What Is Network Access Protection?

Why Would I Need Network Access Protection?

People ask me all the time why they need network access protection. One of the most time-consuming challenges that network administrators face is ensuring that computers that connect to private networks are up to date and meet health policy requirements. This complex task is something we refer to as maintaining computer health. Enforcing requirements is even more difficult when the computers, such as home computers or traveling laptops, are not under the administrator’s control. Yet failure to keep computers that connect to the network up to date is one of the most common ways to jeopardize the integrity of a network. For example, attackers create malicious software that targets out-of-date computers. Users who do not update their computers with the most recent operating system updates or antivirus signatures risk exposing private network assets to attacks and viruses. Administrators frequently lack the time or resources to ensure that all the software they would like to require is, in fact, installed and up to date. Additionally, administrators cannot easily manage or change requirements as often as they want.

Network Access Protection

Network Access Protection (NAP) for Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 provides components and an application programming interface (API) that help administrators enforce compliance with health requirement policies for network access or communication. With Network Access Protection, developers and administrators can create solutions for validating computers that connect to their networks, provide needed updates or access to needed health update resources, and limit the access or communication of noncompliant computers. The enforcement features of Network Access Protection can be integrated with software from other vendors or with custom programs. Administrators can customize the health maintenance solution they develop and deploy, whether for monitoring the computers accessing the network for health policy compliance, automatically updating computers with software updates to meet health policy requirements, or limiting the access of computers that do not meet health policy requirements to a restricted network.

Network Access Protection is not designed to protect a network from malicious users. It is designed to help administrators automatically maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer has all the software and configuration settings that the health policy requires, the computer is compliant and will be allowed unlimited access to the network. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.


Aspects of Network Access Protection

We usually say that Network Access Protection has three essential aspects:

  • Health state validation  When a computer attempts to connect to the network, the computer’s health state is validated against the health requirement policies as defined by the administrator. Administrators can also define what to do if a computer is not compliant. In a monitoring-only environment, all computers have their health state evaluated and the compliance state of each computer is logged for analysis. In a limited access environment, computers that comply with the health requirement policies are allowed unlimited access to the network. Computers that do not comply with health requirement policies can have their access limited to a restricted network.
  • Health policy compliance  Administrators can help ensure compliance with health requirement policies by choosing to automatically update noncompliant computers with missing software updates or configuration changes through management software, such as Microsoft Systems Management Server. In a monitoring-only environment, computers will have access to the network before they are updated with required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are completed. In both environments, computers that are compatible with NAP can automatically become compliant and administrators can define exceptions for computers that are not compatible with Network Access Protection.
  • Limited access  Administrators can protect their networks by limiting the access of noncompliant computers, as defined by the administrator. Limited network access can be based on a specific amount of time or on what the noncompliant computer can access. In the latter case, administrators define a restricted network containing health update resources and the limited access will last until the noncompliant computer is brought into compliance. Administrators can also configure exceptions so that computers that are not compatible with NAP do not have their network access limited.
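The three aspects above are easiest to see as one decision flow: validate the client's statement of health against the administrator's policy, then either log the result (monitoring-only) or move a noncompliant computer to the restricted network until remediation brings it into compliance, while honouring exceptions for computers that cannot run the NAP client. The following is an added, constructed model of that flow written for this page; it is not Microsoft's NAP code or API. The policy fields, the numeric "patch level", the host names and dates are all assumptions, and it assumes that a computer with no statement of health is treated as noncompliant unless the administrator has listed it as an exception.

```python
"""Toy model of NAP-style health validation (constructed example, not Microsoft code)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import FrozenSet, List, Optional


class Mode(Enum):
    MONITORING = "monitoring-only"   # evaluate and log, never restrict
    LIMITED = "limited-access"       # noncompliant computers go to the restricted network


class Access(Enum):
    UNLIMITED = "unlimited"
    RESTRICTED = "restricted"        # only health update resources are reachable


@dataclass(frozen=True)
class HealthPolicy:
    """Administrator-defined health requirements (field names and values are assumed)."""
    min_os_patch_level: int          # hypothetical monotonic patch counter
    max_signature_age_days: int      # antivirus signatures must be at least this fresh
    require_firewall: bool = True


@dataclass
class StatementOfHealth:
    """What a NAP-capable client reports about itself (constructed shape)."""
    host: str
    os_patch_level: int = 0
    signature_date: Optional[date] = None
    firewall_enabled: bool = False


@dataclass
class Decision:
    host: str
    compliant: bool
    failures: List[str]
    access: Access
    log_line: str                    # what a monitoring-only deployment would record


def check_health(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> List[str]:
    """Health state validation: return the unmet requirements (empty means compliant)."""
    failures = []
    if soh.os_patch_level < policy.min_os_patch_level:
        failures.append(f"os_patch_level {soh.os_patch_level} < required {policy.min_os_patch_level}")
    if soh.signature_date is None:
        failures.append("no antivirus signature date reported")
    else:
        age = (today - soh.signature_date).days
        if age > policy.max_signature_age_days:
            failures.append(f"antivirus signatures {age} days old (max {policy.max_signature_age_days})")
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def decide_access(host: str, soh: Optional[StatementOfHealth], policy: HealthPolicy,
                  mode: Mode, exempt_hosts: FrozenSet[str], today: date) -> Decision:
    """Limited access: map the validation result to a network placement.

    soh is None for a computer that is not NAP-capable and so sends no statement
    of health; assumption: such a computer is noncompliant unless it is exempted.
    """
    failures = ["not NAP-capable: no statement of health"] if soh is None \
        else check_health(soh, policy, today)
    compliant = not failures
    if compliant or host in exempt_hosts or mode is Mode.MONITORING:
        access = Access.UNLIMITED     # compliant, exception, or monitoring-only: never isolate
    else:
        access = Access.RESTRICTED    # limited-access mode: isolate until remediated
    log_line = (f"{today.isoformat()} host={host} mode={mode.value} compliant={compliant} "
                f"exempt={host in exempt_hosts} access={access.value} failures={failures}")
    return Decision(host, compliant, failures, access, log_line)


def remediate(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> StatementOfHealth:
    """Health policy compliance: simulate the management software bringing a client up to date."""
    return StatementOfHealth(
        host=soh.host,
        os_patch_level=max(soh.os_patch_level, policy.min_os_patch_level),
        signature_date=today,
        firewall_enabled=soh.firewall_enabled or policy.require_firewall,
    )


if __name__ == "__main__":
    # Constructed sample data: one stale laptop, one healthy desktop, one non-NAP printer.
    today = date(2024, 1, 15)
    policy = HealthPolicy(min_os_patch_level=10, max_signature_age_days=7)
    laptop = StatementOfHealth("laptop-07", os_patch_level=8,
                               signature_date=date(2024, 1, 1), firewall_enabled=True)
    for mode in Mode:
        print(decide_access("laptop-07", laptop, policy, mode, frozenset(), today).log_line)
    fixed = remediate(laptop, policy, today)
    print(decide_access("laptop-07", fixed, policy, Mode.LIMITED, frozenset(), today).log_line)
    print(decide_access("printer-02", None, policy, Mode.LIMITED, frozenset({"printer-02"}), today).log_line)
```

Running the block shows the same stale laptop being logged but left on the network in monitoring-only mode, isolated in limited-access mode, and released again once `remediate` has patched it; the non-NAP printer stays on the network only because it is on the exception list.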