Determine Administrator Roles and Processes for Network Access Protection

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

In a production environment, implementing Network Access Protection (NAP) will require interaction and collaboration with a number of different groups across the enterprise. For example, these groups might include the following:

  • Active Directory Domain Services architects to designate which forest will be used to publish the NAP health state references, and extend the schema with Configuration Manager 2007 schema extensions.

  • Active Directory Domain Services service administrators to extend the schema and configure the System Management container with required security permissions. The same administrators might also be involved in creating or identifying Windows security accounts or groups to be used when configuring the System Health Validator point and NAP policies.

  • Infrastructure architects to design the network and server architecture that will be required to support Network Access Protection, including deciding which enforcement technologies will be used.

  • Public key infrastructure (PKI) specialists to provide certificate services if you are using an IPsec enforcement solution with Network Access Protection.

  • Windows Server administrators to build and configure the Network Policy Servers and supporting Windows services.

  • Firewall administrators to make configuration changes on firewalls and network devices required to support Network Access Protection.

  • Security advisors to help determine the criteria by which software updates are selected for NAP enforcement, the date by which they will be enforced, and whether non-compliant computers will be restricted until compliant.

  • In-house Web designers to build a comprehensive troubleshooting Web site for computers that fail to remediate on the restricted network.

  • Help Desk engineers who might receive calls from users who cannot get access to the network because their computers have restricted access, or when remediation fails.

  • Configuration Manager software distribution administrators to upgrade clients running a supported version of Windows XP to Windows XP Service Pack 3 so that these clients can support Network Access Protection.

  • Configuration Manager software updates administrators to configure software update points and create software update packages on distribution points.

  • Configuration Manager administrators to configure System Health Validator points, configure the Network Access Protection client agent, and then configure and monitor Configuration Manager NAP policies.

  • End users who will require training and notification about the Network Access Protection processes, and what to do if they encounter a problem.

Because a Network Access Protection solution involves so many roles, a successful implementation will depend on identifying who is responsible for the various roles and ensuring collaboration between groups when necessary. A successful ongoing implementation will depend on identifying and adhering to processes that coordinate the various functions between the roles.

Some of the consequences of not having and following defined processes when Network Access Protection is implemented in a production environment are as follows:

  • The Help Desk is inundated with calls from users who are getting Network Access Protection messages and errors.

  • Productivity drops and deadlines are missed because users cannot access the network resources they need.

  • Satisfaction levels for IT services drop and Service Level Agreements (SLAs) are not met.

  • Non-compliant computers are incorrectly given full network access and put corporate resources at risk.

Use a methodology such as ITIL or Microsoft Operations Framework ( to help you implement Network Access Protection within a framework of defined processes. Make sure you document your design, testing procedures, the areas of responsibility, the processes to follow for configuring policies, remediation, and troubleshooting, and then disseminate this information, making sure that it is centrally available and updated.

Review existing company security policies and, if necessary, modify them to include the implementation of Network Access Protection. Company security policies often drive downstream processes to enforce policy compliance.

Role Separation in Configuration Manager

When you are determining the roles required for Network Access Protection in Configuration Manager, there is a potential overlap between software updates and Network Access Protection. These two roles can be combined or separated, depending on your business requirements. Typically, smaller organizations will combine the two roles, but some organizations will want to separate the roles. The Network Access Protection role in Configuration Manager might even be combined with other roles external to the product, such as Network Policy Server administrators or security administrators.

The role separation for software updates and Network Access Protection in Configuration Manager 2007 is supported by having a separate node for Network Access Protection in the Configuration Manager console. Use the Security tab on the properties of the Network Access Protection node to specify permissions to specific users or groups for tasks in Configuration Manager related to Network Access Protection. Then use the Security tab on the properties of the Software Updates node so that the Network Access Protection administrators do not have access to software updates. This configuration results in the following:

  • Network Access Protection administrators can view the resulting Network Access Protection statistics in the Network Access Protection node.

  • Network Access Protection administrators can create, view, modify, and delete NAP policies.

  • Network Access Protection administrators cannot create, view, modify, or delete software update deployments, packages, or templates.

Because the Policies node also has its own Security tab, you can refine the permissions further to control which Network Access Protection administrators can view, create, modify, and delete NAP policies.

However, because you can configure a software update to be enabled for NAP evaluation in the Deploy Software Updates Wizard and as a property of a packaged update, you cannot prevent software update administrators from also configuring Configuration Manager NAP policies from within the Software Updates node.

If you are using role separation in Configuration Manager, you might also want to configure security so that Network Access Protection administrators have access to the Reporting node, so that Network Access Protection administrators can run reports with the category Network Access Protection.

An administrator who only manages Network Access Protection in Configuration Manager 2007 would not need access to the collections, because Configuration Manager NAP policies are automatically targeted to all clients that are assigned to the site.

For more information about the security rights for Network Access Protection in Configuration Manager, see Network Access Protection Security Rights.

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email