Computer Performance, Windows Server 2008

3CX Phone System for Windows - VOIP IP PBX

3CX Phone System for Windows -
VOIP IP PBX

Get your 5 free applications now

Application Publishing with 2X ApplicationServer

Guy RecommendsGFi Events Manager

A solution to monitor, manage and archive thousands of events that are generated by devices across the entire network. 
Download FREE trial

Windows Server 2008 - NAP (Network Access Protection)

Windows Server 2008 - NAP (Network Access Protection)

Don't make the mistake of confusing Network Access Protection (NAP) with *Network Center.  Microsoft's NAP is a client server technology designed to protect your network from 'unhealthy' machines.  The way that NAP works is for Windows Server 2008 to compare the Vista clients SoH (statement of health) with their policies.  You can also configure NAP to only allow compliant computers on to the main network; one day, such clients could include XP with SP3.

*(The Network Center is a Control Panel container for troubleshooting IP settings and negotiating Wireless connections.)

NAP Topics

What NAP can do for you

Let us consider how computer viruses spread?  I take it that as read this article, you minimise virus attack by protecting the Internet connection with firewalls.  In addition, you scan Email attachments; what else can you do?  Ah yes, examine those laptops and other mobile devices that itinerant associates bring onto your network.  Thanks to Network Access Protection, you can isolate viruses which would otherwise attacks from via laptops.  An even better alternative is to specify a policy, which cleans the affected machines and when they are healthy, permits them access to parts of your production network.

NAP Philosophy

NAP is a client server technology which identifying machines that don't have the latest virus signatures, service packs or security patches.  Such machines are most likely to be laptops that have been offsite for a while, or home computers trying to connect via a VPN.  Apparently hackers, in commons with all cowards, target the older weaker members of the computer society.

Validating Machines:  The mission of NAP is to preserve the integrity of your network by allowing only healthy machines to have IP addresses that can connect to the main subnet.  You may find that validating machines is an ongoing task as your NAP policy will evolve over time with the release of new service packs, and sadly, new viruses.

Restricting Network Access:  Visiting laptops which don't meet your policy standards, whether or not they are riddled with viruses, can be restricted to the repair subnet.  As I hinted earlier, for safety, you may also need to exclude desktops that have missed a security patch until they have been remediated.

Fixing Unhealthy Machines: 

NAP provides a range of strategies once it detects such 'unhealthy' machines.  For example, you could configure the NAP servers to restrict all machines until they pass muster.  Or a better tactic is to direct them to a remediation server, which could apply SMS packages containing antivirus signatures, and thus cure their computer illnesses.  Another alternative would be to allow machines which don't meet all the criteria, limited access, for example visiting consultants laptops' get internet access only.

Remember that NAP is for validating a computer's software, unfortunately, it cannot protect against malicious hackers with a valid IP address.  For that you need different tactics.

Components of NAP

NAP is a classic client server technology.  All the necessary NAP components will be built into Vista clients and Windows 2008 Servers.  In addition, XP with SP3 will also be able to benefit from NAP.  What is unusual is that Microsoft are encouraging third party anti-virus vendors to participate in the technology in general, and the SHA (System Health Agent) in particular.

Remember that NAP is designed to protect your network from 'unhealthy' machines.  Tactics involve identifying what constitutes a healthy machine, configuring one or more policies and deciding what do about computers that fail to match your criteria.

When a Vista machines boots-up, a conversation takes place with the Health Registration Authority Server.   The client SHA sends a SoH (Statement of Health) to the Windows 2008 server.  This packet contains details of software updates and anti-virus signatures.  The server then compares the SoH with one or more of its policies.  If the Vista client lacks any of the components, you can predetermine what action to take. For example, whether to ban it from the production subnet, or try and remediate by adding patches.

NAP Network Access Protection

NAP Server Components
(Windows Server 2008 or Windows Server 2003)

Whenever you see lots of acronyms - as here with the NAP family, slow down the going gets tough.  It all begins to make sense if you install the Network Policy and Access Services Role (NPAS) on your Server 2008.  Incidentally, NPAS replaces IAS (Internet Authentication Service) in Windows 2003.

Microsoft's NAP Administration Server.  This main NAP Server checks the network policies (formerly RAS Policies), analyzes the Vista laptops or XP desktops and then decides whether or not to allow access to the network.  While it is a Windows Server 2008 machine, it does not have to be a domain controller, but as I mentioned earlier, do install the NPAS role.

System Health Validator (SHV).  This component determines whether the the SoH (Statement of Health) issued by the client's SHA (System Health Agent), matches the required health policy criteria on the server.

Quarantine Agent (QA). This reports the client's health status.

Health Policy.  This is a list of conditions, you can have a different policy for each of these technologies;  IPSEC, DHCP, 802.1 or VPN.

Accounts Database.  This is a portion of Active Directory that stores NAP properties for a computer or user.

Health Certificate Server, IIS on Windows Server 2008.

Remediation server (Optional).  This server is designed to help treat unhealthy clients, consequently it has the patches, virus signature updates, which may cure an unhealthy machine.  However, further policies decide which machines get the patches, for example, it would be too intrusive to add software patches to visitors' machines.  In practice, this remediation server could also be the anti-virus / update server.

Here are the NAP policy systems

You may have seen similar to these Network Policies in W2K3 RAS policies and profiles.

IPSec

This creates the most secure configuration.  IPSec and NAP work in tandem to ensure that all machines are healthy, and furthermore they only communicate using the encrypted IPSec protocol.

DHCP

Probably the most common implementation of NAP, every time the client asks to renew its IP address DHCP enforces health compliance.

802.1 (EAPHost)

Restricts access at the wireless access points until the clients are confirmed as healthy.

VPN

The VPN server enforces the policies whenever a client computer attempts a connection over the VPN.

NPS (Network Policy Server) / Radius

Similar to VPN.

You can also apply NAP and its policies to Terminal Server connections.

̃

Summary of NAP (Network Access Protection)

The idea of Network Access Protection (NAP) is to identify and then to isolate 'unhealthy' computers.  To be frank, the most likely source of 'unhealthy' computers is likely to be a visiting laptop.   NAP is a client server technology which gives you a range of options for dealing with machines that lack up-to-date virus signatures, patches or service packs.

Windows Server 2008 provides NP (Network Protection) policies and enforces their implementation.  As a result there is no excuse for virus ridden laptops to infect your network.  However NAP is not all 'bad guy', it can be configured to apply patches and so bring machines up to the standards required to communicate with your servers.

With NAP you configure policies for IPsec enforcement, 802.1X enforcement, VPN enforcement, DHCP , depending on their needs.  Microsoft provides an infrastructure and an API, which vendors and software developers can use to build their own health validation components.

TrainSignal - Recommended Vista Training VideosTrain Signal has just released their New Windows Server 2008 Training Course.  As an MCT trainer, I am a huge advocate of Train Signal’s products.  What impresses is me is that they demonstrate everything that they teach and they stay away from traditional 'lecture-style' training.  If you are looking for a complete DETAILED coverage of Windows Server 2008, then I highly recommend that you give this course a try.  I have reviewed their 6 hours plus of videos myself, and I guarantee that you will not be disappointed!

Watch a Windows Server 2008 Training Video Demo.

Microsoft Windows Server 2008 Topics:

• Server 2008 Home   • Overview   • What's New?   • Migration Advice  • Install   • Editions

• AD DC   • Roles   • Features   • Hyper-V   • UAC   • IPv6   • GP Preferences

^

Google
WebComputerperformance.co.uk

GFi Events Manager

Guy Recommends: GFi EventsManager

Here is a solution to monitor, manage and archive thousands of events that are generated by devices across your entire network.  Get your free evaluation copy of GFI EventsManager.

 

Home Copyright © 1999-2008 Computer Performance LTD All rights reserved

Please report a broken link, or an error.