Vista's Network Access Protection (NAP) helps keep 'unhealthy' computers off your LAN

Discussion in 'Networking & Internet' started by Jason, Apr 2, 2007.

    How it works

    NAP support is included with Vista and Longhorn Server, and a NAP client for Windows XP with SP2 is expected to be available when Longhorn Server is released. The XP NAP client is in beta testing at the time of this writing.

    The NAP platform consists of a number of components working together:

    - The Network Policy Server (NPS). This is a Longhorn Server, and its NAP services are made up of two parts: the NAP Administration Server and the NAP Enforcement Server. Network access information for user and computer accounts is stored in the Active Directory. The System Health Validator (SHV) runs on the NAP server and communicates with a component called the Policy Server. NPS is Longhorn Server's replacement for the Internet Authentication Service (IAS) in Windows Server 2003, thus it is a RADIUS server and proxy. It functions as a policy server working with NAP ES and EC components. The NAP servers and access devices are RADIUS clients to the NPS server. NPS authenticates attempted network connections and then determines whether the computer is compliant with health policies, limiting the access of computers that are not.
    - A Health Registration Authority (HRA). This is a Longhorn Server that runs IIS and Windows Certificate Services and is needed if you want to use health certificates obtained from a CA.
    - Remediation server(s). This is a server or servers on which resources reside that noncompliant clients can use to come into compliance. The remediation servers are available on the restricted network so that noncompliant clients, which are not allowed full network access, can still connect to them.
    - NAP clients. The System Health Agents (SHAs) run on the NAP clients.

    The SHAs on the clients contain information about the clients' health status. This is submitted to the NPS server as a Statement of Health (SoH). The SHV on the server communicates with the Policy Server to validate the SoH and determines whether the SoH meets the criteria to comply with your policy requirements. Alternatively, a health certificate can be obtained from an HRA and used in the place of an SoH to prove compliance.

    If a computer is found to be noncompliant, it can be given access to a restricted network. This network contains remediation servers. The client uses the resources on these servers to gain compliance. For instance, a remediation server might contain the virus definition files needed to bring the client up to date, or it might be a software update server with the required service packs or security fixes that the client is lacking. Once the client has been updated, a new SoH can be submitted.

    You can create remediation server groups to specify the remediation servers (by DNS name or IP address). There is a wizard that takes you through the steps of creating a group. You can have different groups for different enforcement technologies.

    You can specify that noncompliant computers that are only allowed access to the restricted network be directed to a Web site where they can get information on how to become compliant, as shown in Figure A.

    Figure A: You can direct noncompliant computers to a Web site on the restricted network.

    Using NAP

    When NAP is deployed on your network, you can create health policies that define criteria each computer must meet in order to connect. NAP can control the access of:

    - "Unmanaged" computers--those that administrators don't have physical access to because users are connecting from home or from the road. These systems often are not owned by the company, so you can't be sure that the proper updates, antivirus, firewalls, etc., are installed and properly configured.
    - Visiting and roaming portable co
    Jason, Apr 2, 2007
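The submit-validate-remediate-resubmit loop that the post describes (SHA builds a Statement of Health, the SHV on NPS checks it against a health policy, a noncompliant client is confined to the restricted network with its remediation server group, then sends a fresh SoH once fixed), as an added illustration that is not from the article, the forum post or Microsoft. It uses no Windows API; the SoH fields, the policy thresholds, the server names and the help URL are all assumptions invented for the example, and the "fix" a client applies during remediation is simulated rather than pulled from a real update server.

```python
"""Model of the NAP health-check flow (added example; not Microsoft's code).

Roles modelled:
  - StatementOfHealth : what the client-side SHAs report (fields assumed)
  - validate_soh      : the SHV's check of an SoH against a HealthPolicy
  - enforce           : the NPS decision: full access, or restricted access
                        limited to a remediation server group
  - remediate         : the client using the remediation servers, then
                        producing a new SoH to resubmit (fixes simulated)
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass
class StatementOfHealth:
    """Health facts reported by the client's System Health Agents (assumed fields)."""
    client_id: str
    firewall_enabled: bool
    antivirus_enabled: bool
    av_definition_age_days: int
    missing_security_updates: List[str] = field(default_factory=list)


@dataclass
class HealthPolicy:
    """Administrator-defined criteria the SHV compares each SoH against."""
    require_firewall: bool = True
    require_antivirus: bool = True
    max_av_definition_age_days: int = 7      # threshold is an assumption
    require_all_security_updates: bool = True


@dataclass
class RemediationServerGroup:
    """Servers on the restricted network that a noncompliant client may still reach."""
    name: str
    servers: List[str]
    troubleshooting_url: str


def validate_soh(soh: StatementOfHealth, policy: HealthPolicy) -> List[str]:
    """SHV role: return every failed check; an empty list means the SoH is compliant."""
    failures: List[str] = []
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall disabled")
    if policy.require_antivirus and not soh.antivirus_enabled:
        failures.append("antivirus disabled")
    if soh.av_definition_age_days > policy.max_av_definition_age_days:
        failures.append(f"antivirus definitions are {soh.av_definition_age_days} days old")
    if policy.require_all_security_updates and soh.missing_security_updates:
        failures.append("missing updates: " + ", ".join(soh.missing_security_updates))
    return failures


def enforce(soh: StatementOfHealth, policy: HealthPolicy,
            group: RemediationServerGroup) -> Dict:
    """NPS role: grant full access, or restrict the client to the remediation group."""
    failures = validate_soh(soh, policy)
    if not failures:
        return {"client": soh.client_id, "access": "full", "failures": [], "reachable": ["*"]}
    return {
        "client": soh.client_id,
        "access": "restricted",
        "failures": failures,
        "reachable": list(group.servers),          # only these hosts are reachable
        "help_url": group.troubleshooting_url,     # the Web site shown in Figure A
    }


def remediate(soh: StatementOfHealth, decision: Dict) -> StatementOfHealth:
    """Client role: after a 'restricted' decision, use the remediation servers and
    build a fresh SoH. The fixes are simulated here; a real client would fetch
    definitions and updates from the hosts listed in decision['reachable']."""
    assert decision["access"] == "restricted"
    return replace(soh, firewall_enabled=True, antivirus_enabled=True,
                   av_definition_age_days=0, missing_security_updates=[])


def nap_session(soh: StatementOfHealth, policy: HealthPolicy,
                group: RemediationServerGroup, max_rounds: int = 2) -> List[Dict]:
    """Run submit -> validate -> (remediate -> resubmit) and return every decision made,
    which is the audit trail an administrator would want to keep per client."""
    log: List[Dict] = []
    for _ in range(max_rounds):
        decision = enforce(soh, policy, group)
        log.append(decision)
        if decision["access"] == "full":
            break
        soh = remediate(soh, decision)
    return log


def demo() -> List[Dict]:
    """Constructed sample: a laptop with its firewall off, stale AV definitions and one
    missing update (all names below are made up for the example)."""
    policy = HealthPolicy()
    group = RemediationServerGroup(
        name="default-remediation",
        servers=["wsus.example.local", "avdefs.example.local"],
        troubleshooting_url="http://help.example.local/nap",
    )
    soh = StatementOfHealth("laptop-01", firewall_enabled=False, antivirus_enabled=True,
                            av_definition_age_days=12,
                            missing_security_updates=["KB-EXAMPLE-1"])
    return nap_session(soh, policy, group)


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The first decision in `demo()` comes back `restricted` with three failures and only the two remediation hosts reachable; after the simulated remediation the resubmitted SoH passes and the second decision is `full`. Keeping the per-client decision log (rather than just the final state) is what lets you later spot a machine that keeps bouncing between restricted and full.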