10/9/2008 6:42:49 AM

Przemek Radzikowski

Network Access Protection (NAP) an Introduction

With the release of Windows Server 2008, Network Access Protection (NAP) has finally hit the mainstream and is now able to deliver a solid security offering to clients of all sizes. This article will quickly discuss the background behind NAP operation.



NAP: Introduction

Network Access Protection (NAP) for Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 provides components and an application programming interface (API) that help administrators enforce compliance with health requirement policies for network access or communication. With NAP, developers and administrators can create solutions for validating computers that connect to their networks, provide needed updates or access to needed health update resources, and limit the access or communication of noncompliant computers.

The enforcement features of NAP can be integrated with software from other vendors or with custom programs. Administrators can customize the health maintenance solution they develop and deploy, whether for monitoring the computers accessing the network for health policy compliance, automatically updating computers with software updates to meet health policy requirements, or limiting the access of computers that do not meet health policy requirements to a restricted network.

NAP is not designed to protect a network from malicious users. It is designed to help administrators automatically maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer has all the software and configuration settings that the health policy requires, the computer is compliant and will be allowed unlimited access to the network. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.

Aspects of NAP

NAP has three important and distinct aspects:

  • Health state validation
    When a computer attempts to connect to the network, the computer’s health state is validated against the health requirement policies as defined by the administrator. Administrators can also define what to do if a computer is not compliant. In a monitoring-only environment, all computers have their health state evaluated and the compliance state of each computer is logged for analysis. In a limited access environment, computers that comply with the health requirement policies are allowed unlimited access to the network. Computers that do not comply with health requirement policies can have their access limited to a restricted network.
  • Health policy compliance
    Administrators can help ensure compliance with health requirement policies by choosing to automatically update noncompliant computers with missing software updates or configuration changes through management software, such as Microsoft Systems Management Server. In a monitoring-only environment, computers will have access to the network before they are updated with required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are completed. In both environments, computers that are compatible with NAP can automatically become compliant and administrators can define exceptions for computers that are not compatible with NAP.
  • Limited access
    Administrators can protect their networks by limiting the access of noncompliant computers, as defined by the administrator. Limited network access can be based on a specific amount of time or on what the noncompliant computer can access. In the latter case, administrators define a restricted network containing health update resources and the limited access will last until the noncompliant computer is brought into compliance. Administrators can also configure exceptions so that computers that are not compatible with NAP do not have their network access limited.

The NAP platform is not the same as Network Access Quarantine Control, which is a capability provided with Windows Server 2003 to provide additional protection for remote access (dial-up and virtual private network [VPN]) connections. For more information, see Network Access Quarantine Control in Windows Server 2003 at

Scenarios for NAP

NAP helps provide a solution for the following common scenarios:

  • Verifying the health state of roaming laptops
    Portability and flexibility are two primary advantages of laptops, but these features also present a health threat. Company laptops frequently leave and return to the company network. While laptops are away from the company, they might not receive the most recent software updates or configuration changes. Laptops might also become infected while they are exposed to unprotected networks such as the Internet. 
  • Verifying the health state of desktop computers
    Although desktop computers do not usually leave the premises, they still can present a threat to a network. To minimize this threat, administrators must maintain these computers with the most recent updates and required software. Otherwise, these computers are at risk of infection from Web sites, e-mail, files from shared folders, and other publicly accessible resources. By using NAP, network administrators can automate health state checks to verify each desktop computer’s compliance with health requirement policies. 
  • Verifying the health state of visiting laptops
    Organizations frequently need to allow consultants, business partners, and guests to connect to their private networks. The laptops that these visitors bring might not meet system health requirements and can present health risks. 
  • Verifying the health state of unmanaged home computers
    Unmanaged home computers that are not a member of the company’s Active Directory Domain Services domain can connect to a managed company network through a VPN connection. Unmanaged home computers provide an additional challenge to administrators because they do not have physical access to these computers. Lack of physical access makes enforcing compliance with health requirements, such as the use of antivirus software, even more difficult.

Depending on their needs, administrators can configure a solution to address any or all of these scenarios for their networks.

Components of NAP

NAP is an extensible platform that provides infrastructure components and an API for adding components that verify and amend a computer’s health and enforce various types of network access or communication. The following sections describe some of the components of the NAP infrastructure to facilitate a basic understanding of NAP processes.

  • System Health Agents and System Health Validators
    Components of the NAP infrastructure known as system health agents (SHAs) and system health validators (SHVs) provide health state tracking and validation. Windows Vista and Windows XP Service Pack 3 include a Windows Security Health Validator SHA that monitors the settings of the Windows Security Center. Windows Server 2008 includes a corresponding Windows Security Health Validator SHV.
  • Enforcement Components and Methods
    Components of the NAP infrastructure known as enforcement clients (ECs) and enforcement servers (ESs) require health state validation and enforce limited network access for noncompliant computers for specific types of network access or communication. Windows Vista, Windows XP Service Pack 3, and Windows Server 2008 include NAP support for the following types of network access or communication:

    • Internet Protocol security (IPsec)-protected traffic
    • IEEE 802.1X-authenticated network connections
    • Remote access VPN connections
    • Dynamic Host Configuration Protocol (DHCP) address configurations
    • Terminal Server (TS) Gateway connections

    These types of network access or communication are known as NAP enforcement methods. Administrators can use them separately or together to limit the access or communication of noncompliant computers.
  • Network Policy Server (NPS)
    NPS is a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2008. As a RADIUS server, NPS provides authentication, authorization, and accounting (AAA) services for various types of network access. For authentication and authorization, NPS uses Active Directory to verify user or computer credentials and obtain user or computer account properties when a computer attempts an 802.1X-authenticated connection or a VPN connection.
  • Remediation Servers
    Remediation servers consist of servers, services, or other resources that a noncompliant computer that has been placed on the restricted network can access. These resources might perform name resolution or store the most recent software updates or components needed to make a noncompliant computer meet system health requirements. For example, a Domain Name System (DNS) server, an antivirus signature file server, and a software update server could all be remediation servers. An SHA can communicate with a remediation server directly or use the facilities of installed client software.
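The enforcement methods listed above map to enforcement clients on each NAP client. The following is an added example, not code from the original article or from Microsoft, showing how an administrator would check and configure that client side from an elevated PowerShell prompt on a Windows Vista or Windows Server 2008 machine; the enforcement client IDs are the documented Microsoft values, while the choice to enable only DHCP and IPsec is an assumption made for this example.

```powershell
# Added example (not from the original article): inspect and configure the NAP
# client for the enforcement methods the article lists. Run from an elevated
# PowerShell prompt on a NAP-capable client (Windows Vista / Server 2008).

# Enforcement client (EC) IDs as registered with the NAP Agent service.
$enforcementClients = @{
    DHCP      = 79617   # DHCP Quarantine Enforcement Client
    IPsec     = 79619   # IPsec Relying Party
    EAP8021X  = 79620   # EAP Quarantine Enforcement Client (802.1X)
    RemoteVPN = 79621   # Remote Access Quarantine Enforcement Client
    TSGateway = 79623   # TS Gateway Quarantine Enforcement Client
}

# 1. The NAP Agent service must be running before any SHA or EC does anything;
#    a stopped agent leaves the client unable to report health at all.
Set-Service -Name NapAgent -StartupType Automatic
Start-Service -Name NapAgent

# 2. Enable only the enforcement methods this network actually uses.
#    (Assumption for this example: DHCP and IPsec enforcement are deployed.)
foreach ($name in 'DHCP', 'IPsec') {
    $id = $enforcementClients[$name]
    netsh nap client set enforcement "ID=$id" "ADMIN=ENABLE"
}

# 3. Verify the result: the state output lists the enabled ECs and the
#    built-in SHA whose Windows Security Center data the NPS-side SHV evaluates.
netsh nap client show state
netsh nap client show configuration

# 4. When a machine lands on the restricted network and you need to see which
#    SHA reported it noncompliant, turn on verbose client tracing.
netsh nap client set tracing "state=enable" "level=verbose"
```

The ECs not enabled here stay disabled, so a client that is only expected to use DHCP enforcement does not silently start negotiating IPsec or 802.1X health checks.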


Microsoft's NAP is a mature product that is ready for general consumption without any worry about "early adoption bugs".


Network Access Quarantine Control in Windows Server 2003

Network Access Protection Architecture

Introduction to Network Access Protection


Updated: Monday, October 28, 2013


(c) Capitalhead Pty Ltd