
Managing Network Access Protection at Microsoft

Technical White Paper

Published: June 2009


Situation

Microsoft IT needed a new mechanism to ensure that computers connected to the corporate network comply with the company's health requirement policies.

Solution

Microsoft IT is adopting Microsoft Network Access Protection as the primary mechanism to monitor, report, and enforce health compliance for Windows 7, Windows Vista, Windows XP SP3, and Windows Server 2008 systems that are connected to the corporate network.

Benefits

  • Improves the end user experience due to automatic remediation that updates computers when possible without requiring any end user interaction
  • Offers a stronger host-based security model
  • Increases return on investment by utilizing the same compliance evaluation mechanism with built-in remediation and enforcement capabilities across all connectivity scenarios such as IPsec, VPN, and DirectAccess
  • Reduces Helpdesk calls related to system health issues
  • Extends reporting and auditing to provide system-wide health information

Products & Technologies

  • Microsoft Windows Server 2008
  • Windows 7
  • Windows Vista
  • Windows XP
  • Windows XP SP3
  • System Center Configuration Manager 2007
  • Microsoft Forefront
  • Microsoft DirectAccess
  • VPN

  • Executive Summary
  • Introduction
  • Microsoft IT Operations Using NAP
  • Deploying NAP
  • Best Practices
  • Conclusion
  • For More Information

Executive Summary

A major concern for network administrators is how to ensure that computers connecting to private networks are always up-to-date and are compliant with the company's health policy requirements. This task is commonly referred to as maintaining computer health. Although maintaining compliance on systems that are permanently stationed within the corporate network is significant, a greater challenge is how to identify and ensure health requirements on roaming laptops and other remote systems are maintained in a compliant state. This is especially challenging when computers are not persistently connected to the corporate network and are therefore not easily accessible to network administrators in order to update non-compliant systems.

To validate access to a network based on system health, a network infrastructure needs to provide the following areas of functionality:

  • Health policy validation - Ability to define health policies and validate whether a computer is compliant.
  • Remediation - Automatically drive and apply the changes needed to allow a non-compliant computer to become compliant.
  • Ongoing compliance - Continuously monitor compliant computers and compliance policy to ensure that both are maintained accordingly.
  • Network access limitation - Provide the option to restrict network access for non-compliant computers.

Microsoft® Network Access Protection (NAP) is available for computers running Windows Server® 2008, Windows Server 2008 R2, Windows® 7, Windows Vista®, and Windows XP Service Pack 3 (SP3). Microsoft Information Technology (Microsoft IT) uses NAP to monitor the health state of network clients and records their compliance states in a database. In addition, Microsoft IT leverages NAP's network access restriction capabilities with:

  • Microsoft DirectAccess and Virtual Private Network (VPN) to restrict network access until the computers are healthy.
  • Continuous NAP Compliance and IPsec-NAP to provide compliance reporting for each system without applying network restriction.

The difference between these two cases is whether or not a non-compliant client's network access is restricted. Regardless of any network access restriction, clients in both cases automatically remediate non-compliant states, meaning they automatically fix whatever is not complying with the health policies in order to become compliant. Once remediated, systems whose access had been restricted due to non-compliance are granted access to corporate resources.

This paper briefly discusses the evolution of system health reporting and enforcement scenarios at Microsoft IT; the current Microsoft IT computer health strategy that is based upon the NAP framework; the reporting and enforcement infrastructure currently in place; and the deployment phases and best practices Microsoft IT developed to monitor, report, and enforce computer health for systems within the corporate network as well as those that remotely access corporate resources over the Internet.

Note: For security reasons, the sample names of forests, domains, internal resources, organizations, and internally developed security file names used in this paper do not represent real resource names used within Microsoft and are for illustrative purposes only.

Introduction

As the core group at Microsoft that is responsible for managing the company's corporate network and systems infrastructure, Microsoft IT uses a variety of technologies to monitor and enforce health policies of computers that are connected to the corporate network.

This section of the paper summarizes the critical aspects of network security and system health that Microsoft IT is responsible for maintaining, and then compares the traditional approach used before the advent of NAP with the current practices that focus on NAP as an extensible framework used by Microsoft IT for network access control authentication, authorization, reporting, auditing, remediation, and optionally for access enforcement.

Network Security and System Health Requirements

One of the most critical aspects of maintaining a secure computing environment is to ensure the health of the computers and devices that are connected to it. Microsoft IT has a mandate to provide the company with the most secure computing environment possible. At a more granular level, Microsoft IT's network security and system health objectives include:

  • Keeping computers in compliance with corporate policy and government regulations regardless of their location inside or outside the corporate network.
  • Ensuring user productivity while mitigating security threats.
  • Automating remediation of non-compliant systems.
  • Enforcing access at the edge (based on identity, health, and authorization).
  • Confirming compliance by reviewing data collected from compliance activities.
  • Evolving security requirements on a regular basis to mitigate new security risks.

Microsoft IT's Historical Approach

Over the years, Microsoft IT had created a custom solution to manage simple compliance validation such as antivirus and security updates. However, this custom solution was limited in scope and was somewhat costly due to the requirements associated with maintaining custom code.

In addition to the cost, the custom solution was relatively slow, had many dependencies, and had several points of failure. All these challenges made the custom solution cumbersome and highlighted a need for the adoption of a standardized approach to system health.

Microsoft IT needed a framework that would allow them to extend security and system health checks, which ultimately would provide a stronger solution for security and compliance. Being able to adopt a technology that improved the end user experience with regards to the custom solution was also an important criterion.

Microsoft IT's Approach to Using NAP

When NAP was first developed, Microsoft IT recognized NAP's value as a key factor in their quest to improve the overall security and health of Microsoft's computing environment. NAP is a commercial solution for companies of all sizes, from small businesses to the enterprise. NAP has no reliance on custom code, and uses components built into the Windows product. As an integrated feature in Windows, NAP provides a seamless user experience, which is a significant improvement over the earlier custom solution.

Available as a feature in Windows XP SP3, Windows Vista, Windows 7, and Windows Server 2008, NAP provides an integrated mechanism for detecting the health state of a network client that is attempting to connect to or communicate on a network and then optionally limiting the access of the network client until the health policy requirements have been met.

Using NAP, Microsoft IT has a powerful health compliance validation, remediation, and enforcement framework that does not require any custom code. Microsoft IT uses a combination of "in the box" components, including the NAP Agent service and the Windows Security Health Agent (WSHA), and other Microsoft products such as System Center Configuration Manager (SCCM) and Microsoft Forefront™ to extend NAP's compliance checks.

In addition to the previously mentioned Microsoft products, there is a large community of Microsoft Partners who are creating complementary NAP products. A list of participating partners is available at
http://www.microsoft.com/windowsserver2008/en/us/nap-partners.aspx.

Finally, for companies that want to develop their own NAP components, NAP provides an application programming interface (API) that can provide additional compliance checks and remediation. For more information, see
http://msdn.microsoft.com/en-us/library/aa369712.aspx.

Microsoft IT Operations Using NAP

NAP is a key component of Microsoft IT's network security requirements, providing these critical functions:

  • Health evaluation and compliance reporting: Microsoft IT leverages the NAP IPsec framework both for computers within the corporate network and for systems that roam externally and use the Internet to access corporate resources.
  • Automatic remediation: For computers that are "unhealthy," NAP's automatic remediation feature silently drives the computer to a healthy state by automatically correcting those aspects of the computer's security, configuration, and state that are determined to be non-compliant, and then has the system automatically reconnect to the corporate network.
  • Network access control: If required by a company's health policies, NAP can optionally use a proof-of-health certificate to control or restrict access to the network. Conforming to its corporate health policies, Microsoft IT uses NAP to allow healthy remote systems complete access to the corporate network, whereas unhealthy remote systems connecting via DirectAccess or VPN can reach only the remediation servers.

Compliance Reporting with Automatic Remediation

The NAP framework gives Microsoft IT a reporting capability that was not available in Microsoft's previous custom solution. Reporting mode is the process of NAP establishing the communication between the end user client computer and the IT infrastructure servers. In contrast to enforcement, NAP's reporting with automatic remediation does not restrict network access based on health compliance. Once the health issues from the reports are understood, policy configurations can be enabled to automatically remediate a non-compliant computer.

NAP in the Corporate Network

Inside the corporate network, Microsoft IT is using NAP's IPsec Quarantine Enforcement Client (QEC). Microsoft IT uses this framework for reporting only; the IPsec QEC's optional enforcement capabilities have not been implemented.

Microsoft IT selected NAP IPsec QEC because it does not require any change to their existing network infrastructure services such as switches, Dynamic Host Configuration Protocol (DHCP) servers, and domain controllers. Microsoft IT continues to maintain its IPsec server and domain isolation environment. With IPsec, the corporate domains can be isolated, segmenting all computers into trusted and untrusted groups.

Continuous NAP Compliance

Continuous NAP Compliance is a new deployment model for NAP that delivers similar benefits to remote systems that NAP provides to those sitting within a corporate network:

  • Continuous NAP Compliance provides customers the ability to achieve perpetual NAP compliance for computers running Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Vista, or Windows XP (SP3) regardless of their location.
  • Continuous NAP Compliance also provides administrators with the compliance state of all computers and accelerates access of those systems where health compliance is a prerequisite for connecting. Continuous NAP Compliance also provides an automatic remediation capability that transparently updates computers that are identified as being out of compliance with corporate health policies.

Continuous NAP Compliance is supported by some system health agents (SHAs). Microsoft IT, for example, is using Continuous NAP Compliance with Windows Security Health Agent (WSHA).

The term "Continuous NAP Compliance" describes a scenario where NAP uses Hypertext Transfer Protocol Secure (HTTPS) over the Internet in order to enable compliance reporting and automatic remediation for remote computers that are not using DirectAccess or VPN to connect to corporate resources through the Internet. With Continuous NAP Compliance, the clients only require an HTTPS-based connection to an Internet-facing Health Registration Authority (HRA).

Continuous NAP Compliance fills the security gap that exists for mobile computers that are otherwise managed only when they are physically connected to the corporate network or connected by VPN. Client computers updated prior to connecting over VPN result in faster connect times and a better user experience. Continuous NAP Compliance can be leveraged as the health checking/enforcement mechanism for Microsoft DirectAccess. The information logged by the HRA and Network Policy Server (NPS) (NAP reporting) can be used for asset tracking and for forensics on stolen or lost assets. Overall, Continuous NAP Compliance enables a stronger host-based security model for domain-joined computers connected to the Internet from anywhere, at any time.

Internet-facing HRAs are deployed on the network edge, or possibly behind ISA Server. Domain-joined clients receive the additional Internet HRA URLs through the existing NAP client settings Group Policy objects (GPOs). Microsoft IT has clients communicate with the NAP HRAs using HTTPS/Secure Sockets Layer (SSL) whenever they are connected to the Internet. Because Microsoft IT's HRA servers are reachable from the Internet, this transparent communication occurs periodically without any end user action or intervention, and without any need to reconnect to the corporate network. Reporting Mode, Deferred Enforcement Mode, and Full Enforcement Mode are all possible usage scenarios. This allows for Internet reporting based on client communication with Internet HRAs, as well as asset tracking based on the source IP addresses that are captured in HRA events.
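The client-side settings that the paragraphs above describe as arriving through GPO can also be inspected and set locally with the built-in netsh nap client context. The following script is an added example, not Microsoft IT's configuration or anything from the white paper: it enables the IPsec enforcement client, defines a trusted server group that accepts only HTTPS HRAs, registers an Internet-facing HRA URL, and verifies the result. The HRA host name is a placeholder assumption; the /DomainHRA/hcsrvext.dll path is the virtual directory the HRA role creates for domain-authenticated clients.

```powershell
# Added example (not from the white paper): local NAP client configuration for
# Continuous NAP Compliance against an Internet-facing HRA. Run from an elevated
# PowerShell prompt on a Windows 7 / Windows Vista / Windows XP SP3 client. In a
# managed environment these settings come from the NAP Client Configuration GPO;
# setting them by hand is useful for lab validation and troubleshooting.

# Placeholder: replace with the organisation's real Internet-facing HRA host name.
$HraUrl = "https://hra.example.com/DomainHRA/hcsrvext.dll"

# 1. The NAP Agent service must be running for any enforcement client to work.
#    (Use Set-Service rather than 'sc', which PowerShell aliases to Set-Content.)
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the IPsec Relying Party enforcement client (ID 79619). Other built-in
#    IDs: 79617 DHCP, 79618 Remote Access (VPN), 79621 TS Gateway, 79623 EAP.
netsh nap client set enforcement id = 79619 admin = "enable"

# 3. Define a trusted server group that requires HTTPS, then add the HRA to it.
#    requirehttps = enable keeps the statement of health and the issued health
#    certificate off the Internet in clear text.
netsh nap client add trustedservergroup name = "Internet HRAs" requirehttps = "enable"
netsh nap client add server group = "Internet HRAs" url = $HraUrl processingorder = "1"

# 4. Verify: the IPsec enforcement client should be enabled and initialized, and
#    the configuration output should list the HRA URL under "Internet HRAs".
netsh nap client show state
netsh nap client show configuration

# 5. Check whether Group Policy is overriding the local settings (GPO wins when
#    the NAP client settings policy is applied).
netsh nap client show grouppolicy

# 6. Optional troubleshooting: verbose NAP Agent tracing for the first pilot clients.
netsh nap client set tracing state = "enable" level = "verbose"
```

If step 4 shows the enforcement client enabled but not initialized, the NAP Agent service or the SHA is not running; if the HRA URL is missing while step 5 shows a policy applied, the GPO is the configuration source and the local values are ignored.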

System Health Agents and Validators

Components of the NAP infrastructure known as system health agents (SHAs), which reside on client systems, and system health validators (SHVs), which live on servers, provide health state tracking and validation. The System Health Validators are configured to determine the specific health requirements for clients on the network.

NAP is designed to be flexible and extensible. It can interoperate with any vendor's software that provides SHAs and SHVs that use the NAP API. Microsoft IT is currently working with the following components:

  • Windows Security Health Validator
  • System Center Configuration Manager System Health Validator
  • Forefront Client Security (FCS) 2.0 System Health Validator

Windows Security Health Agent (WSHA)

Windows Security Health Agent is available out-of-the-box for Windows XP SP3 and newer systems, including Windows Vista and Windows 7.

When checking computer health at a high level, WSHA provides a very comprehensive health agent for Windows-based systems. WSHA covers a broad scope of compliance checks including firewall, antivirus, and antispyware; provides automatic updates configuration; and ensures that updates of a specific severity level are installed.

For Microsoft IT, WSHA is currently the only agent that is required to validate health for computers connecting remotely to the corporate network using DirectAccess or VPN. Microsoft IT uses WSHA's reporting and remediation capabilities for both Internet-based and corporate intranet scenarios.

System Center Configuration Manager

SCCM provides a highly manageable patch distribution mechanism that supports grace periods and third-party patches. As with WSHA, SCCM provides its own reporting framework and patch-specific metrics.

Microsoft IT is using SCCM for patch management and uses SCCM NAP integration to measure patch compliance for its networks. Microsoft IT is also in the process of enabling NAP with SCCM for enforcement purposes.

Microsoft Forefront Client Security 2.0

Forefront Client Security (FCS) 2.0 is a powerful antivirus and anti-spyware solution that offers a wide range of security checks, including Microsoft BitLocker™ drive encryption, User Account Control (UAC), Internet Explorer® security settings, and others. In addition to the security checks, FCS also manages the Windows Firewall and scans for missing Microsoft security updates.

Similar to WSHA and SCCM, Forefront has its own reporting framework associated with it.

Enforcement Scenarios

As previously described, NAP can optionally be used to enforce system health, and if corporate health requirements demand it, NAP can restrict access to corporate resources to systems that have been identified as unhealthy. After NAP automatically remediates the computer and confirms the computer is healthy, NAP can then automatically re-connect the computer to the corporate network.

There are several different kinds of enforcement scenarios NAP can use. The scenarios Microsoft IT is implementing and evaluating are described in the following text.

Microsoft DirectAccess

Microsoft IT is implementing a new secure network access feature in Windows 7 and Windows Server 2008 R2 named DirectAccess. This new secure network access technology uses IPsec for authentication and encryption in order to provide a secure connection to the corporate network without having to use a VPN. Corporate network file shares, intranet Web sites, and line-of-business (LOB) applications are accessible through DirectAccess wherever an Internet connection is available.

DirectAccess connects remote workers seamlessly to corporate resources. The ability for DirectAccess to provide an "always on" secure communication channel through the Internet using "standard" ports such as TCP 443 translates to significant productivity improvements for remote workers at their customer sites or in other remote locations with restrictive port or firewall policies. With DirectAccess, employees can access corporate resources from remote branch offices, extranets, or even while sitting at a Wi-Fi cafe.

DirectAccess provides the secure connection to corporate resources and then uses NAP to assess the health of any client attempting to access networked resources. Unhealthy systems are run through NAP's automated remediation capabilities to bring the system up to compliance before allowing full access to corporate resources.

The following illustration shows a simplified view of a remote DirectAccess client accessing a NAP Health Registration Authority server in order to obtain the health certificate that is required to gain full internal network access.

Figure 1. A schematic of Microsoft IT's DirectAccess implementation

For more information on DirectAccess, see Using DirectAccess to Provide Secure Access to Corporate Resources from Anywhere.

VPN

The VPN enforcement scenario allows both domain-joined and non-domain-joined systems to access corporate resources. VPN is Microsoft IT's primary remote connectivity solution for systems running Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

Instead of using the IPsec tunnel used by DirectAccess, VPN enables access via Point-to-Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), and a new feature in Windows 7 and Windows Server 2008 R2 named VPN Reconnect. The NAP framework applies the same compliance checks as the compliance requirements for remote connectivity. NAP restricts access for computers connecting via DirectAccess or VPN until they prove their compliance using the NAP framework and the health checks performed by WSHA (and other agents in the future).

IPsec-Forefront Soft Eviction

Forefront has an administratively controlled process for blocking computers from connecting to other systems on a network known as soft eviction.

Forefront's soft eviction feature functions in all NAP full enforcement scenarios, but Microsoft IT is investigating it only with IPsec. Microsoft IT is investigating the use of IPsec NAP enforcement and the Forefront soft eviction capabilities to prevent non-compliant systems from accessing other managed clients or servers when connected to the corporate network.

Sample Reports

Having accurate and detailed reporting data is critical to the success of any NAP deployment. This data assists in identifying causes of non-compliance and in tracking progress towards compliance goals. Microsoft IT uses NAP reporting to develop a better understanding of the potential impact to the client base as enforcement is planned and implemented for each individual corporate policy requirement and deployment phase.

The following illustration shows a variety of custom reports that Microsoft IT has developed.

Figure 2. Numbers and percentages of unique domain-joined computers that NAP reported as non-compliant in May 2009

The information in these reports can be extremely useful for identifying the numbers of computers that roam outside the corporate network and establish a connection to the Internet.

The following illustration identifies the total numbers of non-compliant systems for a variety of health requirements as of May 2009.


Figure 3. An alternate view of the May 2009 computers that were identified by NAP as non-compliant
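Figures 2 and 3 report non-compliance per unique computer and per health requirement. One detail such reports must get right is that a client evaluates repeatedly, so a machine that remediated and re-reported as compliant must not stay counted as non-compliant; only its latest evaluation matters. The script below is an added example, not one of Microsoft IT's reports and not the NPS SQL logging schema: it works over a handful of constructed, simplified evaluation records (timestamp, computer, agent, result) and produces a per-requirement count and percentage of the fleet in the style of Figure 2.

```powershell
# Added example (not from the white paper): summarize NAP health evaluations per
# unique computer and per non-compliance reason. The records are constructed and
# simplified for illustration; real data would come from NPS logging.
$Raw = @"
2009-05-04T08:12:00,PC-ALPHA,WSHA,Compliant
2009-05-04T08:13:30,PC-BRAVO,WSHA,NonCompliant:FirewallOff
2009-05-04T09:01:10,PC-CHARLIE,WSHA,NonCompliant:AntivirusOutOfDate
2009-05-04T09:45:00,PC-BRAVO,WSHA,Compliant
2009-05-05T07:30:00,PC-DELTA,WSHA,NonCompliant:FirewallOff
2009-05-05T07:31:00,PC-DELTA,SCCM,NonCompliant:MissingUpdates
2009-05-05T10:00:00,PC-ECHO,WSHA,Compliant
2009-05-05T10:05:00,PC-CHARLIE,WSHA,NonCompliant:AntivirusOutOfDate
"@

# Parse each line into an object; Trim() removes the carriage return on Windows.
$Events = $Raw -split "\r?\n" | Where-Object { $_.Trim() } | ForEach-Object {
    $f = $_.Trim() -split ","
    [pscustomobject]@{
        Time     = [datetime]$f[0]
        Computer = $f[1]
        Agent    = $f[2]
        Result   = $f[3]
    }
}

# Keep only the most recent evaluation per (computer, agent). PC-BRAVO was
# non-compliant at 08:13 and remediated by 09:45, so it must count as compliant.
$Latest = $Events |
    Group-Object Computer, Agent |
    ForEach-Object { $_.Group | Sort-Object Time | Select-Object -Last 1 }

# Fleet size = unique computers that reported at all (5 in the sample data).
$Total = ($Latest | Select-Object -ExpandProperty Computer -Unique).Count

# Unique non-compliant computers per requirement, as a count and as % of fleet.
$Report = $Latest |
    Where-Object { $_.Result -like "NonCompliant:*" } |
    ForEach-Object {
        [pscustomobject]@{ Computer = $_.Computer; Reason = ($_.Result -split ":")[1] }
    } |
    Group-Object Reason |
    ForEach-Object {
        $n = ($_.Group | Select-Object -ExpandProperty Computer -Unique).Count
        [pscustomobject]@{
            Requirement  = $_.Name
            Computers    = $n
            PercentFleet = [math]::Round(100 * $n / $Total, 1)
        }
    } |
    Sort-Object Computers -Descending

$Report | Format-Table -AutoSize
```

With the constructed records the fleet is five computers and each of FirewallOff, AntivirusOutOfDate and MissingUpdates shows one computer (20.0% of the fleet); PC-BRAVO does not appear because its latest evaluation is compliant. Grouping by computer and agent rather than by computer alone matters because, as the SHA sections note, WSHA and the SCCM SHV each report their own result for the same machine.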

Deploying NAP

This section discusses the reference architecture Microsoft IT designed when deploying NAP, and then lists the deployment phases and key tasks achieved at each milestone.

Microsoft IT's Deployment Topology

The following illustration shows the reference architecture of Microsoft IT's NAP deployment.

Figure 4. Microsoft IT's NAP deployment topology

Component and Role Deployment

  • Network Policy Servers: Network Policy Servers (NPS) were deployed for the NAP IPsec scenario. Each server runs both the NPS role and the Health Registration Authority (HRA) role. NPS is the NAP health policy server that evaluates the health state of NAP clients, determines whether network access or communication is allowed, and, through the set of installed NAP system health validators, determines the set of remediation actions that a non-compliant NAP client must perform. NPS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2008 and Windows Server 2008 R2. NPS is the replacement for the Internet Authentication Service (IAS) in Windows Server 2003. When acting as a NAP health policy server, NPS performs system health evaluation for NAP clients based on configured health and network policies.
  • Health Registration Authorities: The Health Registration Authority (HRA) role was installed on the same servers that run the NPS role. The HRAs were configured to point to all available Certificate Authorities, ordered by local region, and then by other regions.
  • Certificate Servers: The certificate servers were originally stand-alone, running Windows Server 2003 SP1 and chained to the existing Microsoft corporate root. During the Release Candidate 0 (RC0) timeframe, the certificate authorities were converted to become Enterprise CA, and templates were configured for the NAP health certificates. HRAs were given read and request permissions to the certificate authorities, as well as to the associated NAP health certificate templates. Certificate authorities were deployed in each of the North America, Europe, and Asia data centers.
  • Remediation Servers: Remediation servers consisted of servers, services, domain controllers, and other management servers that are accessible to non-compliant computers on the restricted network. These resources were installed to enable name resolution and to store the most recent software updates or components needed to make computers comply with corporate health requirements.
  • SQL: System reporting was configured via NPS Microsoft SQL Server® 2008 logging on servers running SQL Server 2008 Express Edition. These servers use SQL Server Service Broker to forward the metrics to a back-end SQL Server database.
  • DirectAccess Servers: DirectAccess servers were installed using two network adapters: one to connect directly to the Internet, and a second to connect to the corporate network.
  • Routing and Remote Access Servers: Microsoft IT has deployed Windows Server 2008 and Windows Server 2008 R2 with the Routing and Remote Access Server (RRAS) role. Microsoft IT is transitioning from their legacy Remote Access Quarantine Agent (RQS) and Remote Access Quarantine Client (RQC) quarantine implementation to the built-in functionality of NAP for enforcing health compliance when connecting via VPN.

Implementation Phases

Microsoft IT acts as the company's First and Best customer, helping to identify issues early in development in partnership with the product and technology teams, and helping to ensure robust functionality before product release.

Microsoft IT worked closely with the NAP product development team to map out a multi-phase plan for implementing NAP, which was designed to test and confirm the following key tasks and functionality before moving on to the next phase:

  • Lab testing
  • Reporting mode (pilot)
  • Reporting mode
  • Enforcement (pilot)
  • Enforcement

Details of each phase are listed in the following sections.

Lab Testing

Lab testing was ongoing and occurred for all major milestones of both the client and server builds. As bugs and change requests were filed and fixed, they were validated in the next appropriate milestone builds.

The initial goals of this phase included, but were not limited to, the validation of the following areas:

  • Group policy configuration
  • Client installation/configuration
  • Server installation/configuration
  • SHA installation/configuration
  • SHV installation/configuration
  • NPS policy configuration
  • HRA installation/configuration
  • SHA initialization
  • SHA remediation
  • NAP reporting requirements
  • Event logging client/server
  • General user experience

Reporting Mode (Pilot)

The initial goals of this phase included, but were not limited to, the validation of the following areas:

  • Verify that targeted clients are active and reporting to NAP
  • Capture daily statistics of unhealthy versus healthy clients
  • Verify that the required SHAs are installed successfully, initialized, and submitting an up-to-date "Statement of Health"
  • Verify that healthy clients are receiving a NAP health certificate
  • Baseline NAP infrastructure server performance for comparison to broader deployment
  • Compare statistics between SCCM, NAP, and custom compliance and security reports
  • Identify and resolve failures to remediate
  • Identify tools and data that need to be gathered to assist in troubleshooting NAP-related issues

Reporting Mode

The initial goals of this phase included, but were not limited to, the validation of the following areas:

  • Deploy to all managed domains
  • Verify that targeted clients are active and reporting to NAP
  • Capture and analyze daily statistics of unhealthy versus healthy clients
  • Verify that the required SHAs are installed successfully, initialized, and submitting an up-to-date "Statement of Health"
  • Verify that healthy clients are receiving a NAP health certificate
  • Monitor and compare NAP infrastructure server performance to baseline statistics
  • Compare statistics between SCCM, NAP, and custom compliance and security reports
  • Identify and resolve failures to remediate
  • Estimate impact to user base if enforcement enabled
  • Train Helpdesk and support tiers

Enforcement (Pilot)

The initial goals of this phase included, but were not limited to, the validation of the following areas:

  • Test health enforcement via the DirectAccess and VPN pilot scenarios
  • Capture daily statistics of unhealthy versus healthy clients
  • Compare statistics between SCCM, NAP, and custom compliance and security reports
  • Identify and resolve failures to remediate

Enforcement

The initial goals of this phase included, but were not limited to, the validation of the following areas:

  • Health enforcement via DirectAccess and VPN
  • Deploy to the rest of the corporate network and other forests
  • Capture daily statistics of unhealthy versus healthy clients
  • Compare statistics between SCCM, NAP, and custom compliance and security reports

Best Practices

In the course of designing, implementing, and operating NAP, Microsoft IT followed these best practices:

  • NAP is an end-to-end solution that crosses many solution areas and organization boundaries. Therefore, cross-group communication is critical for successful NAP deployments. Identify key stakeholders early and ensure processes and approvals are in place before moving forward.
  • Although activating reporting mode is simple, have someone experienced in SQL develop appropriate reports for any complex reporting needs.
  • There is value in using NAP in reporting mode, but consider activating automatic remediation to improve compliance and host-based security.
  • Consider the value/ROI of reporting mode and automatic remediation on the corporate network and any time domain-joined clients are connected with Continuous NAP Compliance.
  • If enforcement is desired, begin deployment with reporting mode and bring computers up to compliance. Once systems are confirmed as compliant, then evolve the deployment to full enforcement mode.
  • Consider deploying Continuous NAP Compliance mode as the simplest and easiest mechanism to get started with NAP.
  • If IPsec full enforcement is a consideration, make sure to evaluate existing public key infrastructure (PKI) early.
  • When deploying Continuous NAP Compliance, PKI is a minor consideration.

Conclusion

NAP is a built-in feature of the Windows operating system for computers running Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Vista, and Windows XP SP3 that offers an unprecedented set of out-of-the-box health evaluation and compliance reporting, automatic remediation, and optional network access control.

Since its inception, Microsoft IT has been using NAP to monitor the health state of network clients both inside and external to the corporate network. As the centerpiece of Microsoft IT's system health reporting and remediation infrastructure, Microsoft IT uses NAP to automatically and transparently bring non-compliant systems into compliance according to company health requirements. In addition, Microsoft IT leverages NAP's optional network access restriction capabilities for a variety of enforcement scenarios. By combining NAP's in-the-box agents with additional Microsoft products including SCCM and Forefront, Microsoft IT is able to extend NAP's capabilities to meet the company's health and security requirements without having to depend on any custom coded solution.

Finally, Microsoft IT uses NAP reporting to gain insight into the entire company's computer health compliance status. By regularly reviewing the NAP compliance data, Microsoft IT gains a better understanding of the state of the overall network and client health. This information is also used to assess the potential impact to the client base as enforcement is planned and implemented for each individual corporate policy requirement and deployment phase.

Moving forward, Microsoft IT is investigating how to further extend NAP's capabilities with the use of additional system health agents, such as enabling NAP with SCCM for enforcement purposes, and working with Forefront to benefit from its administrator-initiated quarantine capability as well as from its vulnerability assessment and remediation capabilities.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:

http://www.microsoft.com

http://www.microsoft.com/technet/itshowcase

http://www.microsoft.com/nap

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, BitLocker, Forefront, Internet Explorer, SQL Server, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of the Microsoft group of companies.
