Network Access Protection
Many organizations have been affected by viruses or worms that entered their private networks through a mobile PC and quickly infected computers throughout the organization. Windows Vista, when connecting to a Windows Server 2008 infrastructure, supports Network Access Protection (NAP) to reduce the risks of connecting unhealthy computers to private networks directly or across a VPN. If a NAP client computer lacks current security updates or virus signatures-or otherwise fails to meet your requirements for computer health-NAP blocks the computer from having unlimited access to your private network. If a computer fails to meet the health requirements, it will be connected to a restricted network to download and install the updates, antivirus signatures, or configuration settings that are required to comply with current health requirements. Within minutes, a potentially vulnerable computer can be updated, have its new health state validated, and then be granted unlimited access to your network.
NAP is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network's overall integrity. For example, if a computer has all the software and configuration settings that the health requirement policy requires, the computer is considered compliant, and it will be granted unlimited access to the network. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.
NAP has three important and distinct aspects:
- Network policy validation When a user attempts to connect to the network, the computer's health state is validated against the network access policies as defined by the administrator. Administrators can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with health requirement policies, but the compliance state of each computer is logged. In an isolation environment, computers that comply with the health requirement policies are allowed unlimited access to the network, but computers that do not comply with health requirement policies or are not compatible with NAP are placed on a restricted network. In both environments, administrators can define exceptions to the validation process. NAP also includes migration tools to make it easier for administrators to define exceptions that best suit their network needs.
- Health requirement policy compliance Administrators can help ensure compliance with health requirement policies by choosing to automatically update noncompliant computers with the required updates through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In an isolation environment, computers that do not comply with health requirement policies have limited access until the software and configuration updates are completed. Again, in both environments, the administrator can define policy exceptions.
- Limited access for noncompliant computers Administrators can protect network assets by limiting the access of computers that do not comply with health requirement policies. Computers that do not comply will have their network access limited as defined by the administrator. That access can be limited to a restricted network, to a single resource, or to no internal resources at all. If an administrator does not configure health update resources, the limited access will last for the duration of the connection. If an administrator configures health update resources, the limited access will last only until the computer is brought into compliance.
NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set for adding features that verify and remediate a computer's health to comply with health requirement policies. By itself, NAP does not provide features to verify or correct a computer's health. Other features, known as system health agents (SHAs) and system health validators (SHVs), provide automated system health reporting, validation, and remediation. Windows Vista, Windows Server 2008, and Windows 7 include an SHA and an SHV that allow the network administrator to specify health requirements for the services monitored by the Windows Security Center.
When troubleshooting client-side problems related to NAP, open Event Viewer and browse the Applications And Services Logs\Microsoft\Windows\Network Access Protection Event Log.
In this tutorial:
- Windows 7 Client Protection
- Understanding the Risk of Malware
- User Account Control in Windows 7
- UAC for Standard Users
- UAC for Administrators
- UAC User Interface
- Secure Desktop
- How Windows Determines Whether an Application Needs Administrative Privileges
- How to Control UAC Using Application Properties
- How UAC Examines the Application Manifest
- UAC Heuristics
- UAC Virtualization
- UAC and Startup Programs
- Compatibility Problems with UAC
- How to Configure UAC
- Group Policy Settings
- Control Panel
- Msconfig.exe
- How to Configure Auditing for Privilege Elevation
- Other UAC Event Logs
- Best Practices for Using UAC
- AppLocker
- AppLocker Rule Types
- Auditing AppLocker Rules
- DLL Rules
- Custom Error Messages
- Using AppLocker with Windows PowerShell
- Using Windows 7 Defender
- Understanding Windows Defender
- Automatic Scanning
- Real-Time Protection
- Windows Defender Alert Levels
- Understanding Microsoft SpyNet
- Configuring Windows Defender Group Policy
- Configuring Windows Defender on a Single Computer
- How to Determine Whether a Computer Is Infected with Spyware
- Best Practices for Using Windows Defender
- How to Troubleshoot Problems with Unwanted Software
- Network Access Protection
- Forefront