Overview of Network Access Protection

Applies To: System Center Configuration Manager 2007

Network Access Protection (NAP) is a policy enforcement platform built into the Windows Vista and Windows Server 2008 operating system that allows you to better protect network assets by enforcing compliance with system health requirements.

Configuration Manager 2007 Network Access Protection lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server. The Network Policy Server then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation.

Remediation with Configuration Manager 2007 Network Access Protection requires that Configuration Manager software updates is configured and operational so that a non-compliant computer can be automatically brought into compliance. For information about configuring software updates, see Software Updates in Configuration Manager.

For more information about Network Access Protection in Windows, see the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

You can use Network Access Protection in Configuration Manager to support the following business requirements:

Enforce compliance of software updates as part of a phased deployment. When you have a small number of computers that have failed to install current software updates through standard mechanisms by a target date, you can use Network Access Protection policies in Configuration Manager with an effective date to configure enforced compliance for these few computers.
Enforce compliance of software updates as part of an expedited deployment. When you have computers that must urgently install one or more critical software updates (for example, to address a zero-day exploit), you can use Network Access Protection policies in Configuration Manager that are configured to be effective as soon as possible.

For example scenarios of how Network Access Protection can be implemented in Configuration Manager 2007 to address these requirements, see Example Scenarios for Implementing Network Access Protection in Configuration Manager.

Note
For an overview of how Network Access Protection works in Windows, see the Webcast "Introduction to Network Access Protection" (http://go.microsoft.com/fwlink/?LinkId=68775).

Click the associated link in the following section for an explanation of terms used in conjunction with this feature, and for more detailed information on how Network Access Protection works in Configuration Manager.

In This Section

About the Network Access Protection Process: Describes the processes involved when using Network Access Protection in Configuration Manager.

About Phased and Expedited Network Access Protection Deployments: Explains the two different operational scenarios for using Network Access Protection in Configuration Manager.

About the Differences Between Software Updates and Network Access Protection: Compares and contrasts the software updates feature and Network Access Protection feature in Configuration Manager.

About Enabling and Disabling Network Access Protection: Explains the implications involved when enabling or disabling Network Access Protection in Configuration Manager.

About the NAP Client Status in Network Access Protection: Explains the three different statuses a client can have in Configuration Manager with regard to Network Access Protection, which is reported on the Network Access Protection home page and in reports.

About Configuration Manager NAP Policies in Network Access Protection: Explains the term Configuration Manager NAP Policies, and how they are used in Configuration Manager.

About NAP Evaluation in Network Access Protection: Explains the process involved when a client evaluates its compliance with Configuration Manager Network Access Protection (NAP) policies.

About the NAP Effective Date in Network Access Protection: Explains the term "NAP effective date" which is used when configuring and monitoring Configuration Manager Network Access Protection (NAP) policies.

About the Statement of Health (SoH) in Network Access Protection: Explains what the statement of health is and how it is used with Configuration Manager Network Access Protection.

About System Health Validator Points in Network Access Protection: Explains what a System Health Validator point is and how this site system role is used in Configuration Manager, with a detailed breakdown of how it validates client statements of health.

About NAP Health State References in Network Access Protection: Explains what NAP health state references are and how they are used in Configuration Manager by System Health Validator points when validating compliance.

About Compliance for Network Access Protection in Configuration Manager: Explains the processes that Configuration Manager uses to determine whether a client is compliant or non-compliant.

About Enforcing Compliance with Network Access Protection: Explains how enforcing compliance with software updates using Network Access Protection relies on the configuration of the Network Policy Server.

About Network Access Protection Remediation: Explains what remediation means in the context of non-compliant Configuration Manager clients, and how these clients are remediated to be compliant.

About Network Access Protection in Configuration Manager Hierarchies: Explains any considerations to be noted if you are using Network Access Protection in a multi-site Configuration Manager hierarchy.

About Network Access Protection and Multiple Active Directory Forests: Explains the special configurations required if all your site servers and System Health Validators do not reside in the same Active Directory forest.

About Reports for Network Access Protection: Lists the reports that can be used with Network Access Protection in Configuration Manager.

Administrator Workflow: Configure Network Access Protection for Configuration Manager: Provides a flowchart to depict the steps and decisions required to implement Network Access Protection with Configuration Manager.

Administrator Checklist: Configure Network Access Protection for Configuration Manager: Provides a checklist which lists the steps required to implement Network Access Protection with Configuration Manager.

In This Section

See Also

Concepts

Other Resources