Determine Your Policy Strategy for Network Access Protection

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

To determine a policy strategy for Network Access Protection with Configuration Manager 2007, a number of people must collaborate to decide on objectives, requirements, and processes. This will likely involve the Configuration Manager administrator, the Network Policy Server administrator, and representatives from the security team, the infrastructure team, and possibly the help desk.

Configuring Network Access Protection policies for Configuration Manager requires two sets of policies: the Network Access Protection policies defined in Configuration Manager, and the Network Access Protection policies defined on the Network Policy Server:

  • The Network Access Protection policies in Configuration Manager determine which software updates computers must have by a defined date. Based on these policies, Configuration Manager passes the computer's health state to the Network Policy Server and, if necessary, a list of the servers required for remediation.

  • The Network Access Protection policies on the Network Policy Server determine whether clients have full network access or restricted network access, and whether non-compliant computers are remediated. The decision is based on the computer's health state received from Configuration Manager. Policies on the Network Policy Server can be configured as follows:

    • NAP-capable clients that are compliant have full network access.

    • NAP-capable clients that are non-compliant have restricted network access until remediated.

    • NAP-capable clients that are non-compliant have full network access for a limited time and are immediately remediated.

    • NAP-ineligible clients have full network access.

    • NAP-ineligible clients have restricted network access but will not be remediated.

    • All error conditions, by default, result in computers having restricted access (with remediation if supported by the client), but they can be configured for full network access.

Note
If health policies are not enforced in the network policy on the Network Policy Server, Network Access Protection in Configuration Manager cannot remediate non-compliant computers. Compliance in this case can be achieved through the defined Configuration Manager software updates functionality. If health policies are enforced in the network policy on the Network Policy Server, Network Access Protection in Configuration Manager always attempts to remediate non-compliant computers, even if the option to auto-remediate non-compliant computers is not enabled in the network policy.

When you have decided on the policy strategy for your network, you should configure connection request policies, health policies, and network policies. The network policies should include settings for the following:

  1. Computers that are NAP capable and compliant.

  2. Computers that are NAP capable and non-compliant.

  3. Computers that are NAP ineligible, whose compliance therefore cannot be determined.

Typically, these policies are configured as follows:

  1. Compliant computers have full network access.

  2. Non-compliant computers either have limited network access until they are remediated, after which they have full network access; or they have full network access for a limited time and are remediated immediately on the unrestricted network.

  3. NAP-ineligible computers have full network access. However, in a high-security environment where the health status of these computers cannot be assessed, it might be appropriate for them to have restricted network access although they cannot be remediated and therefore will never be able to access the full network.

When you have decided on how the majority of computers will work with Network Access Protection, you can then plan more detailed policies for specific conditions. For example, you might have the following exceptions and exemptions:

  • Specified people will never have restricted network access.

  • Standard networked computers will have full network access for a limited time if non-compliant, whereas home computers will have limited access if non-compliant.

  • During the hours that a local helpdesk is not available, non-compliant computers will have full network access for a limited time rather than limited access.

  • Specified machines will be exempt from health policies. As an example, this exemption is appropriate if the Configuration Manager client must not be installed on selected computers.

Implementing policies for exceptions and exemptions is achieved through policy conditions and ordering. The first policy that matches a connecting computer is the one applied, so you usually need to order the more specific policies (the exceptions) before the general policies. If you need policy exemptions for people or computers, create the necessary Windows groups so that they can be selected as policy conditions on the Network Policy Server.
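The first-match ordering described above, together with the outcomes listed earlier (full access, restricted access, full access for a limited time, and the restricted default for error conditions), is easy to get wrong when exceptions are added. The following Python model is an added example, not code from this page or from the Network Policy Server product: it represents an ordered list of network policies as conditions mapped to an outcome and shows how the same client is treated differently when a general policy is placed ahead of an exception. The group names, help desk hours, client names and health states are constructed for the example.

```python
"""Constructed model of first-match network policy evaluation (added example)."""
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import Callable, FrozenSet, List


class Health(Enum):
    COMPLIANT = "compliant"
    NONCOMPLIANT = "non-compliant"
    UNKNOWN = "unknown"   # NAP-ineligible client: no statement of health to assess
    ERROR = "error"       # the health validator could not evaluate the client


class Access(Enum):
    FULL = "full network access"
    RESTRICTED = "restricted network access"
    FULL_DEFERRED = "full network access for a limited time"


@dataclass(frozen=True)
class Client:
    name: str
    nap_capable: bool
    health: Health
    groups: FrozenSet[str] = frozenset()   # Windows group memberships (constructed)
    connect_time: time = time(12, 0)


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    matches: Callable[[Client], bool]      # the policy's conditions
    access: Access                         # outcome when the conditions match
    remediate: bool                        # whether remediation is attempted


@dataclass(frozen=True)
class Decision:
    policy: str
    access: Access
    remediate: bool


# Hypothetical local help desk hours used by the after-hours exception.
HELPDESK_OPEN, HELPDESK_CLOSE = time(8, 0), time(18, 0)


def helpdesk_available(t: time) -> bool:
    return HELPDESK_OPEN <= t < HELPDESK_CLOSE


def noncompliant(c: Client) -> bool:
    return c.nap_capable and c.health is Health.NONCOMPLIANT


# Ordered as the page recommends: exceptions first, general policies after,
# and a catch-all for error conditions last. Group names are constructed.
POLICIES: List[NetworkPolicy] = [
    # Exemption that does not look at health at all (e.g. no Configuration Manager client).
    NetworkPolicy("Exempt computers", lambda c: "NAP Exempt Computers" in c.groups,
                  Access.FULL, False),
    NetworkPolicy("Exempt users: never restricted", lambda c: "NAP Exempt Users" in c.groups,
                  Access.FULL, True),
    NetworkPolicy("Non-compliant home computer: restrict and remediate",
                  lambda c: noncompliant(c) and "Domain Computers" not in c.groups,
                  Access.RESTRICTED, True),
    NetworkPolicy("Non-compliant, help desk closed: deferred enforcement",
                  lambda c: noncompliant(c) and not helpdesk_available(c.connect_time),
                  Access.FULL_DEFERRED, True),
    NetworkPolicy("Non-compliant (general): deferred enforcement", noncompliant,
                  Access.FULL_DEFERRED, True),
    NetworkPolicy("Compliant", lambda c: c.nap_capable and c.health is Health.COMPLIANT,
                  Access.FULL, False),
    NetworkPolicy("NAP-ineligible", lambda c: not c.nap_capable, Access.FULL, False),
    NetworkPolicy("Error condition (catch-all)", lambda c: True, Access.RESTRICTED, True),
]


def evaluate(policies: List[NetworkPolicy], client: Client) -> Decision:
    """Apply the first policy whose conditions match; the catch-all guarantees a match."""
    for policy in policies:
        if policy.matches(client):
            return Decision(policy.name, policy.access, policy.remediate)
    raise LookupError("no policy matched; add a catch-all policy")


def misordered(policies: List[NetworkPolicy]) -> List[NetworkPolicy]:
    """Same policies with the general non-compliant rule moved ahead of the exceptions."""
    general = next(p for p in policies if p.name.startswith("Non-compliant (general)"))
    return [general] + [p for p in policies if p is not general]


# Constructed sample clients.
HOME_PC = Client("HOMEPC", True, Health.NONCOMPLIANT, frozenset(), time(10, 0))
DOMAIN_LAPTOP_DAY = Client("LAPTOP01", True, Health.NONCOMPLIANT,
                           frozenset({"Domain Computers"}), time(10, 0))
DOMAIN_LAPTOP_NIGHT = Client("LAPTOP02", True, Health.NONCOMPLIANT,
                             frozenset({"Domain Computers"}), time(23, 0))
EXEMPT_SERVER = Client("PRINTSRV", False, Health.UNKNOWN, frozenset({"NAP Exempt Computers"}))
INELIGIBLE = Client("KIOSK", False, Health.UNKNOWN)
ERROR_CLIENT = Client("WS01", True, Health.ERROR, frozenset({"Domain Computers"}))
COMPLIANT_WS = Client("WS02", True, Health.COMPLIANT, frozenset({"Domain Computers"}))

if __name__ == "__main__":
    for client in (HOME_PC, DOMAIN_LAPTOP_DAY, DOMAIN_LAPTOP_NIGHT, EXEMPT_SERVER,
                   INELIGIBLE, ERROR_CLIENT, COMPLIANT_WS):
        good, bad = evaluate(POLICIES, client), evaluate(misordered(POLICIES), client)
        print(f"{client.name:9} correct order -> {good.access.value} ({good.policy})")
        if bad != good:
            print(f"{'':9} misordered    -> {bad.access.value} ({bad.policy})")
```

Running the script shows that the home computer is restricted only while the home-computer exception precedes the general non-compliant policy; once the general policy is moved to the front it matches first and the home computer receives full access for a limited time instead. The ordering of the home-computer and after-hours exceptions relative to each other is a deliberate choice in this model (a non-compliant home computer is restricted even when the help desk is closed); the page leaves that decision to the teams planning the strategy.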

Important
If you have NAP-capable computers in a Configuration Manager site that is enabled for Network Access Protection but they do not have the Configuration Manager client installed, you must have either exemption policies for these computers that do not reference the Configuration Manager System Health Validator, or a means by which computers on the restricted network can install the Configuration Manager client (for example, by providing an installation link on the troubleshooting Web site as part of the user experience).

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
© 2014 Microsoft