Nowadays security is put to the test again and again as vulnerabilities are exploited by everything from hackers to viruses. These threats can be controlled with applications running on the systems to prevent them. But what if the technology itself were proactive? Microsoft 2008 Server has a feature called Network Access Protection, and I really like it a lot. With it you can create policies for systems that are not compliant with patches, and it will prevent those systems from communicating over the network until they are updated. Policies can also be created around virus definitions: systems that do not have the latest signatures will not communicate until the latest signatures are present. What the policies contain and what you control with them depends on the administrator who creates them. It sounds really cool. Yes, it will minimize the threats and the unwanted downtime that can arise from them.
Network Access Protection (NAP) can restrict clients from communicating over the network if the client has security concerns. That is, if security patches or antivirus updates are not up to date, NAP will prevent those clients from communicating over the network. To achieve this, a Policy Server needs to be configured. After configuring it, you link those policies to clients using the local Windows system health agent. Let's look at it in detail.
Why do you need NAP?
NAP was developed to minimize the security threats posed to the business world by:
- Outbreaks due to lack of security patches
- Virus outbreaks due to systems not having the latest virus definitions
Windows 2008 Server has three NAP features:
- Health policy compliance - This is the compliance task carried out by Windows 2008 Server. It is the remedial process of NAP; for example, if a system's antivirus has not been updated from the antivirus server, it can help the system get updated.
- Health State - The state of clients can be logged by the agents present on client systems. From this you will know which systems are not updated with patches and which are not updated with antivirus definitions.
- Access limitations - Restrict clients based on health policies.
Terms used in NAP
- System Health Validator (SHV) - A server component of NAP that processes the data received from SHAs in order to enforce policies.
- System Health Agent (SHA) - The agent that sends health information to NAP servers. The service used for monitoring in Vista and XP is Windows System Health Validator SHA.
- Enforcement Server - A server that is used to enforce the policies.
- Enforcement Client - Workstations that are part of NAP policies are called enforcement clients. Windows XP SP3 and Vista are both supported.
- Remediation Server - Servers that remain accessible to a client that has failed health checks because its patches or antivirus definitions are not up to date.
What is an NPS server?
The server that handles NAP is the Network Policy Server (NPS). It also acts as your SHV and Enforcement Server (ES); the roles of these components are described in the terms above.
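To make the terms above concrete, here is a small conceptual model of how a health report from an SHA is validated by the SHV and turned into an access decision by the enforcement server. It is an added example, not Microsoft code or the NAP protocol; the thresholds, client names and IP addresses are constructed, and treating a client with no health report as non-compliant is an assumption of the model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical policy values; a real health policy is configured on the NPS server.
MAX_PATCH_AGE = timedelta(days=30)
MAX_AV_SIGNATURE_AGE = timedelta(days=3)
REMEDIATION_SERVERS = {"10.0.0.10", "10.0.0.11"}  # constructed addresses

@dataclass
class StatementOfHealth:
    """What the System Health Agent (SHA) on the client reports."""
    last_patch_install: date
    av_signature_date: date

@dataclass
class Decision:
    client: str
    compliant: bool
    failed_checks: List[str]  # the logged health state of the client

def validate(client: str, soh: Optional[StatementOfHealth], today: date) -> Decision:
    """System Health Validator (SHV) role: compare the report with policy."""
    if soh is None:
        # Assumption of this model: no agent report means not compliant.
        return Decision(client, False, ["no health report"])
    failed = []
    if today - soh.last_patch_install > MAX_PATCH_AGE:
        failed.append("security patches out of date")
    if today - soh.av_signature_date > MAX_AV_SIGNATURE_AGE:
        failed.append("antivirus signatures out of date")
    return Decision(client, not failed, failed)

def may_connect(decision: Decision, destination: str) -> bool:
    """Enforcement server role: healthy clients get full access,
    unhealthy clients can reach only the remediation servers."""
    return decision.compliant or destination in REMEDIATION_SERVERS

if __name__ == "__main__":
    today = date(2008, 6, 1)  # constructed sample data
    reports = {
        "pc-01": StatementOfHealth(date(2008, 5, 20), date(2008, 5, 31)),
        "pc-02": StatementOfHealth(date(2008, 3, 1), date(2008, 5, 20)),
        "pc-03": None,
    }
    for client, soh in reports.items():
        d = validate(client, soh, today)
        print(client, "full access" if d.compliant else f"restricted: {d.failed_checks}")
```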
What policies can be created?
- Internet Protocol Security (IPSec)
- 802.1X authentication
- Virtual private network (VPN) connections
- Dynamic Host Configuration Protocol (DHCP) addresses
Again, these policies are created based on system health.
How to install the NPS server
- Open Server Manager, a new tool included in Windows 2008 Server
- Click Add and then Roles, then click Next
- Select NAP and access services from the role list
- On the Select Role Services page, select the role services your server needs as per your requirements and then click Next
- The Certification Authority page appears, for issuing health certificates to clients; choose whether to use an existing CA or install a new CA server.
- If you configure HRA (Health Registration Authority), it will issue certificates to domain-authenticated users and not to workgroup users; select as per your needs.
- Select the server authentication certificate used to encrypt network traffic
- With all the prerequisites above in place, select Install and then click Close when the installation has finished
You have just installed the NPS server. After installation you need to create policies for your clients, which is not covered in this article. In this article you learned what NAP is, which terms are used in NAP, and how to install NAP.