Security Advisor

NAP Time

The much-improved Network Access Protection mechanism in Vista and Windows Server 2008 means it's now easier to ensure your network is safe from vulnerable computers.

• By Joern Wettern
• 07/01/2009

Network Access Protection (NAP) is a Windows mechanism that ensures that only computers meeting your security requirements are allowed access to your network. Using NAP can make your network significantly more secure. Unfortunately, when Microsoft first introduced it, NAP could only check for a few configuration settings and was rather difficult to implement. But NAP has grown up. Improvements in Windows Vista and Windows Server 2008 have combined to make it possible to get started with a full-scale NAP deployment fairly easily.

NAP Basics
To enforce security requirements for all computers that connect to your network, NAP needs to be able to control access regardless of how the computers connect. This requires a gatekeeper that can control VPN connections, DHCP address assignments, connections to both wired and wireless switches and other access methods. Microsoft covers this by letting you configure a variety of "Enforcement Points" that act as gatekeepers to your network. Possible Enforcement Points include VPN or DHCP Servers running Windows Server 2008; a Web server that can issue certificates for a certification authority; and 802.1x-compliant wireless and wired switches.

The Enforcement Point's job is easy: When a client connects, it's prompted to respond as to whether or not it meets all the requirements of your security policy. The Enforcement Point simply forwards the results, called the health status, to a Network Policy Server (NPS), which is Microsoft's implementation of a Remote Authentication Dial-In User Service (RADIUS) server.

Depending on the answer that the NPS returns, the Enforcement Point grants access to the network, denies it, or lets the client connect only to "remediation servers," which give access to resources that may be needed to fix the client's security deficiencies. A health policy server inspects the client's configuration information, compares it against your policy settings and then generates a response for the Enforcement Point.

Starting Your NAP
What makes NAP so appealing is that all current Microsoft client operating systems include the NAP client functionality that's required to do a health check, so you don't need to configure or install anything on your network clients. On the network side, NAP covers most network entry points. Don't be overwhelmed and think you need to cover all access methods from the beginning of your NAP project. Instead, enforce health checks on just one access point, such as a VPN server, and then gradually expand NAP to other Enforcement Points.

To get started, simply add the "Network Policy and Access Services" role to a server running Windows Server 2008. Then, run the NAP wizard to configure a policy that defines which types of clients should be checked and which remediation resources, if any, will be available. Next, you'll have to define System Health Validators (SHVs). These are the settings a client will need to report on, such as whether required patches or anti-virus software are installed.

Once the NPS server and the policies are in place, you'll need to configure the Enforcement Point. This consists of two parts: First, you'll need to make the Enforcement Point communicate with the NPS server. To do this, you'll need to configure it as a RADIUS client. Then, you'll need to configure how the Enforcement Point will respond to clients in the case of both a successful and a failed health check.

Extending NAP
Once you've set up NAP for one type of access, extending it to other connection types will be very straightforward. At that point, you should also explore additional SHVs from Microsoft and third parties that let you check more client health conditions than the SHVs included with Windows allow.

NAP may seem complex, but in reality it has become relatively easy to implement, especially if you take a gradual approach to deployment.