Security Advisor

NAP Time

The much-improved Network Access Protection mechanism in Vista and Windows Server 2008 makes it far easier to ensure that only computers meeting your health requirements connect to your network.

Network Access Protection (NAP) is a Windows mechanism that ensures that only computers meeting your security requirements are allowed access to your network. Using NAP can make your network significantly more secure. Unfortunately, its predecessor, Network Access Quarantine Control in Windows Server 2003, covered only remote access connections, could check just a handful of configuration settings through custom scripts, and was rather difficult to implement. But NAP has grown up. Improvements in Windows Vista and Windows Server 2008 combine to make a full-scale NAP deployment something you can start fairly easily.

NAP Basics
To enforce security requirements for all computers that connect to your network, NAP needs to be able to control access regardless of how the computers connect. This requires a gatekeeper that can control VPN connections, DHCP address assignments, connections to both wired and wireless switches, and other access methods. Microsoft covers this by letting you configure a variety of "Enforcement Points" that act as gatekeepers to your network. Possible Enforcement Points include VPN and DHCP servers running Windows Server 2008; a Health Registration Authority, which is a Web server that obtains health certificates from a certification authority on behalf of compliant clients (used for IPsec enforcement); and 802.1X-capable wired switches and wireless access points. Be aware that these are not equally strong: DHCP enforcement is bypassed by any client with a statically assigned IP address, so treat it as a pilot or a way to find non-compliant machines, not as a security boundary. 802.1X and IPsec enforcement are the options that actually keep an unhealthy client off the wire.

The Enforcement Point's job is simple: when a client connects, it asks the NAP client for a statement of health, the client's own report on whether it meets each requirement of your security policy. The Enforcement Point forwards that health status to a Network Policy Server (NPS), which is Microsoft's implementation of a Remote Authentication Dial-In User Service (RADIUS) server.

Depending on the answer that NPS returns, the Enforcement Point grants full access to the network, denies it, or lets the client reach only "remediation servers," which hold the resources (such as an update server or anti-virus signature server) the client needs to fix its security deficiencies. NPS is the health policy server in this exchange: it inspects the client's reported configuration, compares it against your health policies and then generates the response for the Enforcement Point.

Starting Your NAP
What makes NAP so appealing is that all current Microsoft client operating systems (Windows XP SP3, Vista and later) include the NAP client functionality required to do a health check, so there is nothing to install on your network clients. You do still have to turn it on: the Network Access Protection Agent service must be running, and the enforcement client that matches your Enforcement Point (DHCP, remote access, IPsec, 802.1X or TS Gateway) must be enabled, which is easiest to do centrally through Group Policy. On the network side, NAP covers most network entry points. Don't be overwhelmed and think you need to cover all access methods from the beginning of your NAP project. Instead, enforce health checks on just one access point, such as a VPN server, and then gradually expand NAP to other Enforcement Points.

To get started, add the "Network Policy and Access Services" role to a server running Windows Server 2008. Then run the NAP configuration wizard in the NPS console to create the connection request, network and health policies that define which types of clients are checked and which remediation resources, if any, are available to non-compliant ones. Next, configure the System Health Validators (SHVs). An SHV is the server-side component that evaluates the client's statement of health; the Windows Security Health Validator included with Windows Server 2008 can require that the Windows Firewall is on, that anti-virus and anti-spyware software are installed and up to date, that Automatic Updates is enabled and that required security updates are installed. Your health policies then state which SHV results count as compliant and which do not.

Once the NPS server and the policies are in place, you'll need to configure the Enforcement Point. This consists of two parts. First, make the Enforcement Point communicate with NPS by registering it as a RADIUS client on the NPS server, with a long, unique shared secret, and by pointing the Enforcement Point at NPS as its RADIUS server. Then configure how the Enforcement Point responds to clients after both a successful and a failed health check, for example which VPN filters or which restricted address scope a failing client receives.
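The following PowerShell session, an added example rather than anything from the original column, walks through the server-side and client-side steps above for a VPN pilot. The server name NPS1, the VPN server name VPN1 and its address 10.0.0.5 are assumptions; the shared secret is generated on the spot rather than taken from the page. The first half runs on the NPS server, the second on a pilot client.

```powershell
# Added example (not from the original column). Assumed values:
#   NPS server: NPS1   VPN Enforcement Point: VPN1 at 10.0.0.5
# Part 1 runs on NPS1 as an administrator; Part 2 runs on a pilot client.

#--- Part 1: register the VPN Enforcement Point as a RADIUS client on NPS ---

# The shared secret is what authenticates VPN1 to NPS, so make it long and
# random, and never reuse it between RADIUS clients. Letters and digits only,
# so that netsh parses the value cleanly. (Mapping bytes onto 62 characters
# has a small modulo bias; for a 40-character secret that is immaterial.)
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
$rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes    = New-Object byte[] 40
$rng.GetBytes($bytes)
$secret   = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

# Add VPN1 as a NAP-capable RADIUS client. The same secret must be entered
# on VPN1 when it is pointed at NPS1 as its RADIUS server.
netsh nps add client name = "VPN1" address = "10.0.0.5" sharedsecret = "$secret" state = "ENABLE" napcompatible = "YES"

# Confirm the registration, then record the secret in your password vault
# and clear it from the session.
netsh nps show client name = "VPN1"
Write-Host "Shared secret for VPN1 (store securely, then close this window): $secret"
Remove-Variable secret, bytes

#--- Part 2: on a pilot client, enable the NAP Agent and the matching enforcement client ---

# The NAP client is built into XP SP3, Vista and later, but it is off by default.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Enforcement client IDs: 79617 DHCP, 79618 Remote Access (VPN), 79619 IPsec,
# 79621 TS Gateway, 79623 EAP (802.1X). Enable only the one you are piloting.
netsh nap client set enforcement id = 79618 admin = "ENABLE"

# Verify: the agent should be running and the Remote Access enforcement client
# should be listed as enabled. A client that reports no enabled enforcement
# client will connect without ever being health-checked.
Get-Service -Name napagent
netsh nap client show state
netsh nap client show configuration
```

In a domain you would push Part 2 through Group Policy (Computer Configuration, Windows Settings, Security Settings, Network Access Protection) rather than running netsh on each machine; `netsh nap client show grouppolicy` on a client shows what policy has applied. Note that enabling an enforcement client on the PC does nothing by itself: the VPN server must also be configured to treat NPS1 as its RADIUS server and to apply the restricted-access filters for clients that fail the health check.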

Extending NAP
Once you've set up NAP for one type of access, extending it to other connection types is straightforward: the NPS policies and SHVs are reused, and only a new Enforcement Point and the matching client enforcement setting are added. At that point, you should also explore additional SHVs from Microsoft and third parties, which let you check client health conditions beyond what the Windows Security Health Validator covers.

NAP may seem complex, but in reality it has become relatively easy to implement, especially if you take a gradual approach to deployment.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
