

Windows Vista - Network Access Protection (NAP)


Don't make the mistake of confusing Network Access Protection (NAP) with Vista's Network Center.  Microsoft's NAP is a client-server technology designed to protect your network from 'unhealthy' machines.  Client-side system health agents (SHAs) are built into Vista; the Windows Server 2008 or Windows 2003 Servers* compare the client's SoH (statement of health) with their policies.  You can configure NAP to allow only healthy machines onto the main network.  (The Network Center is a Control Panel container for troubleshooting IP settings and negotiating wireless connections.)

*Windows 2003 Servers require an update, which is currently under testing, before they can fulfil the NAP server role.

Introduction to Network Access Protection (NAP)

How do computer virus infections spread?  Let us assume that you minimise virus attacks by protecting the Internet connection with firewalls and scanning email attachments; what else can you do?  Ah yes, check those laptops and other mobile devices that itinerant associates bring to your network.  Thanks to Network Access Protection, virus attacks via laptops can be isolated, or if you specify a policy, the affected machines can be cleaned and then allowed onto your production network.

NAP Philosophy

The mission of NAP is to preserve the network by allowing access to only healthy machines.  Visiting laptops which don't meet your policy standards, whether or not they are riddled with viruses, can be restricted to the repair subnet.  There, NAP remediation servers may be able to add SMS packages containing antivirus signatures and thus cure their deficiencies.

Remember that NAP focuses on the computer; unfortunately, it cannot protect against malicious users.

NAP is a client-server technology which identifies machines that don't have the latest virus signatures, service packs or security patches.  Such machines are most likely laptops that have been offsite for a while, or home computers connecting through a VPN.  Apparently hackers, in common with all cowards, target the older, weaker members of the computer society.

What strategy you employ once the server detects such 'unhealthy' machines is up to you.  You could configure the NAP servers to ban all machines until they pass muster, allow at least some of them onto the network, or better still, point them to the remediation servers.  Another alternative would be to allow machines which don't meet all the criteria limited access; for example, visiting consultants' laptops get Internet access only.

Components of NAP

Remember that NAP is a classic client-server technology.  All the necessary NAP components will be built into Vista clients and Longhorn Servers.  However, there is talk of adding patches to XP (SP3) and Windows Server 2003 so that they can also benefit from NAP.

Your mission is to protect your network from 'unhealthy' machines.  Tactics involve identifying what constitutes a healthy machine, configuring one or more policies and deciding what to do about computers that fail to match your criteria.

When a Vista machine boots up, a conversation takes place with the NP (Network Protection) Server.  The client agent sends a SoH (Statement of Health), which details software updates and anti-virus signatures, to the NP Server.  The server compares the SoH with one or more of its policies.  If the Vista client is deficient in any of the components, you can predetermine what action to take: for example, whether to try to remediate the client or just ban it from the production network.

NAP Server Components (Windows Server 2008 or Windows Server 2003)

Microsoft's NAP Administration Server.  The main NAP Server reviews the policies, analyzes the clients and then decides whether or not to allow access to the network.

System Health Validator (SHV).  Determines whether the SoH (Statement of Health) issued by the client's SHA (System Health Agent) matches the required health criteria on the server.

Health Policy.  A list of conditions.  You can have a different policy for each of these technologies: IPSEC, DHCP, 802.1 or VPN.

Accounts Database.  A portion of Active Directory that stores NAP properties for a computer or user.

Health Certificate Server, IIS on Longhorn.

Optionally, a Remediation server.  This server is designed to help treat unhealthy clients; consequently, it holds any patches and virus signature updates that may cure a sickly machine.  However, further policies decide which machines get the patches; for example, visitors' machines would not have any software fixes applied.  See more about NAP on Windows Server 2008.
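The SoH comparison and the remediation choice described above can be modelled in a few lines. This is an added example, not Microsoft's code or the real SoH format: the field names, thresholds and sample clients are constructed for illustration, and it assumes managed machines are remediated while visitors' machines are only restricted.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    FULL = "full network access"
    REMEDIATE = "restricted subnet, remediation offered"
    RESTRICTED = "restricted access, no fixes applied"

@dataclass(frozen=True)
class StatementOfHealth:
    # Constructed fields; a real SoH is produced by each SHA on the client.
    machine: str
    av_signature_age_days: int
    missing_patches: tuple
    firewall_enabled: bool
    managed: bool  # False for a visitor's machine

@dataclass(frozen=True)
class HealthPolicy:
    # Hypothetical thresholds standing in for the server's health policy.
    max_signature_age_days: int = 3
    require_firewall: bool = True
    allow_missing_patches: int = 0

def validate(soh, policy):
    """SHV role: return the list of health failures (empty means healthy)."""
    failures = []
    if soh.av_signature_age_days > policy.max_signature_age_days:
        failures.append("antivirus signatures out of date")
    if len(soh.missing_patches) > policy.allow_missing_patches:
        failures.append("missing patches: " + ", ".join(soh.missing_patches))
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall disabled")
    return failures

def decide(soh, policy):
    """NAP Administration Server role: map health failures to an access level."""
    failures = validate(soh, policy)
    if not failures:
        return Access.FULL, failures
    # Unhealthy: managed machines go to remediation, visitors are only restricted.
    return (Access.REMEDIATE if soh.managed else Access.RESTRICTED), failures

# Constructed sample clients.
CLIENTS = [
    StatementOfHealth("desk-01", 1, (), True, True),
    StatementOfHealth("laptop-17", 30, ("patch-A",), True, True),
    StatementOfHealth("visitor-03", 12, (), False, False),
]

if __name__ == "__main__":
    for client in CLIENTS:
        access, why = decide(client, HealthPolicy())
        print(f"{client.machine}: {access.value} {why}")
```
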

Here are the five NAP policy systems.

IPSec

This is the most secure configuration.  IPSec and NAP work in tandem to ensure that all machines are healthy and only speak the encrypted IPSec protocol.

DHCP

Probably the most common implementation.  Every time the client asks to renew its IP address, DHCP enforces health compliance.

802.1 (EAPHost)

Restricts access at the wireless access points until the clients are confirmed as healthy.

VPN

The VPN server enforces the policies any time a client computer attempts a connection over the VPN.

NPS (Network Policy Server) / Radius

Just works as a Policy Server.

Summary of Network Access Protection

The idea of Network Access Protection (NAP) is to identify and then to isolate 'unhealthy' computers.  The number one source of 'unhealthy' computers is likely to be a visiting laptop.   NAP is a client server technology which gives you a range of options for dealing with machines that lack up-to-date virus signatures, patches or service packs.
