SolutionBase: Increase remote access security with Network Access Protection in Windows Vista

When remote users try to access your network via VPN, you can only hope that they have up-to-date virus protection and other things to keep from spreading problems across your network. Windows Vista introduced Network Access Protection to allow you to enforce rules on users before they access a network.

To read some reviews and opinions about Windows Vista, one would think that Microsoft spent five years and billions of dollars creating a new skin for Windows XP, slapped the Vista name on the resulting product, and shipped it to retailers and computer manufacturers for sale to unsuspecting end users. Although Vista's new Aero interface is the most visible new feature in the operating system, there are a number of improvements beneath the surface that make Vista worth considering.

Vista includes a variety of improvements intended to better secure individual computers as well as the overall computing environment. One such feature, Network Access Protection (NAP), is included in Vista and will also be a part of Windows Server 2008. NAP allows IT to require that computers connecting to the network -- either directly, via wireless, or via some remote connection method such as through a VPN -- pass specific health requirements. For example, with this feature, you can dictate that connected computers must have recent antivirus software and definitions, antispyware software, and a software firewall. You can configure NAP to send non-compliant computers to a quarantine area -- or remediation network -- from which they can address the security shortcomings.

In short, NAP puts enforcement teeth into your existing security policies. You can put in writing that all computers connecting to your network must meet minimum security levels, but without a way to enforce those policies technically you can never be sure that an unwitting user is not connecting an already infected computer or skipping some of the requirements.

Network access control products such as Cisco Clean Access (formerly Perfigo) and Bradford Campus Manager have offered this kind of health checking for a while. As with many Microsoft features, using Vista and Windows Server 2008 you can implement it at no charge beyond hardware and Windows licenses. Upon the release of Windows Server 2008, Microsoft is planning to provide NAP support for Windows XP computers as well.

Network Access Protection operating modes

Windows Vista's NAP capability can be used in one of two operating modes: monitoring-only mode or isolation mode. Under monitoring-only mode, clients are checked against security policies and the results logged for future perusal. In this passive mode, clients are able to connect to your network regardless of their state of health. In isolation mode (sometimes called active mode), a client that fails health checks is provided only very limited access to a quarantined network.

Clients that require remediation are given access only to the resources that can bring them into compliance. With Vista/Windows Server 2008 NAP, you can also configure auto-remediation, so that a failing client is brought up to the policy's compliance level without user intervention: any necessary definitions or security patches are applied automatically and the client's health is re-evaluated.

Network Access Protection components

There are a number of individual components that allow NAP to work its magic. These components are described below. Although not all possible components are listed, these are the main structures that constitute NAP.

Network Access Protection Server (server side)

A Network Access Protection Server is a server running Windows Server 2008 that provides the services necessary to force clients to adhere to your organizational security policies. Many of these services are indicated below.

Network Policy Server (server side)

NAP depends on the services provided by a server running the Network Policy Server (NPS) service. NPS replaces the Internet Authentication Service (IAS) of Windows Server 2003 and, like IAS, is Microsoft's RADIUS server and proxy. RADIUS itself is not a service that goes away; it is the protocol NPS speaks to the switches, access points and VPN servers that act as enforcement points.

NPS runs on a Windows Server 2008 server and is responsible for storing health policies and for validating the state of clients' health.

System Health Agent (client side)

System Health Agents are components that monitor and maintain various aspects of system health. There are System Health Agents available that handle virus engine versions and signatures, others that verify local client settings, and others that handle updates to the local OS. For example, take the case of the agent that handles antivirus. The System Health Agent that handles antivirus signatures looks to a server that has the most recent signatures and makes sure that the local client is up-to-date.

Other System Health Agents just check local settings. For example, you may use an agent that makes sure that the local Windows firewall is running. Agents are commonly used to check the configuration of various security settings found in the Windows Security Center.

System Health Validator (server side)

A System Health Agent communicates with a System Health Validator, which sits on a Windows Server 2008 Network Policy Server. A System Health Validator's role is to provide a health response to the client, at which point client NAP components are instructed on what to do next. If a client's System Health Agent is told that a particular Windows patch is not applied and is necessary, the health response sent by the corresponding System Health Validator can instruct the related client System Health Agent to communicate with a particular WSUS server to obtain the necessary patch.

System Health Server (server side)

In conjunction with System Health Agents, a System Health Server makes determinations about client health and notifies the Network Policy Server regarding such determinations. Based on this information, the Network Policy Server can take appropriate action.

Remediation Server (server side)

A remediation server contains all of the resources (servers, services, etc.) that a non-compliant computer needs in order to be brought into compliance with your organization's security policies. For example, your remediation infrastructure may include a server that updates virus definitions for clients that need attention, and services, such as WSUS, that bring a client to your organization's required patch level. A remediation infrastructure also sometimes contains a DNS server that has only enough entries to point clients to remediation services.

Network Access Device (network)

Oftentimes, the Network Access Device component of the NAP architecture isn't a Microsoft-provided service, but it can be critical to the proper operation of NAP. Network Access Devices can include the following kinds of services and devices:

  • An Ethernet switch
  • A wireless access point
  • A DHCP server (Microsoft, or a third party service)
  • A VPN server
  • An SSL proxy device or application
  • The Health Registration Authority, described later.

Quarantine Agent (client side)

A Quarantine Agent is responsible for keeping track of the status of health responses from System Health Agents and supplying this information to Quarantine Enforcement Clients when requested. When the client's state changes, the Quarantine Agent communicates this fact to the individual System Health Agents.

Quarantine Server (server side)

The Quarantine Server restricts a client's network access based on what the System Health Validator indicates.

Quarantine Enforcement Client (client side)

A Quarantine Enforcement Client requests minimal access to the network, verifies the client's health status against a Network Access Protection server, and indicates the client's restricted status to other NAP components. (In the released product these are called NAP Enforcement Clients, and the Quarantine Agent is the NAP Agent service.) There are a number of Quarantine Enforcement Clients that will ship with Windows Server 2008, including:

  • 802.1X: 802.1X enforcement consists of a Network Policy Server and the EAP Quarantine Enforcement Client. Under this method, the Network Policy Server instructs an 802.1X-capable device, such as an Ethernet switch or wireless access point, to place a client into a restricted access state, either by applying a traffic filter to the port or by assigning the port to a restricted VLAN. Often this VLAN contains the services that help clients remediate any problems.
  • DHCP: This Quarantine Enforcement Client adds new functionality to the DHCP Client service. It uses DHCP messages to exchange health information and restricted-network information between a client and a server. The DHCP Quarantine Enforcement Client gets the list of health statements from the Quarantine Agent, breaks the list into pieces and places each piece into a Microsoft vendor-specific DHCP option that the client sends to the DHCP server in its DHCPDiscover, DHCPRequest, or DHCPInform messages; the server's reply gives a restricted client a limited address configuration and tells it where to find remediation services. Because a user with local administrator rights can bypass DHCP entirely by assigning a static IP address, this is the weakest of the enforcement methods.
  • IPsec: The IPsec method is made up of a Health Registration Authority, a certification authority that the HRA obtains certificates from, and the IPsec Quarantine Enforcement Client. A health certificate is issued to a client once it is determined to be healthy, and healthy clients use those certificates to authenticate IPsec-secured communications with one another. A non-compliant machine holds no health certificate, so compliant machines refuse its connections even on the same subnet, which makes IPsec the strongest of the enforcement methods and the one that does not depend on the network hardware.
  • VPN: Using this method, a VPN server running Routing and Remote Access enforces organizational health policy whenever a computer tries to connect to your network over a VPN connection, by applying IP packet filters to a restricted client's connection so that it reaches only the remediation resources.

Health Registration Authority (server side)

The Health Registration Authority obtains certificates for clients once the client has a clean bill of health. The certificates are used to authenticate NAP clients when they use IPsec to communicate with other NAP clients on the network.

Starting the Vista NAP client

There are a couple of ways to start Vista's Network Access Protection Client Configuration tool. First, you can start this tool using the following steps:

  1. Press the Start button.
  2. Choose Control Panel.
  3. If you're using Vista's new Control Panel view, choose System and Maintenance.
  4. Choose Administrative Tools.
  5. Choose the NAP Client Configuration option.

If this option does not appear on your system, you can run the Network Access Protection Client Configuration Tool MMC snap-in directly: type napclcfg.msc in the Start menu search box (or in the Run dialog), or use Windows Explorer to browse to \Windows\System32 and execute the file named NAPCLCFG.MSC.

Regardless of the method you use to start the configuration tool, you will get a screen like the one shown in Figure A.

Figure A

The Windows Vista NAP Client Configuration Tool.
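The configuration tool above only edits settings; for the client to take part in enforcement, the NAP Agent service must be running and the enforcement client matching the method NPS uses (the 802.1X, DHCP, IPsec or VPN clients listed earlier) must be enabled. The script below is an added example, my code rather than anything from the article or from Microsoft, that does that from an elevated PowerShell prompt with sc.exe and netsh. It assumes the enforcement client IDs that netsh nap client show configuration reports on Vista and the real Vista service names NapAgent and wscsvc; the Enable-NapEnforcement function name is mine.

```powershell
# Added example, not code from the article: enable the Vista NAP client for one
# enforcement method from an elevated PowerShell prompt, then show its state.
# Enforcement client IDs as reported by "netsh nap client show configuration".
$EnforcementClients = @{
    'DHCP'   = 79617   # DHCP Quarantine Enforcement Client
    'VPN'    = 79618   # Remote Access Quarantine Enforcement Client
    'IPsec'  = 79619   # IPsec Relying Party
    '802.1X' = 79623   # EAP Quarantine Enforcement Client
}

function Enable-NapEnforcement {
    param([Parameter(Mandatory = $true)][string]$Method)

    if (-not $EnforcementClients.ContainsKey($Method)) {
        throw "Unknown method '$Method'. Use one of: $($EnforcementClients.Keys -join ', ')"
    }
    $id = $EnforcementClients[$Method]

    # The NAP Agent service performs the statement-of-health exchange; on Vista
    # it is set to Manual and stopped by default, so the client never reports.
    & sc.exe config NapAgent start= auto | Out-Null
    & sc.exe start NapAgent | Out-Null    # error 1056 if already running; harmless

    # The Windows Security Health Agent reads firewall/antivirus/update state
    # from Security Center, so that service has to be running too.
    & sc.exe config wscsvc start= auto | Out-Null
    & sc.exe start wscsvc | Out-Null

    # Enable only the enforcement client that matches the method NPS uses;
    # an enabled client with no matching enforcement point simply sits idle.
    $netshArgs = @('nap', 'client', 'set', 'enforcement', "id=$id", 'admin=enable')
    & netsh.exe @netshArgs
}

Enable-NapEnforcement -Method 'DHCP'

# Restriction state and the last result from each System Health Agent,
# as the client itself sees them.
netsh.exe nap client show state
```

Run it once on a reference machine, check the output of netsh nap client show state, and then use netsh nap client export filename=... to capture the configuration for other machines; in a domain the same settings belong in Group Policy under Computer Configuration\Windows Settings\Security Settings\Network Access Protection rather than in a script. The Out-Null redirections hide sc.exe's exit codes, so inspect the service state with sc.exe query NapAgent if enforcement does not take effect.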

Windows Server 2008 will add more power

This article provided a high-level view of Microsoft's Network Access Protection capability. Although the client is included in Vista, NAP really becomes viable only when introduced to an environment running Windows Server 2008, which provides significant server-side infrastructure.

By Scott Lowe

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...