Windows Server 2008 NAP (Part 1)

by Marin Franković on 16 December, 2008

I am starting a new series of articles that will deal with new Windows Server 2008 roles. ?First one will be NAP (Network Access Protection).

NAP is responsible for evaluating client “health” status and determining if the client is compliant or non-compliant with our health policyes. NAP can not and will not protect your network from clients that are compliant but their users decide to act malicious once they enter out network. So you must look at NAP as just one of the available security layers in a “Defense in depth” model.

NAP has four scenarios in which it can be used:

  • IPSec enforcement (clients must be compliant to obtain certificate so they can comunicate in the network, this is considered to be strongest NAP implementation)
  • 802.1x enforcement (clients must be compliant to obtain full network access through authentication switch or access point)
  • VPN enforcement for remote access connections (network access can be limited for non-compliant clients through use of various IP packet filters)
  • DHCP enforcement (considered to be the weakest method since local administrator can assign static IP address to client thus bypassing NAP enforcement through DHCP)
  • TS Gateway (see comments for more info)


NAP agent is available in Windows XP SP2 (agent must be downloaded from MS site), Windows XP SP3, Windows Vista and Windows Server 2008. Older operating systems do not support NAP in Windows Server 2008 and an administrator must decide how to handle those computers (allow access to network or limited access to network resources).

NAP is designed as ongoing client health monitoring, which means that client can become non-compliant any time and it will be denied full network access, NAP also offers autoremediation services and can also be configured with remediation servers (WSUS, internet access, AV servers…) in the restricted network.

In the next article I will describe how to install and configure NAP with DHCP scenario.

{ 2 comments… read them below or add one }

Ilija December 16, 2008 at 12:25

What about TS Gateway? As I read somewhere, TS Gateway can be used to check the status of the computer, but it does not support automatic remediation.


Marin December 16, 2008 at 12:53

Yes, there is TS Gateway NAP enforcement for Windows Vista and Windows Server 2008 clients, but that particular method does not support remediation as you have mentioned. More info can be found at


Leave a Reply

Previous post:

Next post: