Network Access Protection

One of the most difficult challenges as a network administrator is to make sure that computers connecting to the corporate intranet especially laptop computers is up to date with the latest antivirus software and security patches.

NAP for Windows Server 2008, Windows Server 2008 R2,Windows 7,Windows Vista and Windows XP SP3 provides components and application programming interfaces (API) that helps IT administrators enforce health requirement polices.NAP helps administrators create solutions for validating computers connecting to the network and what to do if they not meet the requirements such as provide needed updates or limit their access to the network. Remember that NAP is not designed to protect the network against malicious users.It is designed to automatically maintain the health of the computers and to help keep the network's integrity.

To validate access to a network based on system health, a network infrastructure needs to provide the following. Health state validation: Determines whether the computers are compliant with health policy requirements.

Network access limitation: Limits access for noncompliant computers.

Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant without user intervention.

Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements

Nap components

NAP clients

NAP enforcement points:

Computers or network access devices that use NAP or can be used with NAP to require the evaluation of a NAP clients health state and provide restricted network access or communication.Enforcement points use a Network Policy Server (NPS). (NPS is the replacement for the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy provided with Windows Server 2003), acting as a NAP health policy server to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that noncompliant NAP clients must perform.

Health Registration Authority (HRA) A computer running Windows Server 2008 and Internet Information Services (IIS) that obtains health certificates from a certification authority (CA) for compliant NAP clients.

Network access devices Ethernet switches or wireless access points (APs) that support IEEE 802.1X authentication

VPN server

DHCP server

Computers running Windows Server 2008 and the NPS service that store health requirement policies and provide health state validation for NAP.

Health requirement servers: Computers that provide current system health state for NAP health policy servers. For example, a health requirement server for an antivirus program tracks the latest version of the antivirus signature file.

Active Directory Domain Services: Although not required for health state validation, Active Directory is required for Internet Protocol Security (IPsec) protected communications, 802.1X-authenticated connections, and remote access VPN connections.

Restricted network: A separate logical or physical network that contains:

Remediation servers: Network infrastructure servers and health update servers that NAP clients can access to remediate their noncompliant state.

NAP clients with limited access: Computers that are placed on the restricted network when they do not comply with health requirement policies.

Non-NAP-capable computers: Optionally, computers that do not support NAP can be placed on the restricted network

System Health Agents and System Health Validators

System health agents (SHAs) on NAP clients and system health validators (SHVs) on NAP health policy servers provide health state tracking and validation for attributes of system health. Windows Vista and Windows XP SP3 include a Windows Security Health Validator (SHV), that monitors the settings of the Windows Security Center. Windows Server 2008 includes the corresponding Windows Security Health Validator (SHV.)

An SHA creates a statement of health (SoH) that contains the current status information about the attribute of health being monitored by the SHA. Whenever an SHA updates its status, it creates a new SoH. To indicate its overall health state, a NAP client uses a System Statement of Health (SSoH), which includes version information for the NAP client and the set of SoHs for the installed SHAs. When the NAP client validates its system health, it passes its SSoH to the NAP health policy server for evaluation through a NAP enforcement point. The NAP health policy server uses the SSoH, its installed SHVs, and its health requirement policies to determine whether the NAP client is compliant with system health requirements, and if it is not,what actions that must be taken.

Each SHV produces a statement of health response (SoHR), which can contain remediation instructions. Based on the SoHRs from the SHVs and the configured health requirement policies, the NAP health policy server creates a System Statement of Health Response (SSoHR), which indicates whether the NAP client is compliant or noncompliant and includes the set of SoHRs from the SHVs. The NAP health policy server passes the SSoHR back to the NAP client through a NAP enforcement point. The NAP client passes the SoHRs to its SHAs. The noncompliant SHAs automatically remediate their health state and create updated SoHs, and the health validation process begins again.

Enforcement Methodes

A computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection,to an authenticating Ethernet switch or an IEEE 802.11 wireless AP. For noncompliant computers, network access is limited through a restricted access profile placed on the connection by the Ethernet switch or wireless AP. With 802.1X enforcement, health policy requirements are enforced every time a computer attempts an 802.1X-authenticated network connection. 802.1X enforcement also actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant. Components of 802.1X enforcement consist of NPS in Windows Server 2008 and an EAPHost EC in Windows Vista, Windows XP SP3, and Windows Server 2008.

With VPN enforcement, a computer must be compliant to obtain unlimited network access through a remote access VPN connection. For noncompliant computers, network access is limited through a set of IP packet filters that are applied to the VPN connection by the VPN server. With VPN enforcement, health policy requirements are enforced every time a computer attempts to obtain a remote access VPN connection to the network. VPN enforcement also actively monitors the health status of the NAP client and apply the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant.

Components of VPN enforcement consist of NPS in Windows Server 2008 and a VPN Enforcement Client (EC) that is part of the remote access client in Windows Vista, Windows XP SP3, and Windows Server 2008. VPN enforcement provides strong limited network access for all computers accessing the network through a remote access VPN connection.

With DHCP enforcement, a computer must be compliant to obtain an IPv4 address configuration that has unlimited network access from a DHCP server. For noncompliant computers, network access is limited by an IPv4 address configuration that allows limited access only to the restricted network. With DHCP enforcement, health policy requirements are enforced every time a DHCP client attempts to lease or renew an IPv4 address configuration. DHCP enforcement also actively monitors the health status of the NAP client and renews the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant. The components of DHCP enforcement consist of a DHCP Enforcement Server (ES) that is part of the DHCP Server service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in Windows Vista, Windows XP SP3, and Windows Server 2008. Because DHCP enforcement relies on a limited IPv4 address configuration that can be overridden by a user with administrator-level access, it is a weak form of limited network access in NAP.

With IPsec enforcement, a computer must be compliant to initiate communications with other compliant computers on an intranet in a server isolation or domain isolation IPsec deployment, which require that incoming communications be protected with IPsec. Components of IPsec enforcement consist of an IPsec ES on an HRA running Windows Server 2008 and an IPsec EC in Windows Vista, Windows XP SP3. The HRA obtains X.509-based health certificates for NAP clients when they prove that they are compliant. You can also configure TS Gateway servers and clients to use Network Access Protection (NAP).

Changes in NAP and NPS in Windows Server 2008 R2

NPS server configuration templates: Makes it easier to configure certain elements and synchronize configuration elements across multiple servers

Multi-SHV configuration: Allows multiple policies to be configured in a single SHV

Accounting Wizard: Ability to easily set up and log health results to a SQL server and fail over capability Migration path from Windows Server 2003 IAS to Windows Server 2008 (R2) NPS Server

NAP client user interface updates to integrate with Windows Action Center. NAP, built into Windows Server 2008 R2 and Windows 7, can be used with DirectAccess to verify that client computers meet your system health requirements, such as having security updates and anti-malware definitions installed, before allowing them a DirectAccess connection.