What's New in Network Access Protection
Updated: January 9, 2009
Applies To: Windows Server 2008 R2
Network Access Protection (NAP) provides the following new feature in Windows Server® 2008 R2:
Multi-configuration SHV. This feature targets both the cost of deployment and ownership of NAP servers by allowing you to specify multiple configurations of a system health validator (SHV). When you configure a health policy, you can select one of these SHV configurations. When you configure a network policy for health evaluation, you select a specific health policy. Therefore, different network policies can specify different sets of health requirements based on a specific configuration of the SHV. For example, you can create a network policy that specifies that intranet-connected computers must have antivirus software enabled and a different network policy that specifies that VPN-connected computers must have their antivirus software enabled and signature file up-to-date.
NAP provides the following new feature in Windows® 7:
NAP client user interface improvements. After collecting feedback from end-user interaction with NAP in Microsoft and partner deployments, the end-user experience has been improved by integrating the NAP client user interface into the Action Center on computers running Windows 7.
Network administrators, system administrators, and network architects who design and manage a NAP deployment will be interested in these features.
Following are special considerations for using new features with NAP:
To use multi-configuration SHVs, NAP health policy servers must be running a Windows Server 2008 R2 operating system.
Multi-configuration SHVs are only available for SHVs that support this feature, for example the Windows Security Health Validator (WSHV).
To use NAP client user interface improvements, client computers must be running a Windows 7 operating system.
These features provide greater flexibility and simplicity for administrators who manage a NAP infrastructure. The following sections describe how you can use these improvements.
SHVs define configuration requirements for computers that attempt to connect to your network. For example, the WSHV can be configured to require that some or all of the following are enabled on NAP client computers:
Firewall. If selected, the client computer must have a firewall that is registered with Windows Security Center and enabled for all network connections.
Virus protection. If selected, the client computer must have an antivirus application installed, registered with Windows Security Center, and turned on.
Antivirus is up-to-date. If selected, the client computer can also be checked to ensure that the antivirus signature file is up-to-date.
Spyware protection. If selected, the client computer must have an antispyware application installed, registered with Windows Security Center, and turned on.
Antispyware is up-to-date. If selected, the client computer can also be checked to ensure that the antispyware signature file is up-to-date.
Automatic updating. If selected, the client computer must be configured to check for updates from Windows Update. You can choose whether to download and install them.
Security update protection. If selected, the client computer must have security updates installed based on one of four security severity ratings in the Microsoft Security Response Center (MSRC). The client must also check for these updates at a specified time interval. You can choose to use Windows Server Update Services (WSUS), Windows Update, or both to obtain security updates.
To ensure that NAP client computers meet these requirements, you must configure WSHV settings, enable WSHV in a health policy, and then add the health policy condition to a network policy.
When an SHV supports the multi-configuration SHV feature, different settings can be stored in multiple SHV configuration profiles. When you configure a health policy, you can choose which SHV will be used, and custom settings for the SHV if these have been configured. For example, using this feature you might create the following two health policy configurations:
Default configuration. The client computer must have a firewall and Windows Update enabled, antivirus and antispyware applications must be on and up-to-date, and all important security updates must be installed.
Trusted configuration. The client computer must have an antivirus application on and up-to-date.
These settings can then be used to create health policies requiring either default configuration settings or trusted configuration settings. You can create as many unique configuration settings as you require.
Previously, it was necessary to use a different NAP health policy server to specify a different set of configurations for the same SHV. With multi-configuration SHV, a single NAP health policy server can be used to deploy multiple configurations of the same SHV.
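The following Python model is an added illustration, not Microsoft code, of the relationship the two preceding sections describe: a network policy references one health policy, the health policy references one named configuration of the WSHV, and the client's statement of health is checked against only the requirements that configuration enables. The check names, the "Default Configuration" and "Trusted Configuration" requirement sets, the assignment of VPN connections to the default configuration and intranet connections to the trusted configuration, and the sample client report are all constructed for the example. It also enforces the dependency the WSHV settings imply (an "up-to-date" check is meaningful only when the corresponding protection check is required), which the page states in prose but not as a rule.

```python
"""Model of NAP health evaluation with multi-configuration SHVs (added example)."""
from dataclasses import dataclass

# The seven WSHV checks listed on the page, as constructed identifiers.
WSHV_CHECKS = frozenset({
    "firewall",
    "virus_protection",
    "antivirus_up_to_date",
    "spyware_protection",
    "antispyware_up_to_date",
    "automatic_updating",
    "security_update_protection",
})

# An "up-to-date" check presupposes that the protection itself is required.
DEPENDS_ON = {
    "antivirus_up_to_date": "virus_protection",
    "antispyware_up_to_date": "spyware_protection",
}


@dataclass(frozen=True)
class ShvConfiguration:
    """One named configuration of an SHV (the multi-configuration SHV feature)."""
    name: str
    required: frozenset

    def __post_init__(self):
        unknown = self.required - WSHV_CHECKS
        if unknown:
            raise ValueError(f"{self.name}: unknown WSHV checks {sorted(unknown)}")
        for check, parent in DEPENDS_ON.items():
            if check in self.required and parent not in self.required:
                raise ValueError(f"{self.name}: {check} requires {parent}")

    def evaluate(self, soh):
        """Return the required checks the client's statement of health fails."""
        return sorted(c for c in self.required if not soh.get(c, False))


@dataclass(frozen=True)
class HealthPolicy:
    """A health policy selects exactly one SHV configuration."""
    name: str
    shv_config: ShvConfiguration


@dataclass(frozen=True)
class NetworkPolicy:
    """A network policy matches a connection type and selects one health policy."""
    name: str
    connection_type: str
    health_policy: HealthPolicy


class HealthPolicyServer:
    """Single NAP health policy server holding several SHV configurations."""

    def __init__(self, policies):
        self.policies = list(policies)

    def evaluate(self, connection_type, soh):
        for policy in self.policies:
            if policy.connection_type == connection_type:
                cfg = policy.health_policy.shv_config
                failed = cfg.evaluate(soh)
                return {
                    "network_policy": policy.name,
                    "health_policy": policy.health_policy.name,
                    "shv_configuration": cfg.name,
                    "compliant": not failed,
                    "failed_checks": failed,
                }
        raise LookupError(f"no network policy for connection type {connection_type!r}")


def build_server():
    """Constructed policy set modelled on the page's Default/Trusted example."""
    default_cfg = ShvConfiguration("Default Configuration", WSHV_CHECKS)
    trusted_cfg = ShvConfiguration(
        "Trusted Configuration", frozenset({"virus_protection", "antivirus_up_to_date"}))
    return HealthPolicyServer([
        NetworkPolicy("VPN connections", "vpn", HealthPolicy("Compliant - Default", default_cfg)),
        NetworkPolicy("Intranet connections", "intranet", HealthPolicy("Compliant - Trusted", trusted_cfg)),
    ])


# Constructed statement of health: everything on except stale antispyware signatures.
SAMPLE_SOH = {
    "firewall": True,
    "virus_protection": True,
    "antivirus_up_to_date": True,
    "spyware_protection": True,
    "antispyware_up_to_date": False,
    "automatic_updating": True,
    "security_update_protection": True,
}


def demo():
    """Evaluate the same client against both network policies on one server."""
    server = build_server()
    return {ct: server.evaluate(ct, SAMPLE_SOH) for ct in ("vpn", "intranet")}


if __name__ == "__main__":
    for ct, result in demo().items():
        print(ct, result["shv_configuration"], "compliant" if result["compliant"] else result["failed_checks"])
```

The same client report is non-compliant under the default configuration (stale antispyware signatures) and compliant under the trusted configuration, with both decisions coming from one server, which is the point of the feature.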
Multi-configuration SHV affects the procedures used to configure SHVs and health policies. SHV configuration is divided into settings configuration and error codes configuration. If an SHV supports multi-configuration SHV, then additional settings can be created by right-clicking Settings, clicking New, and then providing a friendly name for the new configuration. If an SHV does not support multi-configuration SHV, you can configure requirements by using the Default Configuration settings.
Multi-configuration SHV is only available if the SHV vendor has designed the SHV to support this feature.
Review the NAP policy configuration and settings on all NAP health policy servers on your network to determine how they will be affected by this feature. If you upgrade these servers from Windows Server® 2008 to Windows Server 2008 R2, verify that all SHV settings are correctly migrated to Default Configuration settings for all installed SHVs.
The end user experience has been enhanced by improving the messages the end user sees about NAP and by integrating the NAP client user interface into the Action Center on computers running Windows 7. The Action Center provides a central location to view alerts and take action that can help keep Windows running smoothly.
By integrating NAP client notifications with the Action Center, the end user has a comprehensive view of all important security and maintenance settings on their computer that might need attention.
When settings or services on an end user's computer do not meet network requirements, the end user might receive a NAP notification message. These messages have been improved and integrated into the Action Center on computers running Windows 7.
NAP client notification messages are only provided on computers that have the NAP Agent service running. The Action Center is only available on computers running Windows 7.
Review the types of messages provided by the Action Center on computers running Windows 7. For example, a red item in Action Center indicates an important issue that must be addressed soon. Yellow items are suggested tasks, such as maintenance tasks.