Home > Security > Network Access Protection

Network Access Protection

Network Access Protection (NAP)

One of the new security services being offered Windows Server 2008 is called Network Access Protection.  NAP requires that clients (Vista SP1, XP SP3, Server 2008) to complete a health check of thier system which is then submitted to a NAP server.  NAP then compares the results with some preconfigured System Health Validators and based on the results the NAP server will place the client onto one of the following networks:

  • Private Network:  Client meets all required SHV’s
  • Remediation Network: Segmented network used to remediate any current health issues
  • No Network Connectivity: Client is denied network access

Here is a list of the current acronyms being used when discussing NAP:

  • NPS = Network Policy Server (the NAP server)
  • SHA = System Health Agent (client-side NAP plug-in)
  • SHV = System Health Validator (server-side NAP plug-in)
  • SoH = Statement of Health (created by the  client)  
  • SSoH = System Statement of Health  (sent by client, combination of several SoH’s)
  • SoHR = System of Health Response (response from server to SS0H)

There are several different NAP enforcement types available:

  • IPSec Connection Security
  • 802.1x Access Point
  • VPN Server
  • DHCP Server
  • TS Gateway

Here is the list of the default Windows Security Health Validators which are used to evaluate the current health of the client machine. 

  • Windows Firewall
  • Antivirus (additonal: updated virus definitions)
  • Spyware Protection (additional: updated spyware definitions)
  • Automatic Updating
  • Security Update Protection (additional: Important, Moderate, Low, WSUS or Windows Updates)

In order to configure client workstations to be configured to used NAP there are several GPO Client Computer Settings that should be configured:

  • Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent
  • Computer Configuration\Policies\Windows Settings\Security Settings\NAP\NAP Client Configurations\Enforcement Clients
  • Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center

NAP can also be extended and centralized using the following Microsoft products:

  • System Center Configuration Manager 2007
  • Forefront Security Security


Categories: Security
  1. Norio
    July 22, 2009 at 10:05 pm

    Hello Joe. Your web site is really nice. It’s easy to browse. I like the design.
    I am doing test for NAC appliance from Juniper with Symantec End Point 11 and
    MS System Center Configuration Manager 2007 before deploying the system.
    Juniper NAC has the remediation function for Symantec, but it doesn’t have it for SCCM 2007
    (only support SMS2003). So, I’m struggling to find out how to remediate the PC for windows update through SCCM2007 with WSUS. Anyway, I’m interested in NAP for windows 2008.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: