Network Access Protection Design Guide

Updated: February 29, 2012

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 8 Beta, Windows Vista

Network Access Protection (NAP) is a platform introduced with the Windows Server® 2008 operating system that allows network administrators to define specific levels of network access based on a client's identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation) and then dynamically increasing its level of network access. NAP is supported by Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista®, and Windows® XP with Service Pack 3 (SP3). NAP includes an application programming interface (API) that developers and vendors can use to integrate their products with NAP's health state validation, access enforcement, and ongoing compliance evaluation. For more information about the NAP API, see Network Access Protection (http://go.microsoft.com/fwlink/?LinkId=128423).

The following are key NAP concepts:

  • NAP Agent. A service included with Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista, and Windows XP with SP3 that collects and manages health information for NAP client computers.

  • NAP client computer. A computer that has the NAP Agent service installed and running, and is providing its health status to NAP server computers.

  • NAP-capable computer. A computer that has the NAP Agent service installed and running and is capable of providing its health status to NAP server computers. NAP-capable computers include computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista, and Windows XP with SP3.

  • Non-NAP-capable computer. A computer that cannot provide its health status to NAP server components. A computer that has the NAP Agent service installed but not running is also considered non-NAP-capable.

  • Compliant computer. A computer that meets the NAP health requirements that you have defined for your network. Only NAP client computers can be compliant.

  • Noncompliant computer. A computer that does not meet the NAP health requirements that you have defined for your network. Only NAP client computers can be noncompliant.

  • Health status. Information about a NAP client computer that NAP uses to allow or restrict access to a network. Health is defined by the client computer's configuration state. Common measurements of health include the operational status of Windows Firewall, the update status of antivirus signatures, and the installation status of security updates. A NAP client computer reports its health status by sending a message called a statement of health (SoH). Because the SoH is produced and sent by the client itself, NAP evaluates what a cooperating client reports about its own configuration; it is a mechanism for maintaining the health of managed computers, not a control against a deliberately malicious host.

  • NAP health policy server. A computer running Windows Server 2008 or Windows Server 2008 R2 with the Network Policy Server (NPS) role service installed and configured for NAP. The NAP health policy server uses NPS policies and settings to evaluate the health of NAP client computers when they request access to the network or when their health state changes. Based on the results of this evaluation, the NAP health policy server determines whether a NAP client computer is granted full or restricted access to the network.

For more information, see Appendix B: Reviewing Key NAP Concepts.

This guide is intended for use by an infrastructure specialist or system architect. The guide provides recommendations to help you plan a new NAP deployment based on the requirements of your organization and the particular design that you want to create. It highlights your main decision points as you plan your NAP deployment. Before you read this guide, you should have a good understanding of your organizational requirements and the way NAP works.

This guide describes a set of deployment goals that are based on the primary NAP enforcement methods. It helps you determine the most appropriate enforcement method and corresponding design for your environment. You can use these deployment goals to create a comprehensive NAP design that meets the needs of your environment.

The following NAP enforcement methods are described in this guide:

  • NAP with IPsec enforcement

  • NAP with 802.1X enforcement

  • NAP with VPN enforcement

  • NAP with DHCP enforcement

  • NAP-NAC enforcement

Note
The TS Gateway enforcement method is not discussed in this guide. For more information, see TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=167919).
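
The following PowerShell script is an added illustration for this guide and is not Microsoft code or part of the original page. It applies the definitions above (a computer is NAP-capable only when the NAP Agent service is installed and running; installed but stopped is non-NAP-capable) and then maps the enforcement clients reported by the local NAP client onto the enforcement methods listed above. Three things it relies on are not stated in the guide and should be checked against your own hosts: the service name "napagent", the well-known enforcement client IDs in the lookup table, and the "Key = Value" block layout printed by "netsh nap client show state", for which a constructed sample is embedded so the parser also runs on a host without NAP.

```powershell
# Added example for this guide; it is not Microsoft code and not part of the original page.
# It applies the guide's own definitions on a Windows Vista/7/Server 2008 host:
#   NAP-capable     = NAP Agent service installed AND running
#   Non-NAP-capable = service absent, or installed but not running
# and then maps the enforcement clients reported by "netsh nap client show state" onto the
# enforcement methods the guide covers.
# Assumptions not stated in the guide: the service name "napagent", the well-known Windows
# enforcement client IDs in $EnforcementMethodById, and the "Key = Value" block layout of the
# netsh output. A constructed sample of that layout is embedded so the parser can run offline.

$EnforcementMethodById = @{
    79617 = 'NAP with DHCP enforcement (DHCP Quarantine Enforcement Client)'
    79618 = 'NAP with VPN enforcement (Remote Access Quarantine Enforcement Client)'
    79619 = 'NAP with IPsec enforcement (IPsec Relying Party)'
    79621 = 'TS Gateway enforcement (not covered by this guide)'
    79623 = 'NAP with 802.1X or VPN enforcement (EAP Quarantine Enforcement Client)'
}

function Get-NapCapability {
    # Classifies the local computer per the guide: the agent must be installed and running.
    $svc = Get-Service -Name 'napagent' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Capability = 'Non-NAP-capable'; Reason = 'NAP Agent service is not installed' }
    }
    if ($svc.Status -ne 'Running') {
        # Installed but stopped still counts as non-NAP-capable.
        return [pscustomobject]@{ Capability = 'Non-NAP-capable'; Reason = "NAP Agent service is $($svc.Status)" }
    }
    [pscustomobject]@{ Capability = 'NAP-capable'; Reason = 'NAP Agent service is running' }
}

function ConvertFrom-NapClientState {
    # Groups "Key = Value" lines into blocks; each client block starts with an "Id =" line.
    # System health agents are listed with an Id too, so unmapped Ids are reported as such
    # rather than guessed at.
    param([Parameter(Mandatory)][string[]]$Lines)
    $blocks = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>[^=]+?)\s*=\s*(?<value>.*?)\s*$') {
            $key = $Matches['key']
            $value = $Matches['value']
            if ($key -eq 'Id') {
                $current = @{}
                $blocks += $current
            }
            if ($null -ne $current) { $current[$key] = $value }
        }
    }
    foreach ($b in $blocks) {
        $id = [int]$b['Id']
        $method = if ($EnforcementMethodById.ContainsKey($id)) { $EnforcementMethodById[$id] } else { 'Not an enforcement client covered by this guide' }
        [pscustomobject]@{
            Id          = $id
            Name        = $b['Name']
            Initialized = $b['Initialized']
            Method      = $method
        }
    }
}

# Constructed sample of the netsh layout (two enforcement clients, one initialized).
$SampleNetshOutput = @'
Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Id                     = 79619
Name                   = IPsec Relying Party
Initialized            = Yes
'@ -split "`r?`n"

$capability = Get-NapCapability
$capability | Format-List

# Query the live agent only on a NAP-capable host; otherwise demonstrate the parser on the sample.
$stateLines = if ($capability.Capability -eq 'NAP-capable') { netsh nap client show state } else { $SampleNetshOutput }
ConvertFrom-NapClientState -Lines $stateLines | Format-Table Id, Method, Initialized -AutoSize
```

Run it in an elevated PowerShell session on a candidate client. A host that reports Non-NAP-capable will be treated by the health policy server exactly as the concept list describes, whatever its actual patch or firewall state, so this check is a useful first step before deciding which enforcement method a given population of machines can participate in.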

For each enforcement method, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your NAP deployment. After you read this guide and finish gathering, documenting, and mapping your organization's requirements, you will have the information you need to begin deploying NAP using the guidance in the Network Access Protection Deployment Guide.

For a list of NAP-related terms, see NAP Terminology.


Community Content
Re: PDF or Word Doc Version (Greg Lindsay MSFT)
Hi,
In response to request for a PDF or Word version of the design and deployment guides, I've added these to the Microsoft Download Center here: http://www.microsoft.com/download/en/details.aspx?id=28702.

Thanks,
Greg Lindsay
I'm probably in the wrong place, got ideas to share... (antihacker101 ... Thomas Lee)
Due to the worm situation and no one contacting me, I am more aware of the worm in areas of the hacker's intent. The worm changed in November for the first time, 2 days after a Danielle was arrested for altering data and selling p2p.com, which was at the beginning, and the name matched. I know more about this worm, and I now see MSFT and DNS joint forces in my machine. So maybe something is now being done and someone is listening.
This is the situation and idea. Due to the root certificate situation and attempts for a new system, I went through in my head every possible secure system, and thought it would be a great idea to have a blog to share ideas. Maybe y'all found one already and I'm late, but I'll still display it. Knowing the worm and loopback interception and creation and non-validation outside the intercept, any fake cookie will not be enough. Even if the hacker can't get in, this worm has a 2nd machine, so to speak, that hides in the kernel after altering device drivers and BIOS and firmware. Also, by checking my active sessions, where the hacker failed to hide, there was an IP address that showed a list of hundreds of certificates, including banks. The best idea I've got so far (note I'm not as smart as y'all) is where the certificate would have to do 4 things. It would have to go to the security site that gave it permission, then go to the site trying to access, and then a program (exe) would have to be involved so no further interception can happen. Each of these sites would have part of an encryption code that will only work when all sites involved are added together.
Then the hacker could still go into memory and use assembly language to override the block if it failed. In my past programming, I added the security situation in different parts of the program and also used a timer to call to see how it was validated. If this doesn't happen and the hacker rerouted, it would put the block back on and secure more. I'm just an amateur trying to help where needed. No one contacted me who could have prevented these hackings, and I even had the shutdown code...

[tfl - 04 07 2010] Hi, and thanks for your post. You should post questions like this to the MSDN Forums at http://forums.microsoft.com/msdn or the MSDN Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely to get a quicker response using the forums than through the Community Content. For specific help about:
Visual Studio : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.vstudio%2C&;;
SQL Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&;;
.NET Framework : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.dotnet.framework
PowerShell : http://groups.google.com/group/microsoft.public.windows.powershell/topics?pli=1
All Public : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C&;;

But I would suggest a block where IT techs, if all else fails, can share their ideas and figure out ways around it so it can be improved.


PDF or Word Doc Version (7RCTester)
Are there word doc or PDF versions of the NAP documentation available?
Where to submit suspect files (jbohn)

This is a response to antihacker101's post last month regarding an unnamed worm.
Microsoft's Malware Protection Center is the right place to submit any suspect files:
https://www.microsoft.com/security/portal/Submission/Submit.aspx

main MMPC site: www.microsoft.com/mmpc

thanks

© 2012 Microsoft. All rights reserved.