
Vista's Network Access Protection (NAP) helps keep 'unhealthy' computers off your LAN

Network Access Protection helps you ensure that the computers that connect to your network meet health status requirements, reducing the risk that they'll introduce viruses or serve as the conduit for attacks and exploits. Computers that don't meet your health criteria (e.g., updated and protected by a firewall, antivirus, and anti-spyware software) can be connected to a remediation server, to be brought into compliance.


In today's mobile world, users connect to the company LAN from their homes or when on the road via VPN; they bring their personal laptops to the office; and they may use other systems that could pose a threat to the network. As a result, businesses must be able to control which computers can access their networks.

Computers on your network should have the latest security updates and service packs to fix known vulnerabilities, and they must be protected against viruses and malicious software. The computers connected to your LAN while they're on the Internet must also have personal firewalls installed and be properly configured. These measures help ensure the "health" of the computers in your network environment.

There are various ways to monitor the health status of remote access computers. Microsoft's Network Access Quarantine Control (NAQC) in Windows Server 2003, for instance, can quarantine computers attempting to connect over a VPN or dialup connection if administrator-specified health criteria aren't met--but it's difficult to implement and requires you to write custom scripts and use command-line tools. Another limitation is that third-party applications can't participate in policy decisions. Cisco's Network Admission Control (NAC) serves a similar function, but a NAC appliance is costly.

Microsoft is addressing this need by building into the Windows Vista client and Longhorn Server a new feature called Network Access Protection (NAP), which can be deployed without extra cost to provide the same functionality--and more. NAP's scope is expanded to cover all systems that connect to your LAN, not just remote access clients, and it can enforce many types of policies. The NAP platform also provides APIs that can be used by third-party developers.

How it works

NAP support is included with Vista and Longhorn Server, and a NAP client for Windows XP with SP2 is expected to be available when Longhorn Server is released. The XP NAP client is in beta testing at the time of this writing.

The NAP platform consists of a number of components working together:

  • The Network Policy Server (NPS). This is a Longhorn Server, and its NAP services are made up of two parts: the NAP Administration Server and the NAP Enforcement Server. Network access information for user and computer accounts is stored in the Active Directory. The System Health Validator (SHV) runs on the NAP server and communicates with a component called the Policy Server. NPS is Longhorn Server's replacement for the Internet Authentication Service (IAS) in Windows Server 2003, thus it is a RADIUS server and proxy. It functions as a policy server working with NAP ES and EC components. The NAP servers and access devices are RADIUS clients to the NPS server. NPS authenticates attempted network connections and then determines whether the computer is compliant with health policies, limiting the access of computers that are not.
  • A Health Registration Authority (HRA). This is a Longhorn Server that runs IIS and Windows Certificate Services and is needed if you want to use health certificates obtained from a CA.
  • Remediation server(s). This is a server or servers on which resources reside that noncompliant clients can use to come into compliance. The remediation servers are available on the restricted network so that noncompliant clients, which are not allowed full network access, can still connect to them.
  • NAP clients. The System Health Agents (SHAs) run on the NAP clients.

The SHAs on the clients contain information about the clients' health status. This is submitted to the NPS server as a Statement of Health (SoH). The SHV on the server communicates with the Policy Server to validate the SoH and determines whether the SoH meets the criteria to comply with your policy requirements. Alternatively, a health certificate can be obtained from an HRA and used in the place of an SoH to prove compliance.

If a computer is found to be noncompliant, it can be given access to a restricted network. This network contains remediation servers. The client uses the resources on these servers to gain compliance. For instance, a remediation server might contain the virus definition files needed to bring the client up to date, or it might be a software update server with the required service packs or security fixes that the client is lacking. Once the client has been updated, a new SoH can be submitted.

You can create remediation server groups to specify the remediation servers (by DNS name or IP address). There is a wizard that takes you through the steps of creating a group. You can have different groups for different enforcement technologies.

You can specify that noncompliant computers that are only allowed access to the restricted network be directed to a Web site where they can get information on how to become compliant, as shown in Figure A.

Figure A

You can direct noncompliant computers to a Web site on the restricted network.

Using NAP

When NAP is deployed on your network, you can create health policies that define criteria each computer must meet in order to connect. NAP can control the access of:

  • "Unmanaged" computers--those that administrators don't have physical access to because users are connecting from home or from the road. These systems often are not owned by the company, so you can't be sure that the proper updates, antivirus, firewalls, etc., are installed and properly configured.
  • Visiting and roaming portable computers--these may be company-owned or owned by employees or they may belong to people from other organizations who are working onsite on your network. Because they leave your site, their health status can change or updates may be neglected when they're away.
  • Onsite desktop computers--even though you have more control over these company-owned systems that don't leave the premises, you still need a way to ensure that they are all properly configured and updated and that users haven't disabled important protective mechanisms.

Note that NAP itself doesn't perform the verification of a computer's compliance with your policies; this is done by System Health Agents (SHAs) and System Health Validators (SHVs) that work in conjunction with NAP. The SHV dialog box, shown in Figure B, lets you set these health policies:

  • Systems must have the latest service packs and security updates applied.
  • Windows Automatic Updates must be turned on.
  • Systems must have antivirus software installed, enabled, and up to date.
  • Systems must have anti-spyware protection installed, enabled, and up to date.
  • Systems must have personal firewall software turned on and properly configured for all network connections.

Figure B

You can select health criteria to enforce using these check boxes.
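
A minimal model of the health-check loop described above (SoH submission, SHV validation, restricted access, remediation, resubmission), added here as an illustration; it is not Microsoft's code or the NAP API. The criterion names, host names and the fail-closed handling of unreported checks are assumptions of this example.

```python
# Model of the NAP health-check loop: SoH -> SHV validation -> access decision
# -> remediation -> new SoH. Names are illustrative, not NAP API identifiers.

# The five health criteria from the SHV dialog box described above.
CRITERIA = ("updates_current", "auto_updates_on", "antivirus_ok",
            "antispyware_ok", "firewall_on")

def validate(soh, required):
    """SHV role: list the required checks the SoH fails.

    A check missing from the SoH counts as failed (fail closed);
    that is a design choice of this example.
    """
    unknown = set(required) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria in policy: {sorted(unknown)}")
    return sorted(c for c in required if soh.get(c) is not True)

def decide(soh, required, remediation_groups):
    """NPS role: full access if compliant, otherwise the restricted network
    plus the remediation servers that can fix the failed checks."""
    failed = validate(soh, required)
    if not failed:
        return {"access": "full", "failed": [], "remediate_at": []}
    servers = sorted({s for c in failed for s in remediation_groups.get(c, [])})
    return {"access": "restricted", "failed": failed, "remediate_at": servers}

def remediate(soh, decision, remediation_groups):
    """Client role: fix only the checks a remediation server covers,
    then return the new SoH to submit."""
    new_soh = dict(soh)
    for check in decision["failed"]:
        if remediation_groups.get(check):
            new_soh[check] = True
    return new_soh

# Constructed sample data (hypothetical host names).
REQUIRED = {"updates_current", "antivirus_ok", "firewall_on"}
GROUPS = {"updates_current": ["updates.restricted.example"],
          "antivirus_ok": ["av-defs.restricted.example"]}
LAPTOP_SOH = {"updates_current": True, "antivirus_ok": False,
              "auto_updates_on": False}   # firewall_on is not reported

if __name__ == "__main__":
    first = decide(LAPTOP_SOH, REQUIRED, GROUPS)
    print(first)
    second = decide(remediate(LAPTOP_SOH, first, GROUPS), REQUIRED, GROUPS)
    print(second)   # still restricted: no group in GROUPS covers firewall_on
```

The sample client stays on the restricted network after its first remediation pass because the unreported firewall check has no remediation group, which is the case a policy review should look for before enforcement is switched on.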

Enforcement technologies

NAP supports various enforcement mechanisms that limit the access of computers found to be noncompliant. You can use one, all, or some of them, with the Longhorn NPS Server acting as the Policy Server. There are four enforcement technologies:

  • IPSec enforcement uses an IPSec NAP enforcement client (EC) working in conjunction with the HRA. The HRA issues X.509 certificates, which are used to authenticate NAP clients when they attempt to make secure connections with other NAP clients. Only compliant computers are allowed to communicate. IPSec is the strongest enforcement method.
  • 802.1x enforcement uses an NPS server in conjunction with an EAPHost NAP enforcement client. When a noncompliant computer attempts to connect, the NPS server tells the 802.1x access point to put a restricted access profile (which is a set of packet filters or a VLAN ID) on the client to confine it to the restricted network. 802.1x is a strong enforcement method.
  • VPN enforcement uses a VPN NAP enforcement service and a VPN NAP enforcement client. The VPN server enforces your health policies when a computer attempts to make a VPN connection. VPN enforcement is a strong enforcement method but is limited to VPN clients.
  • DHCP enforcement uses a DHCP NAP enforcement server and a DHCP NAP enforcement client. The DHCP server enforces the health policy whenever a computer leases or renews its IP address. DHCP enforcement uses IP table entries; it's the weakest form of enforcement.

Summary

With NAP in Longhorn Server and Vista/XP clients, network administrators have much more control over which computers can connect to the local network. They can also ensure that those computers that do come onto the network meet health status requirements to reduce the risk that they'll introduce viruses or serve as the conduit for attacks and exploits. Not only are noncompliant systems denied access to the full network, they are also provided with a way to become compliant so that their users can connect and get their work done.

Glossary

  • NAP: Network Access Protection, a technology built into Longhorn Server and Windows Vista to provide a way for administrators to check the health status of computers attempting to connect to the network and to quarantine those that are noncompliant by using specified policies until they obtain compliance.
  • NPS: Network Policy Server, which replaces Windows Server 2003's RADIUS implementation (IAS). It authenticates clients and works with NAP enforcement servers and enforcement clients to determine whether clients are compliant with network health requirements.
  • HRA: Health Registration Authority, a Windows Longhorn Certification Authority (CA) that issues health certificates that can be used to prove compliance with health policies.
  • Remediation server: A server on the restricted network that can be accessed by noncompliant computers and which contains resources that can be used to gain compliance.
  • SHA: System Health Agent, the component that runs on the NAP client and gathers information about the computer's health status, which it reports to the SHV via an SoH.
  • SHV: System Health Validator, the component that runs on the NAP server, which communicates with the Policy Server to determine whether the SoH submitted by a client complies with your health policies.
  • SoH: Statement of Health, a report on a computer's health status that is submitted to the SHV on the NAP server by the SHA on the NAP client.
  • EC: NAP enforcement client, the "client piece" of each of the NAP enforcement technologies.
  • ES: NAP enforcement server, the "server piece" of each of the NAP enforcement technologies.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

9 comments
BALTHOR

That the invading hacker computer and virus are running at 450 trillion plus cps!

georgelawlor16

The Idea is great, the implementation is pure MS. This looks more like a way to force users to keep the MS auto-upgrade connected and turned on all the time thus giving MS another tool to look for illegal system and other software. The system and LAN overhead on this NAP must be enormous. Where's the simple easy to apply stuff; MAC address filtering, IP address filtering, application filtering? George

Justin Fielding

NAP is all very nice in theory but until Longhorn is out and stable for production use, NAP isn't any use at all.

JodyGilbert

Have you had problems with employees and partners connecting to your network with unpatched or misconfigured computers? How well do you think NAP is likely to work in resolving those issues?

NKX

It is odd that a computer can be considered "managed" and therefore "trusted" just because it's running the latest Windows updates and has the latest AV signature files. What about Domain membership, OS Tagging, etc.? I would like to use a feature like NAP to stop computers that are not part of our domain from connecting to the network. In its current form, I just can't see a good use for it. Especially as the XP client and Server 2008 are so far away.

Ptero.4

Actually george. M$ have an even more sinister plan of Network access protection. They're planning to use it to make it impossible to connect Linux PCs to a Windoze Vista network, and maybe in the future lock Macs out too.

brucehopkins

This is an interesting enhancement. Won't be of use until Longhorn is ready, but still something interesting. It's great to see MS getting behind this as it's been available for a while through Cisco's Clean Access or Enterasys's Sentinel products. Glad to see MS taking some responsibility for building this type of functionality into the core of the OS. Now let's start working on some better management tools for the firewalls and the ability to deny or allow access through the firewall based on Group membership. Bruce

brucehopkins

Come on Ptero.4. What would be the benefit of this with MS? MS has actually done a better job of embracing Linux over the past few years. Have you heard of their deal with Suse? There are places where Linux makes sense and places where it does not in corporate networks. I see you are listed as a student. Start thinking for yourself before you go out into the real world. There are places for both these OS's as well as AIX, Solaris and a host of others. Just depends on what you are trying to accomplish. I for one would never want to support a bunch of users on Linux. It would not be fun.

Ambercroft

Given that a large portion of the internet is run by *nix systems, would that mean that M$ is locking Windows off the internet? Off your LAN...