No Enforcement Design
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
You can choose to implement NAP on your network without restricting the access of noncompliant or non-NAP-capable computers. This design choice provides the benefits of automatic remediation and compliance monitoring without the issues that can accompany access restriction. Although a no enforcement design does not provide the same level of protection for your network as one that includes enforcement, it can be an excellent way to test and refine your NAP infrastructure design and reporting methods.
Any of the NAP enforcement methods can be used with a no enforcement design. This is accomplished by granting full network access to all client computers, including noncompliant and non-NAP-capable computers. In this configuration, client computers will not receive NAP notifications, but they can still be monitored and automatically updated.
The IPsec enforcement method can be used with a no enforcement design that provides NAP notifications to client computers when their health state changes. In this design, health certificates are issued only to compliant client computers. No network restriction occurs because health certificate-based IPsec policies are not deployed.
No matter how you choose to deploy NAP, a no enforcement design can be used as part of your NAP staging strategy or incorporated into your final NAP deployment design.
The following are the benefits of a no enforcement design.
Flexibility: Because noncompliant computers are granted full network access, you can modify your NAP infrastructure and add or remove health agents from your network without extensive testing.
Simple to implement: You do not need to create a separate restricted access network for noncompliant clients. The design can also be implemented quickly; it does not require a phased approach.
No network restriction: If your network has highly secure areas or segments that are already isolated from other parts of the network, a no enforcement design might be ideal because further access restriction is not required.
Automatic updating: You do not need to enforce network restriction in order to automatically update, or remediate, computers that are noncompliant with health policy. A no enforcement design allows you to update client computers automatically so that they are compliant with health requirements.
Compliance monitoring: You can generate the same NAP reports that are provided by methods that restrict access to noncompliant client computers. Clients that are noncompliant with health requirements will still be reported, but no access restriction will occur. For more information, see Track Compliance with Security Policies and NAP Reporting.
NAP with no enforcement requires that the following components be deployed on your network:
A NAP health policy server running Windows Server 2008 R2 or Windows Server 2008 with the Network Policy Server (NPS) role service installed.
A NAP enforcement server running Windows Server 2008 R2 or Windows Server 2008 might be required if you choose to use IPsec, VPN, or DHCP enforcement with your no enforcement design.
An 802.1X authenticating switch or wireless access point can be deployed if you choose to use 802.1X enforcement with your no enforcement design.
Note: A NAP CA is required if you choose to use IPsec enforcement with your no enforcement design.
NAP-enabled client computers running Windows 7, Windows Vista, Windows Vista with Service Pack 1 (SP1), Windows XP with SP3, Windows Server 2008, or Windows Server 2008 R2.
All of the server components can be installed on the same computer. Depending on the needs of your organization, additional servers might also be required. For more information, see No Enforcement Example and No Enforcement Configuration.