Windows 7 / Security and Privacy

Network Access Protection

Many organizations have been affected by viruses or worms that entered their private networks through a mobile PC and quickly infected computers throughout the organization. Windows Vista and Windows 7, when connecting to a Windows Server 2008 infrastructure, support Network Access Protection (NAP) to reduce the risk of connecting unhealthy computers to private networks, whether directly or across a VPN. If a NAP client computer lacks current security updates or virus signatures, or otherwise fails to meet your requirements for computer health, NAP blocks the computer from having unlimited access to your private network. Instead, the computer is connected to a restricted network from which it can download and install the updates, antivirus signatures, or configuration settings required to comply with the current health requirements. Within minutes, a potentially vulnerable computer can be updated, have its new health state validated, and then be granted unlimited access to your network.

NAP is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network's overall integrity. For example, if a computer has all the software and configuration settings that the health requirement policy requires, the computer is considered compliant and is granted unlimited access to the network. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior. Keep in mind that the health statement is produced by the client itself, so NAP is a hygiene control for cooperating computers rather than an authentication or authorization boundary; an attacker who controls the client can report whatever health state is required.

NAP has three important and distinct aspects:

  • Network policy validation When a user attempts to connect to the network, the computer's health state is validated against the network access policies as defined by the administrator. Administrators can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with health requirement policies, but the compliance state of each computer is logged. In an isolation environment, computers that comply with the health requirement policies are allowed unlimited access to the network, but computers that do not comply with health requirement policies or are not compatible with NAP are placed on a restricted network. In both environments, administrators can define exceptions to the validation process. NAP also includes migration tools to make it easier for administrators to define exceptions that best suit their network needs.
  • Health requirement policy compliance Administrators can help ensure compliance with health requirement policies by choosing to automatically update noncompliant computers with the required updates through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In an isolation environment, computers that do not comply with health requirement policies have limited access until the software and configuration updates are completed. Again, in both environments, the administrator can define policy exceptions.
  • Limited access for noncompliant computers Administrators can protect network assets by limiting the access of computers that do not comply with health requirement policies. Computers that do not comply will have their network access limited as defined by the administrator. That access can be limited to a restricted network, to a single resource, or to no internal resources at all. If an administrator does not configure health update resources, the limited access will last for the duration of the connection. If an administrator configures health update resources, the limited access will last only until the computer is brought into compliance.

NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set for adding features that verify and remediate a computer's health to comply with health requirement policies. By itself, NAP does not provide features to verify or correct a computer's health. Other components, known as system health agents (SHAs) on the client and system health validators (SHVs) on the server, provide automated system health reporting, validation, and remediation. Windows Vista, Windows Server 2008, and Windows 7 include an SHA (the Windows Security Health Agent) and an SHV (the Windows Security Health Validator) that allow the network administrator to specify health requirements for the services monitored by the Windows Security Center (Action Center in Windows 7): firewall, antivirus and antispyware protection, automatic updates, and security update installation.

When troubleshooting client-side problems related to NAP, open Event Viewer and browse to Applications And Services Logs\Microsoft\Windows\Network Access Protection\Operational. This log records the NAP Agent's health state changes and enforcement client activity, and is the first place to look when a computer is unexpectedly placed on the restricted network.
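The following script gathers the client-side information described above in one pass. It is an added example and is not code from the original page or from Microsoft. It assumes the NAP Agent service name napagent, the event channel name Microsoft-Windows-NetworkAccessProtection/Operational for the log shown in Event Viewer, and that netsh reports the unrestricted case as "Not restricted"; if the channel is named differently on your build, list it with Get-WinEvent -ListLog *NetworkAccessProtection*. Run it from an elevated PowerShell prompt on the Windows 7 client.

```powershell
# Added example (not from the original page or from Microsoft): client-side NAP check
# for Windows 7. Assumed names: service "napagent", event channel
# "Microsoft-Windows-NetworkAccessProtection/Operational", and the netsh value
# "Not restricted" for an unrestricted client.

$NapLogName = 'Microsoft-Windows-NetworkAccessProtection/Operational'

function Get-NapAgentStatus {
    # With the NAP Agent stopped the client sends no Statement of Health, so an
    # isolation-mode NPS treats it as NAP-incapable and restricts it.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"
    if (-not $svc) { return 'NAP Agent service (napagent) is not installed' }
    return ('{0}: State={1}, StartMode={2}' -f $svc.DisplayName, $svc.State, $svc.StartMode)
}

function Get-NapRestrictionState {
    # "netsh nap client show state" prints "Name = Value" lines; pull out the
    # client-wide restriction state instead of reading the whole dump by eye.
    $line = netsh nap client show state |
        Where-Object { $_ -match '^\s*Restriction state\s*=' } |
        Select-Object -First 1
    if ($line -and $line -match '=\s*(.*)$') { return $matches[1].Trim() }
    return 'unknown (no "Restriction state" line in netsh output)'
}

function Get-SecurityHealthSnapshot {
    # The items the Windows Security Health Agent reports on (firewall, antivirus,
    # automatic updates). Checking them locally shows what the SHV will see.
    $snapshot = @{}

    # Firewall state (ON/OFF) for each currently active profile.
    $fw = @(netsh advfirewall show currentprofile state |
        ForEach-Object { if ($_ -match '^\s*State\s+(\S+)') { $matches[1] } })
    $snapshot['Firewall'] = if ($fw.Count) { $fw -join ',' } else { 'unknown' }

    # Antivirus products registered with Security Center. productState is a packed
    # status word that the SHA decodes into enabled / signatures current; it is
    # reported raw here rather than decoded with an undocumented bit layout.
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
        -ErrorAction SilentlyContinue
    $snapshot['AntiVirus'] = if ($av) {
        @($av | ForEach-Object { '{0} (productState={1})' -f $_.displayName, $_.productState }) -join '; '
    } else { 'none registered with Security Center' }

    # Automatic Updates level: 1 = disabled, 2 = notify before download,
    # 3 = download and notify, 4 = scheduled install.
    $au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    $snapshot['AutomaticUpdates'] = $au.NotificationLevel

    return $snapshot
}

Write-Host ('NAP Agent:          ' + (Get-NapAgentStatus))
$restriction = Get-NapRestrictionState
Write-Host ('Restriction state:  ' + $restriction)

$health = Get-SecurityHealthSnapshot
$health.GetEnumerator() | Sort-Object Name | ForEach-Object {
    Write-Host ('{0,-20}{1}' -f ($_.Name + ':'), $_.Value)
}

if ($restriction -ne 'Not restricted') {
    Write-Host 'Client is not in the unrestricted state; recent NAP client events follow.'
}

# Newest entries from the NAP client log, where health state changes and
# enforcement client activity are recorded.
Get-WinEvent -LogName $NapLogName -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

If the NAP Agent is running and the restriction state is already "Not restricted", the problem is usually on the server side (network policy, SHV settings, or the enforcement point) rather than on the client; the snapshot of firewall, antivirus, and Automatic Updates state tells you which health requirement a restricted client is failing before you involve the NPS administrator.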
