Network Access Protection

Applies To: Windows Server 2008

Network Access Protection (NAP) is a new set of operating system components included with the Windows Server® 2008 and Windows Vista® operating systems that provides a platform to help ensure that client computers on a private network meet administrator-defined requirements for system health. NAP policies define the required configuration and update status for a client computer’s operating system and critical software. For example, computers might be required to have antivirus software with the latest signatures installed, current operating system updates installed, and a host-based firewall enabled. By enforcing compliance with health requirements, NAP can help network administrators mitigate some of the risk caused by improperly configured client computers that might be exposed to viruses and other malicious software.

What does Network Access Protection do?

NAP enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or to communicate on a network. If client computers are determined to be noncompliant with health requirements, they can be placed on a restricted network that contains resources to assist in remediating client systems so that they can become compliant with health policies.

Who will be interested in this feature?

Network and system administrators who want to enforce system health requirements for client computers connecting to the networks they support will be interested in NAP. With NAP, network administrators can:

  • Ensure the health of desktop computers on the local area network (LAN) that are configured for DHCP or that connect through 802.1X authenticating devices, or that have NAP Internet Protocol security (IPsec) policies applied to their communications.

  • Enforce health requirements for roaming laptops when they reconnect to the company network.

  • Verify the health and policy compliance of unmanaged home computers that connect to the company network through a virtual private network (VPN) server running Routing and Remote Access.

  • Determine the health and restrict access of laptops brought to an organization by visitors and partners.

Depending on their needs, administrators can configure a solution to address any or all of these scenarios.

NAP also includes an application programming interface (API) set for developers and vendors to build their own components for network policy validation, ongoing compliance, and network isolation.

Are there any special considerations?

NAP deployments require servers that are running Windows Server 2008. In addition, client computers running Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3 (SP3) are required. The central server that performs health determination analysis for NAP is a computer running Windows Server 2008 and Network Policy Server (NPS). NPS is the Windows implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. NPS is the replacement for the Internet Authentication Service (IAS) in the Windows Server 2003 operating system. Access devices and NAP servers act as RADIUS clients to an NPS-based RADIUS server. NPS performs authentication and authorization of a network connection attempt and, based on configured system health policies, determines computer health compliance and how to limit a noncompliant computer's network access.

What new functionality does this feature provide?

The NAP platform is a new client health validation and enforcement technology included with the Windows Server 2008 and Windows Vista operating systems.

Note

The NAP framework is not the same as Network Access Quarantine Control, which is a feature provided with Windows Server 2003 and Internet Security and Acceleration (ISA) Server 2004. Network Access Quarantine Control can provide additional protection for remote access (dial-up and VPN) connections. For more information about Network Access Quarantine Control in Windows Server 2003, see Network Access Quarantine Control in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=56447). For more information about this feature in ISA Server 2004, see VPN Roaming Clients and Quarantine Control in ISA Server 2004 Enterprise Edition (https://go.microsoft.com/fwlink/?LinkId=56449).

Why is this functionality important?

One of the greatest challenges to today's businesses is the increasing exposure of client devices to malicious software such as viruses and worms. These programs can gain entry to unprotected or incorrectly configured host systems, and can use this system as a staging point to propagate to other devices on the corporate network. Network administrators can use the NAP platform to protect their network by ensuring that client systems maintain proper system configurations and software updates to help protect them from malicious software.

Key Processes of NAP

Several key processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.

Policy validation

System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network polices that determine actions to be taken based on client health status, such as granting of full network access or restricting network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.

Windows Security Health Agent and Windows Security Health Validator are included with the Windows Server 2008 and Windows Vista operating systems, and enforce the following settings for NAP-capable computers:

  • The client computer has firewall software installed and enabled.

  • The client computer has antivirus software installed and running.

  • The client computer has current antivirus updates installed.

  • The client computer has antispyware software installed and running.

  • The client computer has current antispyware updates installed.

  • Microsoft® Update Services is enabled on the client computer.

In addition, if NAP-capable client computers are running Windows Update Agent and are registered with a Windows Server Update Service (WSUS) server, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).

NAP enforcement and network restriction

NAP can be configured to deny noncompliant client computers access to the network or allow them access to a restricted network only. A restricted network should contain key NAP services, such as Health Registration Authority (HRA) servers and remediation servers, so that noncompliant NAP clients can update their configurations to comply with health requirements.

NAP enforcement settings allow you to either limit network access of noncompliant clients, or merely observe and log the health status of NAP-capable client computers.

You can choose to restrict access, defer restriction of access, or allow access by using the following settings:

  • Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.

  • Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted unrestricted access. NAP enforcement is delayed until the specified date and time.

  • Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.

Remediation

Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.

You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant with network health requirements. You can use the following network policy setting to configure automatic remediation:

  • Auto remediation. If Enable auto-remediation of client computers is selected, automatic remediation is enabled, and NAP-capable computers that do not comply with health requirements automatically attempt to update themselves.

Ongoing monitoring to ensure compliance

NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies change and the health of client computers change. For example, if health policy requires that Windows Firewall is turned on but a user has inadvertently turned it off, NAP can determine that the client computer is in a noncompliant state. NAP will then place the client computer on the restricted network until Windows Firewall is turned back on.

If automatic remediation is enabled, NAP client components can automatically enable Windows Firewall without user intervention.

NAP enforcement methods

Based on the health state of a client computer, NAP can allow full network access, limit access to a restricted network, or deny access to the network. Client computers that are determined to be noncompliant with health policies can also be automatically updated to meet these requirements. The way that NAP is enforced depends on the enforcement method you choose. NAP enforces health policies for the following:

  • IPsec-protected traffic

  • 802.1X port-based wired and wireless network access control

  • Virtual private networks (VPN) with Routing and Remote Access

  • Dynamic Host Configuration Protocol (DHCP) IPv4 address lease and renewal

  • Connections to a Terminal Services Gateway (TS Gateway) server

The following sections describe these enforcement methods.

NAP enforcement for IPsec communications

NAP enforcement for IPsec-protected traffic is deployed with a health certificate server, an HRA server, an NPS server, and an IPsec enforcement client. The health certificate server issues X.509 certificates to NAP clients when they are determined to be compliant with network health requirements. These certificates are then used to authenticate NAP clients when they initiate IPsec-protected communications with other NAP clients on an intranet.

IPsec enforcement confines the communication on your network to compliant clients, and provides the strongest form of NAP enforcement. Because this enforcement method uses IPsec, you can define requirements for protected communications on a per-IP address or per-TCP/UDP port number basis.

NAP enforcement for 802.1X

NAP enforcement for 802.1X port-based network access control is deployed with an NPS server and an EAPHost enforcement client component. With 802.1X port-based enforcement, an NPS server instructs an 802.1X authenticating switch or an 802.1X-compliant wireless access point to place noncompliant 802.1X clients on a restricted network. The NPS server limits the client's network access to the restricted network by instructing the access point to apply IP filters or a virtual LAN identifier to the connection. 802.1X enforcement provides strong network restriction for all computers accessing the network through 802.1X-capable network access devices.

NAP enforcement for VPN

NAP enforcement for VPN is deployed with a VPN enforcement server component and a VPN enforcement client component. Using NAP enforcement for VPN, VPN servers can enforce health policy when client computers attempt to connect to the network using a remote access VPN connection. VPN enforcement provides strong limited network access for all computers accessing the network through a remote access VPN connection.

NAP enforcement for DHCP

DHCP enforcement is deployed with a DHCP NAP enforcement server component, a DHCP enforcement client component, and NPS. Using DHCP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IP version 4 (IPv4) address. The NPS server limits the client's network access to the restricted network by instructing the DHCP server to assign a limited IP address configuration. However, if client computers are configured with a static IP address or are otherwise configured to circumvent the limited IP address configuration, DHCP enforcement is not effective.

NAP enforcement for TS Gateway

NAP enforcement for TS Gateway is deployed with a TS Gateway enforcement server component and a TS Gateway enforcement client component. Using NAP enforcement for TS Gateway, the TS Gateway server can enforce health policy on client computers that attempt to connect to internal corporate resources through the TS Gateway server. TS Gateway enforcement provides strong limited access for all computers accessing the network through a TS Gateway server.

Combined approaches

Each of these NAP enforcement methods has different advantages. By combining enforcement methods, you can combine the advantages of these different methods. Deploying multiple NAP enforcement methods, however, can make your NAP implementation more complex to manage.

The NAP framework also provides a suite of APIs that allow companies other than Microsoft to integrate their software into the NAP platform. By using the NAP APIs, software developers and vendors can provide end-to-end solutions that validate health and remediate noncompliant clients.

How should I prepare to deploy this feature?

The preparations you need to make for deploying NAP depend on the enforcement method or methods you choose, and the health requirements you intend to enforce when client computers connect to or communicate on your network.

If you are a network or system administrator, you can deploy NAP with the Windows Security Health Agent and Windows Security Health Validator. You can also check with other software vendors to find out if they provide SHAs and SHVs for their products. For example, if an antivirus software vendor wants to create a NAP solution that includes a custom SHA and SHV, they can use the API set to create these components. These components can then be integrated into the NAP solutions that their customers deploy.

In addition to SHAs and SHVs, the NAP platform uses multiple client and server-side components to detect and monitor the system health status of client computers when they attempt to connect or communicate on a network. Some common components used to deploy NAP are illustrated in the following figure:

NAP client components

A NAP-capable client is a computer that has the NAP components installed and that can verify its health state by sending statements of health (SoHs) to NPS. The following are common NAP client components.

System health agent (SHA). Monitors and reports the client computer's health state so that NPS can determine whether the settings monitored by the SHA are up-to-date and configured correctly. For example, the Windows System Health Agent (WSHA) can monitor Windows Firewall; whether antivirus software is installed, enabled, and updated; whether antispyware software is installed, enabled, and updated; and whether Microsoft Update Services is enabled and the computer has its most recent security updates. There might also be SHAs available from other companies that provide additional functionality.

NAP agent. Collects and manages health information. NAP agent also processes SoHs from SHAs and reports client health to installed enforcement clients. To indicate the overall health state of a NAP client, the NAP agent uses a system SoH.

NAP enforcement client (NAP EC). To use NAP, at least one NAP enforcement client must be installed and enabled on client computers. Individual NAP enforcement clients are enforcement method-specific, as described previously. NAP enforcement clients integrate with network access technologies, such as IPsec, 802.1X port-based wired and wireless network access control, VPN with Routing and Remote Access, DHCP, and TS Gateway. The NAP enforcement client requests access to a network, communicates a client computer's health status to the NPS server, and communicates the restricted status of the client computer to other components of the NAP client architecture.

Statement of health (SoH). A declaration from a SHA that asserts its health status. SHAs create SoHs and send them to the NAP agent.

NAP server components

The following are common NAP server components.

NAP health policy server. A server running NPS that is acting in the role of a NAP health evaluation server. The NAP health policy server has health policies and network policies that define health requirements and enforcement settings for client computers requesting network access. The NAP health policy server uses NPS to process RADIUS Access-Request messages containing the system SoH sent by the NAP EC, and passes them to the NAP administration server for evaluation.

NAP administration server. Provides a processing function that is similar to the NAP agent on the client side. It is responsible for collecting SoHs from NAP enforcement points, distributing SoHs to the appropriate system health validators (SHVs), and collecting SoH responses (SoHRs) from the SHVs and passing them to the NPS service for evaluation.

System health validators (SHVs). Server software counterparts to SHAs. Each SHA on the client has a corresponding SHV in NPS. SHVs verify the SoH that is made by its corresponding SHA on the client computer. SHAs and SHVs are matched to each other, along with a corresponding health requirement server (if applicable) and perhaps a remediation server. The SHV can also detect that no SoH has been received (such as in the case where the SHA has never been installed, or has been damaged or removed). Whether the SoH meets or does not meet the defined policy, the SHV sends a statement of health response (SoHR) message to the NAP administration server. One network might have more than one kind of SHV. If it does, the server running NPS must coordinate the output from all of the SHVs and determine whether to limit the access of a noncompliant computer. If your deployment uses multiple SHVs, you need to understand how they interact and plan carefully when you configure health policies.

NAP enforcement server (NAP ES). Matched to a corresponding NAP EC for the NAP enforcement method being used. NAP ES receives the list of SoHs from the NAP EC and passes them to NPS for evaluation. Based on the response, it provides either limited or unlimited network access to a NAP-capable client. Depending on the type of NAP enforcement, the NAP ES can be a component of a NAP enforcement point.

NAP enforcement point. A server or network access device that uses NAP or can be used with NAP to require the evaluation of a NAP client’s health state and provide restricted network access or communication. A NAP enforcement point can be a health registration authority (IPsec enforcement), an authenticating switch or wireless access point (802.1x enforcement), a server running Routing and Remote Access (VPN enforcement), a DHCP server (DHCP enforcement), or a TS Gateway server (TS Gateway enforcement).

Health requirement server. A software component that communicates with a SHV to provide information used in evaluating requirements for system health. For example, a health requirement server can be an antivirus signature server that provides the version of the current signature file for validation of a client antivirus SoH. Health requirement servers are matched to SHVs, but not all SHVs need a health requirement server. For example, a SHV can just instruct NAP-capable clients to check local system settings to ensure that a host-based firewall is enabled.

Remediation server. Hosts the updates that SHAs can use to bring noncompliant client computers into compliance. For example, a remediation server can host software updates. If health policy requires that NAP client computers have the latest software updates installed, the NAP EC will restrict network access to clients without these updates. Remediation servers must be accessible to clients with restricted network access in order for clients to obtain the updates required to comply with health policies.

Statement of health response (SoHR). Contains the results of the SHV's evaluation of the client SoH. The SoHR reverses the path of the SoH and is sent back to the client computer SHA. If the client computer is deemed noncompliant, the SoHR contains remediation instructions that the SHA uses to bring the client computer configuration into compliance with health requirements.

Just as each type of SoH contains information about system health status, each SoHR message contains information about how to become compliant with health requirements.

Additional references

For more information about NAP, see Network Access Protection (https://go.microsoft.com/fwlink/?LinkId=56443).

For information about other Network Policy and Access Services features, see the Network Policy and Access Services Role topic.