Example Scenarios for Implementing Network Access Protection in Configuration Manager

Example Scenarios for Implementing ...

Applies To: System Center Configuration Manager 2007

Topic last updated—May 2008

The following sections provide example scenarios of how Network Access Protection (NAP) in Configuration Manager 2007 can be implemented to solve the following business requirements:

Enforce compliance of software updates as part of a phased deployment
Enforce compliance of software updates as part of an expedited deployment

Enforce compliance of software updates as part of a phased deployment

This scenario demonstrates how you can use Network Access Protection in Configuration Manager as a part of phased deployment of software updates, restricting network access to the few computers that fail to install required software updates by a specified date.

Woodgrove Bank receives the monthly notification of software updates from Microsoft, and it wants to help protect the network from computers that are vulnerable to the exploits addressed in the software updates. It decides the course of action in the following table.

Process	Reference
Software updates that address a security vulnerability are assessed by the company security team, led by Kevin Verboort. This team verifies whether the vulnerability is applicable to their environment, and if it is, the business impact on corporate assets and business continuity, together with the circumstances under which the vulnerability could be exploited. The software updates that are not security-related are assessed by other teams responsible for those areas.	Internal process that is company-specific
Kevin then works with Mary North, who is the Configuration Manager administrator for software updates. She takes the security team's list of critical security updates and runs a report to see how many computers on the network are potentially vulnerable to the exploit addressed in the security update. About a quarter of computers on the network are found to be potentially vulnerable from the listed software security updates, and all these computers support NAP.	Network Access Protection report: List of computers that would be non-compliant based on selected software updates For more information, see the following topics: About Reports for Network Access Protection How to Run Network Access Protection Reports
Kevin decides, based on the security implications and business impact analysis, that all computers should install the security software updates through software updates within two weeks. For the few computers that fail to install the software updates in this time period, the installation will be enforced through Network Access Protection on the limited network.	Determine Your Policy Strategy for Network Access Protection
Mary also receives a list of nonsecurity updates that should be installed within four weeks.	Internal process that is company-specific
Over the course of a week, Mary tests the installation of the selected software updates on a representative group of computers to ensure that installation is successful and applications continue to function as expected.	Configuring Software Updates
Mary submits two Requests for Change (RFCs): The nonsecurity software updates that will be installed within four weeks, without Network Access Protection enforcement. The security software updates that will be installed through software updates initially, and through Network Access Protection as a failsafe enforcement measure. Both RFCs are granted.	Internal process that is company-specific
Mary then talks to the Network Policy Server administrator to communicate when the Configuration Manager NAP policies will be created, and the date that the security software updates will become effective in them. The two administrators work together to ensure that non-compliant computers will be automatically remediated on the limited network, and that the software updates are available on the Troubleshooting Web site if remediation fails. Mary also provides the Help Desk with advance notification of the software updates installation, and which software updates will be enforced through Network Access Protection.	Determine Administrator Roles and Processes for Network Access Protection Configuring the Remediation User Experience for Configuration Manager Network Access Protection
Mary confirms that the software updates packages she created for the software updates have now replicated to all distribution points in the hierarchy. Mary then uses the Deploy Software Updates Wizard to create two deployments and targets both to the All Systems collection in the central site: The nonsecurity software updates that have a deadline of four weeks. The security software updates that have a deadline of two weeks, and a NAP-effective date of four weeks.	Software Distribution - Packages report: Distribution status of a specific package How to Deploy Software Updates How to Configure NAP Evaluation for Software Updates
Mary sends a confirmation notice of the deployment to the security team, the Network Policy Server team, and the Help Desk. The Help Desk distributes user notification with a warning that computers might lose network connectivity if the required security software updates are not installed by the due date, and encourages users to install them themselves as soon as possible.	Internal process that is company-specific
Mary monitors compliance of the software updates. At the end of three weeks, a number of computers remain non-compliant with the security software updates. Each computer owner is sent an e-mail notification that their computer is out of compliance with security policies and risks losing network connectivity to be automatically remediated if it remains non-compliant by the end of the week.	Network Access Protection report: List of computers that would be non-compliant based on selected software updates For more information, see the following topics: About Reports for Network Access Protection How to Run Network Access Protection Reports
Two days before the effective date configured in the NAP policies, Mary notes that only a handful of computers now remain non-compliant with the security software updates. Mary forwards this report to the security team and notifies the Help Desk about which computers remain non-compliant and support Network Access Protection.	Internal process that is company-specific
Mary continues to monitor compliance for the selected software updates, and forwards progress reports to the security team at an agreed interval.	Internal process that is company-specific
After six weeks, Mary notes that 85percent of computers are reporting compliance with the nonsecurity software updates, and 100 percent of computers are reporting compliance with the security software updates. Mary reviews the process to see if modifications are required and investigates the computers that have not installed the nonsecurity updates.	Network Access Protection reports: List of software updates installed through remediation Comparison of software updates installed by software update deployments and NAP remediation List of computers that installed a specific software update through remediation during a specified period List of remediation failures for specified time period
Mary makes her reports available to the security team and invites feedback from the Help Desk to identify any technical or communication improvements.	Internal process that is company-specific

Configuration Manager NAP policies might impact users in the following ways during a phased deployment:

Laptop returns to corporate network after period of absence:

A salesman frequently travels to customer sites, but returns to corporate headquarters for important meetings. He has briefly scanned the e-mail notifications to install security updates but did not install them, and the deadline came and went without any repercussions.

When he arrives at headquarters for the meeting, he connects his computer to the network and shortly after logging on he sees a notification that his computer has limited network access because it is not compliant with security policies. He remembers the e-mail notifications and searches for them, looking for instructions on what to do. By the time he has found the e-mail and read it, his computer has already installed the required software updates and he has unlimited network access. His computer continues to install the nonsecurity updates in the background.
User on vacation returns to work:

A user returns to work after several weeks of vacation. Although her computer was fully compliant before she left, her computer was switched off while she was gone, so it was not able to receive software updates during that time. When she returns to work, she switches on the computer, logs on, and loads Microsoft Outlook. However, her mailbox will not connect to the server and she sees a notification that she has limited network access because her computer is not compliant.

Unaware of the e-mail notifications that have gone out in the last few weeks, she calls the Help Desk who confirms that her computer is one of the computers that were listed as non-compliant by the effective date in the Configuration Manager NAP policy. The Help Desk explains that her computer will be automatically remediated and all she has to do is wait, and they will ring back to confirm that connectivity is restored after half an hour.

The user gets a cup of coffee and catches up on the latest news in the office during her absence. On her return, she sees that her computer now has full network access, confirms this with the Help Desk, and her user assistance ticket is closed.
Setting up a new computer:

A new user receives her desktop computer, running Windows Vista and imaged with a Configuration Manager client. She unpacks the computer, connects it up and switches it on. After completing the initial setup, a balloon pops up, informing her that her computer has limited network access.

She clicks on the notification and sees that her computer is installing software updates that are required for the company's security policy. She tidies away the boxes and on returning to her computer sees another notification that the computer now has unlimited network access. She configures her desktop while in the background, nonsecurity updates and the applications she requires are automatically installed.
Guests are denied full network access:

A consultant from another company connects his laptop into the corporate network. The guest sees that his computer has limited network access and that remediation on the restricted network has failed. He contacts the Help Desk.

This behavior is by design. Because this computer does not have a Configuration Manager client installed, the System Health Validator point cannot validate whether the computer is compliant or non-compliant. In this scenario, the Configuration Manager System Health Validator on the Network Policy Server is configured to give the computer a non-compliant health state, and automatic remediation is not possible.

The Help Desk confirms that their procedure in this scenario is to explain to the guest that full network access is not possible, but that they can use the Web proxy server on the restricted network. The guest uses the proxy Web server for Internet access and a VPN connection to his own corporate network.

Momentary loss of network connectivity for a few users:

Even before the effective date, some users notice a Network Access Protection notification that their computer is not compliant and has limited network access. Very soon afterwards they see another messaging informing them that their computer is now compliant and they have full network access. Some users are concerned about these messages and ring the Help Desk. They are informed that this is expected behavior for Network Access Protection to ensure that computers are up-to-date with requirements, and not symptomatic of a problem.

As time progresses, users become accustomed to the new process and only ring the Help Desk if they see a failure message.

Note
There are a number of scenarios that might result in a client being deemed non-compliant by the System Health Validator, and which do not relate to whether the client has software updates installed. These scenarios include a client having a cached statement of health that is older than the configured statement of health validity period, and the client does not have the latest Configuration Manager NAP policies. Be aware that Configuration Manager 2007 clients can go into remediation for a number of reasons, and educate users and the Help Desk of this possibility before deployment. For more information on this scenario, see About Network Access Protection Remediation and About Compliance for Network Access Protection in Configuration Manager.

Note

There are a number of scenarios that might result in a client being deemed non-compliant by the System Health Validator, and which do not relate to whether the client has software updates installed. These scenarios include a client having a cached statement of health that is older than the configured statement of health validity period, and the client does not have the latest Configuration Manager NAP policies. Be aware that Configuration Manager 2007 clients can go into remediation for a number of reasons, and educate users and the Help Desk of this possibility before deployment.

For more information on this scenario, see About Network Access Protection Remediation and About Compliance for Network Access Protection in Configuration Manager.

Enforce compliance of software updates as part of an expedited deployment

This scenario demonstrates how you can use Network Access Protection in Configuration Manager as a part of an expedited deployment of a software update that must be urgently installed to protect network resources.

Woodgrove Bank receives an urgent notification from Microsoft regarding a critical software security update, and it wants to immediately minimize the number of computers on the network that are vulnerable to the exploit. It decides on the course of action described in the following table.

Process	Reference
Kevin Verboort receives the security notification, and as the security chief officer he calls the security team to an urgent meeting to review the critical software security update and understand the security implications for their environment. The security threat is assessed for the business impact on corporate assets and business continuity, and the circumstances under which the vulnerability could be exploited.	Internal process that is company-specific
While the meeting is in progress, Mary North, who is the Configuration Manager administrator for software updates, has been asked to run a report to find out how many computers on the network are potentially vulnerable to the exploit addressed in the security software update. Over half of the computers on the network are found to be potentially vulnerable from the listed software security updates, and most of these computers support Network Access Protection.	Network Access Protection report: List of computers that would be non-compliant based on selected software updates. Network Access Protection report: List of NAP-capable and NAP-upgradeable computers. For more information, see the following topics: About Reports for Network Access Protection How to Run Network Access Protection Reports
The security team decides that the risk of computers being vulnerable to the security exploit addressed by the security software update is important enough that computers should install it immediately, even at the risk of short-term lost productivity.	Determine Your Policy Strategy for Network Access Protection
Mary creates a software update package, downloading the software update and adding it to all distribution points in the hierarchy.	How to Create a Deployment Package
Mary initiates a minimal test of this software update on a representative group of computers to ensure that installation is successful and basic applications continue to function as expected.	Internal process that is company-specific
Kevin initiates the emergency procedure for an out-of-band Request for Change, which is immediately reviewed and granted. Notification is sent to Mary, to the Network Policy Server administrators, to the Help Desk, and to teams monitoring service resources to warn them of a sudden increase of traffic when a high number of computers attempt remediation in a short space of time.	Internal process that is company-specific
After confirming that there are no problems with the tested software update, Mary uses the New Policies Wizard to identify the software update and configures the effective date for As soon as possible. She then configures the System Health Validator point component properties and configures the option Date created must be after (UTC) with the current date and time.	How to Create a Configuration Manager NAP Policy for Network Access Protection How to Specify the Option 'Date created must be after' for the Statement of Health
Mary knows that she has some computers that cannot support Network Access Protection, and these are computers running Windows XP Service Pack 1, and Windows Server 2003. The security update is applicable to the computers running Windows XP Service Pack 1, but it is not applicable to servers running Windows Server 2003. Mary creates a software update deployment for the software update, with a deadline of As soon as possible. She targets this software update deployment to a collection that contains Windows XP Service Pack 1 only.	How to Deploy Software Updates
Mary sends a confirmation notice that the Change of Request work has been completed, which is forwarded to interested parties.	Internal process that is company-specific
Mary monitors compliance of the critical security software update and reports progress to the security team. In particular, special attention is paid to the computers that cannot support Network Access Protection, because failed installations on these computers will not prevent them from accessing the network. Any installation failures on these machines are immediately reported to the Help Desk to proactively investigate and resolve them to ensure compliance.	Network Access Protection report: List of computers that would be non-compliant based on selected software updates. For more information, see the following topics: About Reports for Network Access Protection How to Run Network Access Protection Reports
After 24 hours, 90 percent of the applicable computers are compliant with the software update. Mary investigates the non-compliant computers and discovers that they are not currently on the corporate network for legitimate reasons. An e-mail notification is sent to them, requesting that they install the software update manually. Mary knows that if this mechanism fails (for example, the user is on vacation and left her computer turned off), compliance will be enforced when the computer is connected to the corporate network.	Internal process that is company-specific
Mary continues to monitor compliance for the selected software updates and forwards progress reports to the security team at an agreed-upon interval.	Internal process that is company-specific
At the end of an agreed-upon period with the security team, Mary confirms all computers are now reporting compliance with the selected software update and reviews the process to see if modifications are required to more effectively install urgent software updates.	Network Access Protection reports: List of software updates installed through remediation Comparison of software updates installed by software update deployments and NAP remediation List of computers that installed a specific software update through remediation during a specified period List of remediation failures for specified time period
Mary makes her findings available to the security team and invites feedback from the Help Desk to identify any technical or communication improvements.	Internal process that is company-specific

Configuration Manager NAP policies might impact users in the following ways when using Network Access Protection as an expedited deployment of an urgent security update:

Inconsequential loss of network connectivity for most users:

Most users lose network connectivity at the same time, and applications that require network connectivity report errors until remediation is complete. For many users, this is only a short period of time, and some users do not even notice.
Important loss of network connectivity for managers:

A manager is in the middle of a presentation at corporate headquarters and is using slides hosted on a remote computer. In the middle of her presentation, her computer loses network connectivity and a notification informs her that her computer is not compliant with network policies and has limited network access until compliant.

The manager is not very happy with the interruption to her presentation, and she resolves that next time she will copy the slides locally to her computer. She is not sure how long the loss of connectivity will be, but she decides to take a break in the presentation and invite questions and discussions on the slides presented so far. After 10 minutes, she sees a notification that says her network connectivity is restored and she continues with her presentation.
Loss of network connectivity has impact on deliverables:

A developer is working through some changes to an in-house application that needs to be checked in by the end of the day. At four o'clock he completes his changes but they fail to check in with a network failure error. He then notices that his computer has limited network access and he calls the Help Desk.

The Help Desk explains about the urgent software update that must be installed immediately, and asks for his patience while it automatically installs. He clicks on the Network Access Protection notification and can see that his computer is installing software updates through the Configuration Manager System Health Agent, but the installation is taking a long time.

The Help Desk investigates and confirms that his network segment is heavily saturated, and distribution points are also running more slowly than usual because of the higher than usual demand. The developer realizes he is unlikely to check in his new code by the end of the day and informs his manager. He goes home leaving his computer switched on. He returns the following day to find that it is reconnected to the network, so he can now check in his code.
Network loss continuation for remote offices:

A user in a remote branch loses connectivity while trying to send e-mails. He contacts the Help Desk and learns about the critical software update. However, his computer fails to install the software update and on investigation, the Help Desk discovers remediation failures are due to network timeouts. The software update package has not yet replicated to the branch distribution point and the computer is attempting to download the software update across a slow and unreliable network connection.

The Help Desk engineer explains how the user can install the software update from the Troubleshooting Web site, and then instructs him to reboot his machine. The user follows this advice, and after the reboot, his computer is connected with unlimited access.

Enforce compliance of software updates as part of a phased deployment

Enforce compliance of software updates as part of an expedited deployment

See Also

Concepts