Protect Corporate Assets from Unmanaged Computers

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

Unmanaged computers are often at a greater risk of exposure to viruses and other malicious software. These viruses can use several vectors, or methods, of attack. One way that a virus can bypass corporate firewalls and other security measures is by infecting an unmanaged computer that is then used to gain access to the corporate network. With Network Access Protection (NAP), network administrators can enforce health requirements for both managed and unmanaged computers that connect to the network. Health requirements for unmanaged computers can be different from the requirements for managed computers. Requirements for system health are defined by administrators using policies that specify different access levels for certain users and computers. For example, an administrator might restrict guests and other unauthenticated users to a guest VLAN. Access to the resources on the corporate LAN can be restricted to only those users who meet the conditions you specify, such as membership in a user group, the remote access server used, or compliance with a specific health policy. The following are some examples of policy conditions and settings that you can use to protect the network from unmanaged systems:

  • Corporate VPN policy: Compliant non-domain-joined computers that authenticate with a domain account are allowed access to the intranet. Noncompliant and non-NAP-capable computers that authenticate with a domain account are allowed access to remediation servers.

  • Corporate wired network policy: Compliant domain member computers are allowed full access to the intranet. Non-domain member computers that authenticate with a domain account are granted restricted access if they meet health requirements. Noncompliant computers are allowed access to the Internet and remediation servers only. Non-NAP-capable computers that have been granted exemptions are allowed full access.

  • Vendor wireless network policy: Non-domain member computers that authenticate with a vendor account are assigned to a vendor VLAN and a vendor ACL is applied. Compliant computers are granted access to a file server. Noncompliant computers are allowed access to the Internet and remediation servers only.

  • Guest wireless network policy: Non-domain member computers that do not authenticate with a domain account are assigned to a guest VLAN. The compliance of guest computers is not checked. Access is allowed to the Internet only.

Health policies can be used to customize access for unmanaged computers whether those computers access the network locally with a wired or wireless connection or through a remote access connection. See the following figure.

[Figure] NAP policy conditions and settings can be configured to allow unmanaged computers access to a guest network, to a restricted network, or to specific resources on the corporate LAN.

Conditions that you can use to determine the level of access that should be granted to unmanaged computers include, but are not limited to:

  • Operating system type and version

  • User account

  • Access method and location

  • Authentication method

  • Time of day

  • Health status

  • NAP capability
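The four example policies above and the list of conditions just given can be hard to reason about together, so here is a small added model (example code written for this page, not Microsoft's code and not the real NPS policy engine) that encodes those policies as functions over a connection's attributes and applies them in order, the way NPS processes network policies (first match wins; a request that matches no policy is rejected). The access-level labels, the VLAN and ACL names, and the `Connection` fields are constructed for the example; the comments mark the outcomes the page does not state and that the model assumes.

```python
"""Toy model of the NAP policy examples on this page.

Added example, not Microsoft's code or NPS's policy engine: it encodes the four
example policies (corporate VPN, corporate wired, vendor wireless, guest
wireless) and the first-match rule NPS applies to network policies, so that a
connection's attributes can be traced to an access outcome. Where the page does
not say what happens, the model returns "reject", mirroring the fact that an
NPS request that matches no network policy is rejected.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Health(Enum):
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"
    NOT_NAP_CAPABLE = "not-nap-capable"   # no NAP agent / no statement of health


@dataclass(frozen=True)
class Connection:
    access_method: str      # "vpn", "wired" or "wireless" (constructed labels)
    domain_member: bool     # computer is joined to the corporate domain
    account: str            # "domain", "vendor" or "none" (unauthenticated guest)
    health: Health
    exempt: bool = False    # administrator-granted exemption for non-NAP-capable hosts


@dataclass(frozen=True)
class Decision:
    access: str             # access-level label (constructed for the example)
    vlan: Optional[str] = None
    acl: Optional[str] = None


REJECT = Decision("reject")
INTERNET_AND_REMEDIATION = Decision("internet+remediation")


def vpn_policy(c: Connection) -> Optional[Decision]:
    """Corporate VPN policy: clients that authenticate with a domain account."""
    if c.access_method != "vpn" or c.account != "domain":
        return None
    if c.health is Health.COMPLIANT:
        # Assumption: domain-joined compliant VPN clients get the same intranet access.
        return Decision("intranet")
    # Noncompliant and non-NAP-capable clients reach the remediation servers only.
    return Decision("remediation-only")


def wired_policy(c: Connection) -> Optional[Decision]:
    """Corporate wired network policy: domain-account authentication on the LAN."""
    if c.access_method != "wired" or c.account != "domain":
        return None
    if c.health is Health.NOT_NAP_CAPABLE:
        # Exempted hosts get full access; assumption: non-exempt non-NAP-capable
        # hosts are treated like noncompliant ones.
        return Decision("full-intranet") if c.exempt else INTERNET_AND_REMEDIATION
    if c.health is Health.NONCOMPLIANT:
        return INTERNET_AND_REMEDIATION
    return Decision("full-intranet") if c.domain_member else Decision("restricted")


def vendor_wireless_policy(c: Connection) -> Optional[Decision]:
    """Vendor wireless policy: non-domain computers with a vendor account."""
    if c.access_method != "wireless" or c.domain_member or c.account != "vendor":
        return None
    if c.health is Health.COMPLIANT:
        return Decision("file-server", vlan="vendor", acl="vendor-acl")
    # Assumption: non-NAP-capable vendor hosts are handled like noncompliant ones.
    return Decision(INTERNET_AND_REMEDIATION.access, vlan="vendor", acl="vendor-acl")


def guest_wireless_policy(c: Connection) -> Optional[Decision]:
    """Guest wireless policy: non-domain computers without a domain account.
    Health is deliberately not checked."""
    if c.access_method != "wireless" or c.domain_member or c.account == "domain":
        return None
    return Decision("internet-only", vlan="guest")


# Order matters: the vendor policy must precede the guest policy, or a vendor
# account would fall through to the guest VLAN.
POLICIES = [vpn_policy, wired_policy, vendor_wireless_policy, guest_wireless_policy]


def evaluate(c: Connection) -> Decision:
    """First matching policy wins, as in NPS network-policy processing."""
    for policy in POLICIES:
        decision = policy(c)
        if decision is not None:
            return decision
    return REJECT


if __name__ == "__main__":
    # Constructed sample connections, one per branch described on the page.
    samples = [
        Connection("vpn", False, "domain", Health.COMPLIANT),
        Connection("wired", True, "domain", Health.NOT_NAP_CAPABLE, exempt=True),
        Connection("wireless", False, "vendor", Health.NONCOMPLIANT),
        Connection("wireless", False, "none", Health.NONCOMPLIANT),
    ]
    for s in samples:
        print(s.access_method, s.account, s.health.value, "->", evaluate(s))
```

The useful lesson is the ordering: each policy is a conjunction of the conditions listed above (access method, account, domain membership, health state, NAP capability), and the first policy whose conditions all hold decides the outcome, so a broadly matching policy such as the guest policy must sit after the more specific ones.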