Network Access Protection in NPS

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in Windows Vista®, Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2. By using NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network.

NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are noncompliant with health policy, and remediating noncompliant client computers to bring them into compliance with health policy before they are granted full network access. NAP enforces health policies on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a client computer is connected to a network.

NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set. By using the NAP API set, you can add components to NAP clients and to servers running Network Policy Server (NPS) that check computer health, enforce network health policy, and remediate noncompliant computers to bring them into compliance with health policy.

By itself, NAP does not provide components to verify or remediate computer health. Other components, known as system health agents (SHAs) and system health validators (SHVs) , provide client computer health state inspection and reporting, validation of client computer health state compared to health policy, and configuration settings to help the client computer become compliant with health policy.

The Windows Security Health Agent (WSHA) is included in Windows Vista and Windows 7 as part of the operating system. The corresponding Windows Security Health Validator (WSHV) is included in Windows Server 2008 and Windows Server 2008 R2 as part of the operating system. By using the NAP API set, other products can also implement SHAs and SHVs to integrate with NAP. For example, an antivirus software vendor can use the API set to create a custom SHA and SHV. These components can then be integrated into the NAP solutions deployed by customers of the software vendor.

If you are a network or system administrator planning to deploy NAP, you can deploy NAP with the WSHA and WSHV that are included with the operating system. You can also check with other software vendors to find out if they provide SHAs and SHVs for their products.

NAP overview

Most organizations create network policies that dictate the type of hardware and software that can be deployed on the organization network. These policies frequently include rules for how client computers can be configured before connecting to the network. For example, many organizations require that client computers run antivirus software with recent antivirus updates installed, and that client computers have a software firewall installed and enabled before connecting to the organization network. A client computer that is configured according to the organization network policy can be viewed as compliant with policy, while a computer that is not configured according to the organization network policy can be viewed as noncompliant with policy.

NAP allows you to use NPS to create policies that define client computer health. NAP also allows you to enforce the client health policies you create, and to automatically update, or remediate, NAP-capable client computers to bring them into compliance with client health policy. NAP provides continuous detection of client computer health to guard against cases in which a client computer is compliant when it connects to the organization network but becomes noncompliant while connected.

NAP provides complementary client computer and organization network protection by ensuring that computers connecting to the network comply with organization network and client health policies. This protects the network from harmful elements introduced by client computers, such as computer viruses, and it also protects client computers from harmful elements that could be introduced by the network to which it is connecting.

In addition, NAP autoremediation reduces the amount of time that noncompliant client computers are prevented from accessing organization network resources. When autoremediation is configured and clients are in a noncompliant state, NAP client components can rapidly update the computer by using resources you supply on a remediation network, allowing the now-compliant client to be more quickly authorized by NPS to connect to the network.

NPS and NAP

NPS can act as a NAP policy server for all NAP enforcement methods.

When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. You can configure NAP policies in NPS that allow client computers to update their configuration to become compliant with your organization network policy.

Client computer health

Health is defined as information about a client computer that NAP uses to determine whether to allow or deny client access to a network. An assessment of client computer health status represents the configuration state of a client computer in comparison to the state that is required by health policy.

Example measurements of health include:

  • The operational status of Windows Firewall. Is the firewall enabled or disabled?

  • The update status of antivirus signatures. Are the antivirus signatures the most recent ones available?

  • The installation status of security updates. Are the most recent security updates installed on the client?

The health status of the client computer is encapsulated in an SoH, which is issued by NAP client components. NAP client components send the SoH to NAP server components for evaluation to determine whether the client is compliant and can be granted full network access.

In NAP terminology, verifying that a computer meets your defined health requirements is called health policy validation . NPS performs health policy validation for NAP.

How NAP enforcement works

NAP enforces health policies by using client-side components that inspect and assess the health of client computers, server-side components that restrict network access when client computers are deemed noncompliant, and both client-side and server-side components that assist in remediating noncompliant client computers for full network access.

Key processes of NAP

To help protect network access, NAP relies on three processes: policy validation, NAP enforcement and network restriction, and remediation and ongoing compliance.

Policy validation

By using NPS, you can create client health policies using SHVs that allow NAP to detect, enforce, and remediate client computer configurations.

WSHA and WSHV provide the following functionality for NAP-capable computers:

  • The client computer has firewall software installed and enabled.

  • The client computer has antivirus software installed and running.

  • The client computer has current antivirus updates installed.

  • The client computer has antispyware software installed and running.

  • The client computer has current antispyware updates installed.

  • Microsoft Update Services is enabled on the client computer.

In addition, if NAP-capable client computers are running Windows Update Agent and are registered with a Windows Server Update Service (WSUS) server, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).

When you create policies that define the client computer health status, policies are validated by NPS. The NAP client-side components send a SoH to the NPS server during the network connection process. NPS examines the SoH and compares it to health policies.

NAP enforcement and network restriction

NAP denies noncompliant client computers access to the network or allows them access only to a special restricted network called a remediation network . A remediation network provides client computers with access to remediation servers, which provide software updates, and other key NAP services, such as Health Registration Authority (HRA) servers, that are required to bring noncompliant NAP clients into compliance with health policy.

The NAP enforcement setting in NPS network policy allows you to use NAP to limit the network access or observe the state of NAP-capable client computers that do not comply with your network health policy.

You can choose to restrict access, defer restriction of access, or allow access with network policy settings.

Remediation

Noncompliant client computers that are put into a restricted network might undergo remediation. Remediation is the process of automatically updating a client computer so that it meets current health policies. For example, a restricted network might contain a File Transfer Protocol (FTP) server that automatically updates the virus signatures of noncompliant client computers that have outdated signatures.

Ongoing compliance

NAP can enforce health compliance on client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies change and the health of client computers change. For example, NAP determines that the client computer is in a noncompliant state if a health policy requires that Windows Firewall is turned on and an administrator inadvertently turns the firewall off on a client computer. NAP will then disconnect the client computer from the organization network and connect the client computer to the remediation network until Windows Firewall is turned back on.

You can use NAP settings in NPS network policies to configure autoremediation so that NAP client components automatically attempt to update the client computer when it is not compliant. As with NAP enforcement settings, autoremediation is configured in network policy settings.