement is the easiest to deploy and the most comprehensive because most computers will need to lease IP addresses (all except those assigned static addresses), but IPSec enforcement is the strongest enforcement method. When a computer's access is restricted, it will still have access to the DNS and DHCP servers, as well as the remediation servers. Rather than exposing primary DNS servers to restricted clients, you can place secondary DNS servers or forwarding servers on the restricted network.

NAP is different from Network Access Quarantine Control in Windows Server 2003:

NAP can be applied to all the systems on the network, not just remote access clients. With NAP, you can also monitor and control the health status of visiting laptops and even on-site desktop computers. It's also easier to deploy because it doesn't require the creation of custom scripts and manual configuration with command-line tools, as does NAQC. In addition, third-party software vendors can use the NAP APIs to create NAP-compatible health status validation and network access limitation components. NAP and NAQC can be used simultaneously, but generally NAP will serve as a replacement for NAQC.