4sysops discusses the new Windows Server 2008 NAP (Network Access Protection) infrastructure, acknowledging that its many components can be confusing while reminding administrators that it is a must-have link in an ever-growing chain of essential server systems.
Network Access Protection (NAP) is certainly one of the most interesting new features of Windows Server 2008. It is a complex feature made up of many different components.
NAP definition
NAP is a so-called Network Access Control (NAC) solution. It limits the network access of computers based on predefined health requirements.
Windows Security Health Validator (SHV) policy
The SHV policy defines the aforementioned health requirements. NAP supports the following health requirements: the desktop firewall is enabled, virus protection is on and up to date, the anti-spyware application is on and up to date, and automatic updating is enabled. Each SHV has a corresponding SHA on the client side. This is where you define the health requirements for your whole network.
NAP enforcement methods
NAC solutions can be distinguished according to their methods of enforcing compliance with the health requirements.
DHCP enforcement
DHCP enforcement allows you to specify special scope options for non-compliant machines that don't fulfill your SHV policy.
VPN enforcement
Non-compliant clients connecting to the corpnet using the Windows VPN client can be quarantined to a restricted network by applying packet filters.
802.1X enforcement
If your network switches support 802.1X authentication and allow VLAN assignment according to RADIUS attributes, then you can use this method to quarantine non-compliant clients to a certain VLAN.
IPsec enforcement
Compliant NAP clients receive a health certificate from a certification authority, and only computers holding such a certificate can authenticate IPsec connections to other compliant hosts.
TS Gateway enforcement
TS Gateway is a new feature of Windows Server 2008 Terminal Services. It allows the use of RDP over HTTPS to establish an encrypted connection to a terminal server.
Automatic remediation
Non-compliant computers can be automatically remediated. For example, NAP can automatically turn on Windows Firewall if you configured this as a health requirement.
Ongoing compliance
NAP checks continuously whether NAP clients comply with the SHV policy.
NAP client
Windows XP will support NAP when SP3 comes out. Windows Vista and Windows Server 2008 already come with built-in NAP clients. The NAP client consists of three layers: the System Health Agents (SHA), the NAP Agent, and the Enforcement Clients (EC). There are also APIs allowing third-party vendors to integrate their own SHAs and ECs in Microsoft’s NAP infrastructure.
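The health requirements listed under the SHV policy are reported by the SHAs on the client side. As an added example (not from the 4sysops post), the following PowerShell script approximates those four Windows SHV checks on the local machine, so an administrator can predict which clients a policy would quarantine before enforcement is switched on. It assumes the HNetCfg.FwPolicy2 and Microsoft.Update.AutoUpdate COM objects, the root\SecurityCenter2 WMI namespace (client SKUs only), and the commonly documented productState encoding.

```powershell
# Added example, not part of the 4sysops post: approximates the four Windows SHV
# health checks on the local machine, so an administrator can predict which
# clients a NAP policy would quarantine before enforcement is switched on.
# Assumptions: HNetCfg.FwPolicy2 and Microsoft.Update.AutoUpdate COM objects
# (Vista/2008 and later) and the root\SecurityCenter2 WMI namespace, which
# exists on client SKUs only, so AV/anti-spyware are reported as Unknown on servers.

function Test-NapHealth {
    $result = @{}

    # Desktop firewall: must be enabled on every currently active profile
    # (1 = Domain, 2 = Private, 4 = Public; CurrentProfileTypes is a bit mask).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $active = $fw.CurrentProfileTypes
    $fwOn = $true
    foreach ($p in 1, 2, 4) {
        if (($active -band $p) -ne 0 -and -not $fw.FirewallEnabled($p)) { $fwOn = $false }
    }
    $result['FirewallEnabled'] = $fwOn

    # Automatic updating: NotificationLevel 0 = not configured, 1 = disabled,
    # 2..4 = some form of automatic checking/download/install is enabled.
    $level = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel
    $result['AutomaticUpdating'] = ($level -ge 2)

    # Virus protection and anti-spyware: Security Center productState is a 24-bit
    # value; the middle byte 0x10 means "enabled" and the low byte 0x00 means
    # "definitions up to date" (assumed encoding, widely documented but not formal).
    foreach ($cls in 'AntiVirusProduct', 'AntiSpywareProduct') {
        try {
            $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $cls -ErrorAction Stop
            $ok = $false
            foreach ($prod in @($products)) {
                $hex = '{0:X6}' -f [int]$prod.productState
                if ($hex.Substring(2, 2) -eq '10' -and $hex.Substring(4, 2) -eq '00') { $ok = $true }
            }
            $result[$cls] = $ok
        } catch {
            $result[$cls] = 'Unknown'   # namespace missing (server SKU) or query failed
        }
    }

    New-Object PSObject -Property $result
}

# Any $false value is a requirement the Windows SHV would report as failed.
Test-NapHealth | Format-List
```

Run it on a representative client before enabling enforcement; a $false entry means that machine would land in the restricted network (or be auto-remediated, if you configured that) once the corresponding requirement is enabled in the SHV policy.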