NAP
in Windows Server 2008 R2 is composed of a series of components that
provide for the ability to restrict client access to networks through
various mechanisms such as controlling who gets an IP address from a
DHCP server or who issues an IPSec certificate. NAP itself was developed
as an industry-independent technology, and was made with a published
set of APIs that allow third-party vendors, such as network
device makers and other software companies, to develop their own set of
devices that integrate together with Windows Server 2008 R2 devices.
Exploring the Reasons for Deploying NAP
Network Access Protection
was developed as a technology in response to the threats faced by
computers that are not up to date with the latest security patches or do
not have other security controls in place, such as up-to-date versions
of antivirus software or the lack of a local software firewall. These
systems are often the first to be compromised, and are often the target
of spyware attacks and are, subsequently, especially vulnerable.
Simply allowing these clients
unfettered access to a network is no longer an option. Compromised
systems inside an internal network pose an especially strong security
risk, as they could easily be controlled by malicious entities and could
compromise sensitive data. Identifying a method for controlling these
clients is becoming critical, which is why Microsoft developed the NAP
concept in Windows Server 2008 R2.
Outlining NAP Components
There are three
main characteristics of NAP, all of which are included within Windows
Server 2008 R2 functionality. These characteristics are as follows:
Health policy compliance—
The ability to fix the problem is central to a NAP platform.
Subsequently, compliance mechanisms, such as Windows Server Update
Services (WSUS) servers, System Center Configuration Manager 2007
agents, and other remediation services fill the health policy compliance
space of a NAP platform. Windows Server 2008 R2 can automatically refer
clients to a remediation server before granting full network access.
For example, a client that is out of date with patches can be referred
to a WSUS server to have their patches installed.
Health state validation—
Through agents on the client systems, the specific state of an
individual client can be monitored and logged. The administrator of a
NAP platform will be able to tell how many systems on the network are
out of date with patches, don’t have their firewalls turned on, and many
other health state statistics. In some cases, health status is simply
noted; in others, it is used to block access to clients.
Access limitation—
The cornerstone to an effective NAP platform is the ability to restrict
access to networks based on the results of the health state validation.
The type of access granted can be very granular. For example, clients
can have access to specific systems for patching, but not to other
clients. Windows Server 2008 R2 includes custom access limitation
capabilities in NAP, allowing administrators to create flexible
policies.
Understanding Windows Server 2008 R2 NAP Terminology
The following terms are useful to understand NAP concepts used in Windows Server 2008 R2:
Enforcement Client (EC)—
A client that takes part in a NAP infrastructure. Windows 7, Windows
Vista, and Windows XP SP3 support NAP and can be an EC in a NAP
topology, as they all contain the System Health Agent component.
Enforcement Server (ES)—
A server that takes part in a NAP infrastructure and enforces the
policies. In Windows Server 2008 R2, this is the Network Policy Server
(NPS) role.
System Health Agent (SHA)—
The actual agent that sends health information to the NAP ES servers.
In Windows 7, Windows Vista, and Windows XP SP3, this is the Windows
System Health Validator SHA, which is a service that runs on each client
and monitors the local Windows Security Center on the machines.
System Health Validator (SHV)—
An SHV is the server-side component of NAP that processes the
information received from the SHAs and enforces policies. The Windows
Server 2008 R2 SHV can be fully integrated into NAP products from other
vendors, as it is based on open standards.
Remediation Server—
A server that is made accessible to clients that have failed the NAP
policy tests. These servers generally provide for services that clients
can use to comply with policies, such as WSUS servers, DNS servers, and
System Center Configuration Manager servers.
Changes in NAP and NPS in Windows Server 2008 R2
NAP and NPS concepts
were originally built in to the original Windows Server 2008 operating
system. Windows Server 2008 R2 adds a few changes and improvements to
both technologies, including the following:
Multiconfiguration Service Health Validators—
The biggest change to NAP in Windows Server 2008 R2 is the ability to
create multiple SHVs across a single set of NAP health policy servers.
This allows for multiple policies, creating some which might be more or
less restrictive and providing for the creation of exceptions.
NPS templates—
Templates are now provided for elements such as RADIUS clients or
shared secrets. These templates can be exported for use on other NPS
servers.
Accounting improvements in NPS—
RADIUS accounting improvements have been added to NPS along with full
support for international character sets providing better logging and
tracking capabilities.
