Network Access Protection


Published: October 18, 2007


Network Access Protection (NAP) is a policy enforcement platform built into the Windows Vista and Windows Server 2008 operating systems that allows you to better protect network assets by enforcing compliance with system health requirements.

Computer Health Requirements

You are faced with the challenge of ensuring that computers that connect to and communicate on your network are compliant with system health requirements. For example, compliant computers have the correct security software installed (such as antivirus protection), the current operating system updates, and the correct configuration (such as host-based firewalls enabled). This challenge is made daunting by the portable nature of laptop computers that can roam to various Internet hotspots and other private networks, and the use of remote access connections made from home computers. If a connecting computer is not compliant, it can expose your network to attacks by malicious software such as network-level viruses and worms. To provide protection against noncompliant computers, you need to do the following:

  • Centrally configure a set of policies that specify requirements for system health.
  • Verify system health before allowing unlimited access to the private network or to private network resources.
  • Limit the network access of noncompliant computers to a restricted network containing resources to return the noncompliant computer to a compliant state.

NAP provides components and an infrastructure that help you validate and enforce compliance with system health policies for network access and communication.

Health Policy Validation

When a user attempts to connect to your network, Network Access Protection validates the computer’s health state against the health policies that you have defined. You can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with health policies, but the compliance state of each computer is logged. In a restricted access environment, computers that comply with the health policies are allowed unlimited access to the network, but computers that do not comply with health policies or that are not compatible with Network Access Protection have their access limited to a restricted network. In both environments, computers that are compatible with Network Access Protection can automatically become compliant, and you can define exceptions to the validation process. Network Access Protection also includes migration tools to make it easier for you to define exceptions that best suit your network needs.

Health Policy Compliance

You can help ensure compliance with health policies by choosing to automatically update noncompliant computers with the missing requirements through management software, such as Microsoft Systems Management Server. In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In a restricted access environment, computers that do not comply with health policies have limited access until the software and configuration updates are completed. Again, in both environments, computers that are compatible with Network Access Protection can automatically become compliant, and you can define policy exceptions.

Limited Network Access

You can protect network assets by limiting the access of computers that do not comply with health policy requirements. You define the level of access noncompliant computers have: whether it is limited to a restricted network, to a single resource, or to no internal resources at all, and for how long. If you do not configure health update resources, the limited access lasts for the duration of the connection. If you configure health update resources, the limited access lasts only until the computer is brought into compliance. You can use monitoring-only and restricted access in different parts of your network and configure exceptions for both.
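The decision logic described in the three sections above (health policy validation, compliance and remediation, and limited network access), as an added illustration in Python; this is not code from the page or from NAP itself. It models a simplified health policy server: the statement-of-health fields, the policy requirements, the exception list, the `remediation_configured` flag and the `remediate` helper are assumptions made for the example, not NAP's real formats or APIs.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    MONITORING_ONLY = "monitoring-only"      # log compliance state, never restrict
    RESTRICTED_ACCESS = "restricted-access"  # limit noncompliant and NAP-incapable hosts


class Access(Enum):
    FULL = "full"
    RESTRICTED = "restricted"  # remediation network only


@dataclass
class StatementOfHealth:
    """Health state a client reports (constructed fields, not the real SoH format)."""
    host: str
    nap_capable: bool = True
    antivirus_on: bool = False
    firewall_on: bool = False
    updates_current: bool = False


@dataclass
class HealthPolicy:
    """The centrally configured requirements (assumed set of three checks)."""
    require_antivirus: bool = True
    require_firewall: bool = True
    require_updates: bool = True

    def failures(self, soh: StatementOfHealth) -> list[str]:
        """Return the requirements the reported health state does not meet."""
        missing = []
        if self.require_antivirus and not soh.antivirus_on:
            missing.append("antivirus")
        if self.require_firewall and not soh.firewall_on:
            missing.append("firewall")
        if self.require_updates and not soh.updates_current:
            missing.append("updates")
        return missing


@dataclass
class Decision:
    host: str
    access: Access
    compliant: bool
    failures: list[str]
    reason: str
    restricted_until: str | None = None  # "compliant" or "disconnect"


@dataclass
class HealthPolicyServer:
    mode: Mode
    policy: HealthPolicy
    exempt_hosts: set[str] = field(default_factory=set)
    remediation_configured: bool = True  # health update resources reachable from the restricted network
    audit_log: list[str] = field(default_factory=list)

    def evaluate(self, soh: StatementOfHealth) -> Decision:
        # Exceptions bypass validation entirely, in both modes.
        if soh.host in self.exempt_hosts:
            return self._record(Decision(soh.host, Access.FULL, True, [], "exception"))
        if not soh.nap_capable:
            failures, compliant = ["nap-incapable"], False
        else:
            failures = self.policy.failures(soh)
            compliant = not failures
        if compliant:
            return self._record(Decision(soh.host, Access.FULL, True, [], "compliant"))
        # Monitoring-only: access is granted anyway, but the noncompliance is logged.
        if self.mode is Mode.MONITORING_ONLY:
            return self._record(Decision(soh.host, Access.FULL, False, failures, "monitoring-only"))
        # Restricted access: limited until remediated if update resources exist, otherwise
        # for the whole connection. A NAP-incapable host cannot report a new health state,
        # so its restriction also lasts the connection (modelling assumption).
        until = "compliant" if self.remediation_configured and soh.nap_capable else "disconnect"
        return self._record(Decision(soh.host, Access.RESTRICTED, False, failures, "noncompliant", until))

    def _record(self, d: Decision) -> Decision:
        # Every decision is logged; in monitoring-only mode this log is the whole point.
        self.audit_log.append(
            f"{d.host} compliant={d.compliant} access={d.access.value} "
            f"reason={d.reason} failures={','.join(d.failures) or '-'}"
        )
        return d


def remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """Simulate management software bringing the host into compliance (assumed, not SMS/WSUS behaviour)."""
    return StatementOfHealth(soh.host, soh.nap_capable, True, True, True)


if __name__ == "__main__":
    server = HealthPolicyServer(Mode.RESTRICTED_ACCESS, HealthPolicy(), exempt_hosts={"printer-srv"})
    laptop = StatementOfHealth("laptop1", antivirus_on=True, updates_current=True)  # firewall off
    first = server.evaluate(laptop)            # restricted until compliant
    second = server.evaluate(remediate(laptop))  # full access after remediation
    print("\n".join(server.audit_log))
```

The same host is evaluated twice in the usage block: once with the firewall disabled, which lands it on the restricted network, and once after the simulated remediation, which returns full access. Switching the server to `Mode.MONITORING_ONLY` keeps the same log entries but never changes the access decision, which is the distinction the text draws between the two environments.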