NAP Time With Windows Server 2008

Using network access protection (aka NAP) is critical for keeping networks secure — not only do users need to be authenticated properly, but client machines need to have the latest security updates and policies in place.

Threats from malware and viruses are not only increasing they are also becoming more sophisticated.

Enterprise networks also have a larger mix of global users accessing the companies’ intranet, Internet and databases; these global users include customers, contractors, consultants, suppliers, partners, and internal employees.

More users are also connecting using Wireless LAN, Wi-Fi, and 3G which creates the need for ever increasing enforcement of security policies.

Windows Server 2008 has a built in core security feature called Network Access Protection. NAP requires a client computer to be compliant with system health policies before it can connect to other computers within the network.

Once NAP is set up properly the system administrator should be able to rest easier.

In this article I’ll give you an overview of how NAP can protect your network from malware and other threats and talk about the required services and configurations you’ll need to run and setup NAP.

When a client computer attempts to connect with a computer within the network, NAP monitors and accesses the health of the client computer. If a client computer meets all of the required software and configuration settings it is considered to be healthy and the client is granted access to the network.

If client computers are non-compliant with NAP policies they can be automatically updated to meet current security policies. They may need the latest operating system updates or an anti-virus signature. Clients that don’t meet certain health policy standards may be granted restricted access or connected to various remediation resources, where health status can be updated.


NAP is a core windows component with Windows Server 2008 and can run with clients using Windows XP with Service Pack 3, Windows Vista, and Windows 7. The server components include a Network Policy Server (NPS) which provides centralized health policy configuration. NPS is a replacement for Internet Authentication Service (IAS) in Server 2003.

A System Health Validator (SHV) must be configured to define computer requirements for connecting to the network. It is possible to have a multi-configuration SHV and some or all of the following may be required on a client computer:

  • Firewall Configuration
  • Virus Protection
  • Spyware Protection
  • Security Update Protection

A Health Registration Authority (HRA) is used to validate client credentials by checking with NPS to make sure that the credentials are compliant with the networks health requirements. A Remediation Server is used to provide updates when the client does not pass the health requirements to access the network.

In order for NAP to work on the client computer the NAP Agent and System Health Agent (SHA) must be installed.


NAP Enforcement

Once the client and server requirements for NAP are met the mode of enforcement must be configured. There are four different enforcement configurations for NAP:

  • IPSec
  • 802.1X
  • VPN
  • DHCP

These can be configured alone or combined for even more protection. Let’s go into a little detail about each one.

Dynamic Host Configuration Protocol (DHCP) is one of the easiest NAP enforcements to deploy because all DHCP client computers must lease an IP address. Therefore if the client computer does not meet the health policy requirements the DHCP server will either assign an invalid IP address, such as, to the client or route the client to the remediation server for updates. This way the client can only access the IP address of the network if all health requirements are met.

IPSec enforcement is a stronger more robust system that works at the Internet layer of the TCP/IP protocol. With IPSec policy settings the administrator can limit access on a per-server and per-application basis. The way IPSec works is that it divides the network into three logical networks consisting of a secure network, a boundary network, and a restricted network.

802.1X enforcement is port based enforcement that requires 802.1X compliant switches and wireless access points. This enforcement provides more security than DHCP enforcement because connections are only allowed after the client health is validated and the identity is authenticated.

VPN enforcement is used by creating a VPN server at the perimeter of the network. There are many different configurations that can be used in this set up, but the basic process is a NAP client computer will request network access through a VPN connection. If the client is compliant it will be granted access otherwise access will be denied or the client will be routed to a remediation server.
Windows 7 And Server 2008 R2

Implementing NAP security in a network takes careful planning and usually should be rolled out in stages ensuring that clients that need access to the network will continue to have access until all health policy updates have been applied. Once the policies have been implemented securing and managing the network should be easier.

With the advent of Windows 7 and Server 2008 R2 more improvements have been made to NAP including NPS templates and template management, RADIUS account improvements, support for non-English character sets, multi-configuration SHV, and multiple NAP client user interface improvements.

With continued efforts to streamline the network security process with NAP and other Server 2008 enhancements the days of network vulnerabilities could be coming to an end. Network administrators won’t have to worry about internal employees showing up after a long weekend and infecting the entire network by plugging in their laptop.


This site uses Akismet to reduce spam. Learn how your comment data is processed.