Understanding How to Configure Health Policy

Applies To: Windows Server 2008

Network Access Protection (NAP) enforcement is accomplished by Network Policy Server (NPS) on a per-network policy basis. That is, you can create network policies that enforce NAP and you can create network policies that do not enforce NAP. In addition, you can create network policies that enforce NAP in different ways and for different NAP enforcement methods.

To configure NPS to enforce client health policies, you must configure the following:

  • System health validators (SHVs), which contain the settings that you can choose to enforce or not enforce. For example, in the Windows Security Health Validator (WSHV), you can choose whether to enforce client computer use of a firewall, antivirus software, and other settings.

  • Health policies, which contain the SHVs that you want to enforce with the health policy.

  • Network policy, to which you add the health policy. You create the health policy by adding one or more SHVs to it; you then add the health policy to the network policy and enable NAP enforcement in the policy.

The basic steps for creating a network policy that enforces NAP are:

  • If required for your network configuration, install SHVs from other companies. Also install the corresponding system health agents (SHAs) on client computers.

  • Configure the SHVs that you want to use, whether they are non-Microsoft SHVs or the WSHV, which is included in Windows Server® 2008.

  • Add SHVs to a new or existing health policy.

  • Create a new network policy or open an existing policy.

  • In network policy conditions, add the health policy to the network policy.

Planning a network policy that enforces NAP

If you need a network policy that enforces NAP, you must determine:

  • The type of network access server, or RADIUS client, that the NAP-capable client computer uses to connect to the network.

  • The NAP enforcement client you want to use. The NAP enforcement client that you choose must match the connection method that the client uses to access the network. For example, if you deploy NAP with the DHCP enforcement method, you must use the DHCP enforcement client.

  • The Windows groups that contain the users and computers that you want to authorize to access your network.

  • The SHAs that are installed on the client computers and SHVs that are installed on the NPS server. These NAP components must be installed before you configure and enable a network policy that enforces a client health policy using the SHV.
