Skip to main content

Network Access Protection: Frequently Asked Questions

Published: July 13, 2004 | Updated: January 4, 2011

This FAQ answers commonly asked questions about Network Access Protection (NAP). Click a question to view its answer. To view all the answers at one time, select the View all answers check box.


General Information

A. NAP is one of the most desired and highly anticipated features of Windows Server 2008. NAP is a new platform and solution that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

The NAP platform is built into Windows Vista, Windows Server 2008, and Windows XP Service Pack 3.

A. For an introduction to NAP scenarios and components and a brief description of how NAP works, see Introduction to Network Access Protection.

For an overview of NAP capabilities and architecture and a comparison of NAP with Network Access Quarantine Control in Windows Server 2003, see Network Access Protection Platform Overview.

For links to all of the resources for NAP, see the Network Access Protection webpage.

A. The prevention of the propagation of viruses through antivirus software and the timely installation of operating system updates is a critical part of managing today's networks. As an industry leader, Microsoft wants to help make sure that networks are not compromised when computers requesting access to a network or communicating on a network lack the proper system health configuration, such as operating system or antivirus updates.

A. NAP provides a set of client and server-side components to help customers protect their networks by inspecting client computer health state, limiting network access for noncompliant clients, and updating noncompliant clients for unlimited network access. NAP is a platform upon which health requirement policies are specified and by which those policies are enforced. Health requirement policies can include, but are not limited to: software update levels, antivirus signatures, specific configuration settings, open and closed ports, and firewall settings. NAP will work with existing Windows-based infrastructure such as the Active Directory® domain service, Group Policy, Microsoft System Center Configuration Manager 2007, Windows Update Services, and Microsoft Internet Security and Acceleration (ISA) Server. (Some upgrades might be required.)

A. When a client attempts to access the network or communicate on the network, it must present its system health state or proof of health compliance. If a client cannot prove it is compliant with system health requirements (for example, that it has the latest operating system and antivirus updates installed), its access to the network or communication on the network can be limited to a restricted network containing server resources so that health compliance issues can be remedied. After the updates are installed, the client requests access to the network or attempts the communication again. If compliant, the client is granted unlimited access to the network or the communication is allowed.

For additional information, see the Introduction to Network Access Protection and Network Access Protection Platform Architecture white papers.

A. NAP uses servers running Windows Server 2008 and the following:

  • Network Policy Server (NPS)
  • Provides centralized health policy configuration and evaluation of NAP client health state.

    NPS is the Windows Server 2008 implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. NPS replaces the Internet Authentication Service (IAS) in Windows Server 2003.

  • Routing and Remote Access
  • Provides health requirements enforcement for remote access virtual private network (VPN) connections.

  • Dynamic Host Configuration Protocol (DHCP) Server service
  • Provides health requirements enforcement for DHCP address allocation.

A. NAP clients must run Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3.

A. Microsoft is including NAP support in Windows XP Service Pack 3. For more information about the availability of Windows XP Service Pack 3, see Windows Service Pack Road Map. For additional information about NAP support for versions of Windows prior to Windows Vista and Windows Server 2008, click here.

A. NAP will ship as a core Windows component.

A. NAP will be delivered in Windows Vista, Windows Server 2008, and Windows XP Service Pack 3.

A. All of the current white papers, Web articles, and WebCasts on NAP are available from the Network Access Protection Web page.

For the latest information from the NAP product team at Microsoft, see the Network Access Protection blog.

For ongoing discussions of NAP, see the Network Access Protection TechNet forum.

A. Despite the similar name, NAP is not the same as Network Access Quarantine Control. Network Access Quarantine Control functionality that is provided with Windows Server 2003 Service Pack 1 and later is based only on client inspection and is strictly a remote access solution. Network Access Quarantine Control requires customer-written, customized scripts to perform compliance checks, and the APIs were not supported (ISA Server 2004 now supports them). The new NAP platform allows for third-party vendors to take part in the policy decisions. NAP also allows for remote, local, managed, unmanaged, and guest client inspection, which offers significantly more functionality than only remote access connections that are supported by Network Access Quarantine Control.

NAP is essentially the replacement for Network Access Quarantine Control and the long-term solution for customers. Microsoft anticipates that partners will provide services and solutions to assist customers with the maintenance of their existing investment or the update of their networks for NAP.

For a detailed comparison of NAP with Network Access Quarantine Control in Windows Server 2003, see Network Access Protection Platform Overview.

A. NAP is based on a different architecture and will be a core Windows component in Windows Vista and Windows Server 2008.

Microsoft has delivered a set of technologies to help Windows Server 2003 customers build custom remote access quarantine solutions today using tools from the Windows Server Resource Kit Tools, released with Windows Server 2003 Service Pack 1 and later. ISA Server 2004 is a complementary offering to these existing Windows technologies, providing authentication and deep inspection of VPN traffic as well as administrative tools and session state monitoring of the restricted network to help bring client computers in line with IT security policies (including operating system and antivirus updates prior to permitting the VPN connection). Microsoft is working closely with industry partners such as Avanade to deliver these customized solutions for customers using ISA Server 2004

For more information about ISA Server, see the Microsoft ISA Server site.

A. Most of our customers require enterprise-level management of their operating system updates and full software distribution capabilities; Systems Management Server (SMS) already provides these services. Currently, there is less demand for Windows Update Services, but Microsoft will continue to assess the need for its support in the future.

A. NAP falls under the following two security pillars:

Isolation and Resiliency
The efforts for Windows Server 2003 focused on how to help reduce, mitigate, or contain threats. Microsoft has shipped Windows Server 2003 Service Pack 1, which includes the server-relevant security technologies found in Windows XP Service Pack 2.

NAP will also include technologies to help IT administrators control and improve the overall health of their networks by validating the health compliance of each client—remotely or on-site—upon accessing the network.

Authentication and Access Control
Computer networks are no longer closed systems in which a client's presence on the network can serve as proof of identity. Passwords provide the most common mechanism for authenticating users who need access to computers and networks. With NAP, IT administrators will have more control over the authentication process.

A. For additional information about NAP support for versions of Windows prior to Windows Vista and Windows Server 2008, click here.

A. Microsoft is currently in discussions with standards bodies. NAP has already embraced industry standards such as Protected Extensible Authentication Protocol (PEAP), and the NAP architecture is open and extensible.

NAP and Cisco’s Network Admission Control

A. Based on extensive customer feedback, the Microsoft NAP and Cisco Network Admission Control (NAC) solutions must be able to communicate with one another. By working together, customers now have the flexibility to choose the security solution that meets their needs and the opportunity to implement a single, coordinated solution.

A. Microsoft and Cisco have been partners in networking for many years. The Microsoft NAP and Cisco Network Admission Control (NAC) collaboration efforts are an extension of our existing relationship. It builds on the successful, joint efforts of Microsoft and Cisco on a number of other technology fronts and in market segments including Internet Protocol (IP) telephony, data centers, Internet Protocol version 6 (IPv6), home networking and media, and small- and medium-sized business solutions and channel programs. Security is an important extension of this collaboration, and, in the security arena, Microsoft and Cisco have already been working together in areas including VPNs, wireless security, and networking security.

A. Microsoft and Cisco will collaborate in the following ways:

  • By sharing information about their technologies to help drive an approach to solution compatibility between NAP and Network Admission Control (NAC), their respective approaches for providing endpoint security, and health-policy compliance when accessing network resources
  • By working toward interoperability efforts between the two architectures as these solutions evolve and are delivered to customers
  • By driving industry standards in the network admissions and access control arenas to help promote broad market adoption

A. This coordinated approach will allow customers to integrate the embedded security capabilities of Cisco's network infrastructure with those of Microsoft Windows, enabling customers to choose components and implement a single, coordinated solution. The benefit to customers is the flexibility to choose the appropriate security technology that serves their business needs while still being able to implement a single, coordinated solution.

NAP Partners

A. Please see the Partners page for Server and Cloud Platform to find Microsoft partners who can help with NAP.