Many of Windows Server 2008's new features have received a lot of press -- particularly big, glamorous features such as Hyper-V, read-only domain controllers and Windows PowerShell. Still, one of the more overlooked new security features, Network Access Protection (NAP), is worth some of your time, even though it might not be as glamorous as its cousins.
Basically, Microsoft designed Network Access Protection to make sure that the computers connecting to your network are up to your security standards. This includes the latest antivirus software, patches and so forth. Computers that don't meet security standards can be banned entirely or allowed only a limited set of connectivity (enough, for example, to contact a Windows Update server). NAP helps ensure that computers on the network are less likely to be infected with and spread malware. It was originally intended to be a Windows Server 2003 feature, but it took a while for Microsoft to make it work well enough to ship, and it's now here in Windows Server 2008.
Network Access Protection is a policy-based system, meaning you define policies that describe your security standards, and NAP enforces them. Because NAP is designed to ensure that machines stay updated, its features emphasize update distribution. For example, if your local Windows Server Update Services machine is unavailable, NAP can fall back to Windows Update or Microsoft Update. Network Access Protection is also compatible with Cisco's Network Admission Control (NAC) technologies, which provide infrastructure support for quarantining computers to a limited portion of the network.
NAP is built around a Network Policy Server, or NPS, which replaces the older Internet Authentication Service (IAS) in Windows Server 2003. NPS is a RADIUS-compatible server designed to provide authentication and authorization for remote clients, and it acts as the "health evaluation server" for Network Access Protection. The NPS stores your NAP policies, which are also referred to as health policies. The actual evaluation of those rules is performed by an enforcement point, which is a compatible RADIUS client that's capable of communicating with NPS.
NPS actually supports three types of policies:
Connection requests -- Determine general rules for requests from RADIUS clients, such as whether specific requests are handled by the NPS or proxied to another RADIUS server.
Network policies -- Define how connection attempts are either authorized or rejected.
Health policies -- Define health rules that must be met in order to connect.
Within a health policy, you would specify one or more System Health Validators, or SHVs. (I know, the acronyms get thick with this technology.) SHVs are little scanning engines that check various configuration settings and report on a computer's health. You also specify Remediation Server Groups, which are the servers a client can access if they don't meet their health check. Typically you'll include an update server of some kind in this group. Don't forget to include basic infrastructure services in the remediation group and to make sure those services are well-protected from malware, since they may be dealing with infected machines.
Microsoft includes a Windows Security SHV that works with both Windows XP and Vista. It allows you to require that a firewall and Automatic Updates are enabled and that antivirus and anti-spyware are enabled and up to date. Note that these checks all rely on the Security Center functionality introduced in Windows XP Service Pack 2. If your antivirus software doesn't report its status to the Security Center, then the SHV won't see it either.
One cool feature is the ability to specify a "troubleshooting URL," which is a URL clients are directed to when they're not healthy enough to be allowed on the full network. That gives you a way to explain what's happening and help users to remedy the problem.
You also have the ability to set up different rules. For example, having a firewall turned off might allow access to a larger remediation group than not having antivirus.
So how does all this work?
A client computer attaches to the network through whatever means – dial-up connection, VPN, etc. Part of that involves authenticating, which is (in the case, say, of a remote connection) connecting to a RADIUS server – which is an endpoint.
The endpoint sends a request to the Network Policy Server, which processes it according to its connection rules.
NPS evaluates the health information in the request, and passes each included Statement of Health to an SHV. The results are compared to a health policy.
NPS evaluates its network policies to determine if it will allow the request.
Based on all these evaluations, NPS grants unlimited access or limited access, or it denies access. It sends this decision to the enforcement point, which forwards it to the client. The enforcement point is responsible for enforcing the limited access.
For more information, check out this documentation from Microsoft on Network Access Protection policies in Windows Server 2008. It does a great job of showing you how to set up health policies, and really demonstrates what you can do.
ABOUT THE AUTHOR
Don Jones is a co-founder of Concentrated Technology LLC, the author of more than 30 IT books and a speaker at technical conferences worldwide. Contact him through his website at www.ConcentratedTech.com .
This was first published in November 2008