I am starting a new series of articles that will deal with the new Windows Server 2008 roles. The first one will be NAP (Network Access Protection).
NAP is responsible for evaluating a client's "health" status and determining whether the client is compliant or non-compliant with our health policies. NAP cannot and will not protect your network from clients that are compliant but whose users decide to act maliciously once they are on our network. So you must look at NAP as just one of the available security layers in a "defense in depth" model.
NAP has four scenarios in which it can be used:
- IPsec enforcement (clients must be compliant to obtain a health certificate so they can communicate on the network; this is considered the strongest NAP implementation)
- 802.1X enforcement (clients must be compliant to obtain full network access through an authenticating switch or access point)
- VPN enforcement for remote access connections (network access can be limited for non-compliant clients through the use of IP packet filters)
- DHCP enforcement (considered the weakest method, since a local administrator can assign a static IP address to the client and thus bypass NAP enforcement through DHCP)
- TS Gateway (see comments for more info)
The NAP agent is available in Windows XP SP2 (the agent must be downloaded from the Microsoft site), Windows XP SP3, Windows Vista and Windows Server 2008. Older operating systems do not support NAP in Windows Server 2008, so an administrator must decide how to handle those computers (allow full network access, or limit their access to network resources).
NAP is designed for ongoing client health monitoring: a client can become non-compliant at any time, and when it does it is denied full network access. NAP also offers auto-remediation and can be configured with remediation servers (WSUS, internet access, AV servers…) in the restricted network.
In the next article I will describe how to install and configure NAP in the DHCP scenario.