SolutionBase: Find out what's coming with Microsoft's Network Access Protection

Even though Longhorn is still a long way off, some details are starting to emerge about features that you'll need to start preparing for. Here's a look at Microsoft's upcoming Network Access Protection feature.

With Windows Server 2003, Microsoft introduced Network Access Quarantine Control, which prevents remote clients from accessing the network unless and until they meet configuration criteria established by the administrator. At first glance, Microsoft's new Network Access Protection (NAP) technology sounds like the same thing: it, too, is designed to enforce compliance with network access policies and ensure that only those remote computers that meet your "health" standards will be allowed access. However, these are two different-- albeit related--technologies.

NAP is expected to be released with the server edition of Longhorn, Microsoft's next network operating system (currently scheduled for release sometime in 2007). It consists of operating system components and a set of APIs, to allow administrators and developers to create mechanisms for verifying that computers attempting to connect the network have the updates and configurations they need to access the network's resources without introducing security issues or threats. Using NAP will require Longhorn Server and clients will need to be running Windows XP SP2 or above.ï¿?? In this article, we'll take a look at how NAP works and how it will benefit your organization's network.

The need for NAP

Most administrators are cognizant of the threats posed by outsiders--strangers who can attack your network by hacking into it over the Internet. However, another important source of viruses and security breaches comes from users who legitimately connect to the LAN for authorized purposes, but do so from computers that haven't been properly secured. It only takes one system running without virus protection or the latest security updates to expose your entire network. Administrators generally have control over the computers that are physically wired to the LAN, but what about those that connect remotely, over a dialup or VPN connection?

Telecommuting from a home computer and calling in to the company network from a laptop while on the road are becoming more and more popular. With remote access technologies, workers no longer need to be at the office to get their work done. But if they aren't diligent about keeping their home systems and laptops protected and updated, they can unknowingly introduce a virus or attack surface when they connect. It's more difficult for administrators to know that the computers used for remote access have the latest service packs and security fixes applied, have anti-virus programs installed and running, and have personal firewalls installed and configured properly when they're connected to the Internet.

That's where NAP comes in. Despite its name, it doesn't directly protect your systems from malicious code and attacks. Instead, it enforces policies requiring that protective mechanisms be in place in order for the systems to access the LAN.

Although the remote connection scenario is a common usage of NAP, it isn't the only one. This is an important way in which NAP differs from Windows Server 2003's NAQC. Portable computers connected directly to the LAN via Ethernet can also pose a threat if they've been taken off-site and connected to other networks (including the Internet). Even desktop computers that stay on the premises can be compromised. Users may turn off essential protective features such as anti-virus protection, and some computers may not receive the updates they need. NAP makes it easy to determine which systems don't comply with your network access requirements, regardless of whether they're portables or desktops, onsite or remote.

How NAP works

To implement NAP, administrators create policies that define the minimum requirements for computers accessing the network. The policies are currently defined on a policy server running IAS. The Quarantine Server (QS) component also runs on an IAS computer (IAS is Microsoft's implementation of RADIUS and Longhorn Server can be configured as an IAS server). You can have multiple quarantine policies on the same network.

The network access requirements defined by a network access policy could include:

  • Service pack level that must be installed.
  • Anti-virus software (and version) that must be installed and enabled.
  • Personal firewall software that must be installed and configured.

Once the policy is created, administrators choose how NAP will react if a computer doesn't meet the requirements. You can select to log information about the computer that doesn't comply but still allow it to access the network or you can select to isolate the non-compliant computers on a special, restricted network. You can also automatically update computers that are out of compliance, using SMS or other management software. Once they've been updated, they'll be allowed full access to the network.

It's also possible to define exceptions so that, for example, specific computers are allowed access even if they don't comply while all others are isolated to the restricted network.

The restricted network to which non-compliant computers are confined can contain resources that will help them come into compliance. For example, security fixes or service packs can be made available, anti-virus software can be downloaded, etc.

NAP components

When a user dials in or attempts a VPN connection or plugs a laptop back into the network or otherwise attempts to connect, NAP components called System Health Agents (SHAs) and System Health Validators (SHVs) check the computer's status and compares it to the policy. Then action can be taken according to the policy specifications. SHAs and SHVs can be built into software management programs to take these actions, such as automatically updating the non-compliant computers (the components are expected to be included in SMS in the future).

Note that the SHVs don't detect threats such as viruses on the computers that are attempting to connect to the network. They only detect that the computer doesn't have the required software (for example, anti-virus program), updates and configuration.

Quarantine enforcement methods

There are three different methods that can be used for quarantining non-compliant computers, based on the type of server that acts as the enforcement server:

  • VPN Quarantine
  • DHCP Quarantine
  • IPSec Quarantine

VPN Quarantine is used by Longhorn Server-based VPN servers to enforce the network access policy on computers that attempt to connect to the LAN via virtual private networking. This is different from enforcement on VPN clients by Windows Server 2003 Network Access Quarantine Control or by ISA Server 2004's VPN Quarantine feature.

The VPN server checks the VPN client's credentials and authenticates it. If the client is not compliant, the VPN server confines it to the restricted network. When it comes into compliance, the VPN server receives a Statement of Health (SoH). It sends the SoH to the VPN server, which in turn sends it on to the IAS quarantine server. The SoH is compared to the policy on the policy server. When the SoH is validated, the client gets access to the LAN.

DHCP Quarantine uses the Longhorn Server-based DHCP server to enforce network access policy. Whenever a DHCP client requests an IP address or attempts to renew its current address, the DHCP server validates the client's compliance. If the client is compliant, it gets an IP address on the LAN. If it's not compliant, the DHCP server does not allow it to access the LAN. Instead, it's assigned an address on the restricted network. When it has been properly updated, it will request an IP address again and, when its health has been validated, it will be given an address and access to the LAN.

With IPSec Quarantine, a Windows Certification Authority (CA) acts as a "health certificate" server. When quarantined computers have been determined to meet the network access requirements, the CA issues them certificates that can be used to authenticate for IPSec-protected communications.

It's important to understand that only computers that connect to the LAN using one of the methods that supports NAP (DHCP, VPN) will be checked for compliance with the network access policies. For example, if a user brings his laptop to work and plugs it into the Ethernet network with a valid static IP address configured, it won't be checked.

These three quarantine methods each use a server component (called Quarantine Enforcement Server or QES) and a client component (called Quarantine Enforcement Client or QEC). You can use one method alone or multiple methods in combination.

The IAS policy server/quarantine server works with the VPN, DHCP or CA server; you create quarantine policies on the IAS server. You will also need to create a class for quarantine users on the IAS server.

You could also have an SMS server that acts as both an SHV and SHA.

NAP for ISVs

Independent Software Vendors (ISVs) can develop NAP components for their programs using the public APIs that Microsoft is making available. NAP is an extensible platform and a number of vendors have announced support for the technology.

Computer Associates, Check Point, Watchguard, eEye, Sygate, Trend Micro, Symantec, McAfee and St. Bernard are just a few of the companies that have partnered with Microsoft to develop applications that support NAP. For a list of NAP partners, see Microsoft's Web site.


In the fourth quarter of 2004, Microsoft and Cisco Systems made a joint announcement that they would be partnering to collaborate on integration of NAP and Cisco's Network Admission Control (NAC) policy enforcement software.

NAC works at the router and switch level to provide for quarantine protection and remediation. The router Access Control List (ACL) prevents non-compliant computers from accessing the LAN resources, other than those needed to gain compliance. Devices (routers, switches, wireless access points and security appliances) that support NAC work together with policy servers that hold the administrator-defined network access criteria.

In the same way that NAP uses an IAS server for the policy server, the Cisco implementation uses their RADIUS server, called the Cisco Secure Access Control Server. Endpoint (client) computers run software called the Cisco Trust Agent that collects and reports information on the system's patch level, anti-virus software, and so forth.

Speculation in the industry is that the two technologies, NAP and NAC, may be eventually merged into one, similarly to the cooperative effort between Microsoft and Cisco that spawned the L2TP VPN technology.

Coming soon to a network near you

The ability to ensure that computers connecting to your company's network have the latest security patches and service packs, are running anti-virus software and have personal firewalls installed and enabled when connecting to the Internet is important to maintaining the health and security of the LAN. Traditionally, administrators have found it difficult to enforce policies designed to protect the network from unprotected clients. New technologies that make it easier include Microsoft's Server 2003 Network Access Quarantine Control, ISA Server 2004's VPN Quarantine, Cisco's Network Admission Control, and--coming somewhat soon to a Longhorn server near you--Microsoft's Network Access Protection.

You might be wondering about clients that don't support NAP, such as Windows 9x, 2000 and NT machines. By default, these machines can't be determined to be compliant, so they're confined to the restricted network. However, you will be able to create exceptions so that these computers won't have to meet the compliance requirements to get access to the LAN.

By Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...