Introduction to Network Access Protection (NAP)

Before you start

Objectives: Learn what is Network Access Protection (NAP), its parts, and why it is used.

Prerequisites: no prerequisites.

Key terms: NAP, client, server, role, network access, protection.


 What is NAP

It is important for all computers in our network to have an antivirus software installed and to be up to date with the latest security fixes. Starting from Windows Server 2008 and 2008 R2, we have a new feature called Network Access Protection (NAP). NAP restricts network access based on a client computer health.

NAP can be configured to restrict network access based on:

  • Anti-virus software availability and if it is up to date
  • Anti-spyware software availability and if it is up to date
  • Status of the Firewall (if it is on)
  • Latest updates and if we have updates enabled

Based on these criteria, we can allow or deny access to our network. These settings are configured in Security Health Validator (SHV).

When a client connects to a network that has NAP enabled, the client will be scanned for the options configured in the SHV. If the computer is compliant with the our options, it will be given network access. Otherwise, they will be placed in a separate, isolated network, or be completely denied access to the network. In order for this to work, clients must have NAP aware software installed. NAP client will generate a Statement of Health (SoH) that reports the health of the client. The NAP client will actually prevent the system from accessing the network if it is not in compliance with health requirements. In the other side we have a NAP server which tracks the health requirements and verifies client compliance before gaining network access. A Windows Server running the Network Protection Service role is a NAP server. SHV runs on the NAP server and identifies the client health requirements. All clients will connect to the Enforcement Server (ES) (or enforcement point), which is a network connection point, and then submit the SoH for validation. The ES will forward the SoH to the NAP server for validation, which will then respond with an action. The ES then executes the action.

Non-compliant computers can be placed in a network called the Remediation network. While in the remediation network, they can be allowed access only to certain servers, called remediation servers (like Windows Update Server or Anti-virus server). These remediation servers are usually located in the remediation network and provide the necessary updates, patches and definitions, so unhealthy clients can be updated and reach a compliant state.

Clients can also perform some remediation steps automatically, like turning on Windows Update or enabling the Firewall. If the NAP policy specifies certain criteria that Windows clients are not compatible with, the Security Center will interact with the Action Center to automatically bring the client into a compliant state. Clients will also have to perform manual remediation, so we have to make sure that our users know what they should do to bring their computer into compliant state.