When I first read about NAP (Network Access Protection), Microsoft's new Network Access Control (NAC) solution in Windows Server 2008, I was quite surprised how complex it has become. All the papers I have read about its infrastructure were somewhat confusing. This post lists all the important NAP components accompanied by a brief description of their function. Just in case you haven't read my post about the NAP essentials yet, I recommend having a look at it first.
If you have already read some of Microsoft's white papers about this topic, you'll realize that my description is quite simplified. But I think it is easier to understand and memorize this way.
NAP client
The NAP client consists of three layers: the System Health Agents (SHA), the NAP Agent, and the Enforcement Clients (EC). There are also APIs allowing third-party vendors to integrate their own SHAs and ECs in Microsoft's NAP infrastructure.
System Health Agent (SHA)
The SHA checks if certain system health requirements are fulfilled. The SHA that comes with Vista and Windows Server 2008 can verify whether the following conditions are met: Windows Firewall is on; antivirus and antispyware software are installed, enabled, and updated; Microsoft Update Services is enabled, and the most recent security updates are installed. If the system is not in the required state, the SHA can then start a process to remedy the situation. For example, it can enable Windows Firewall or contact a remediation server to update the antivirus signatures.
NAP Agent
Sometimes this component is also called Quarantine Agent. It maintains the health state information and facilitates the communication between the SHAs and the ECs.
Enforcement Client (EC)
Sometimes you will also find this as the Quarantine Enforcement Client (QEC). Each NAP enforcement method has its own EC. So there is a DHCP EC and an IPsec EC, for example. Usually, they are integrated with the corresponding service client. So the DHCP EC is a part of the DHCP client. Its main function is to communicate with the server-side NAP infrastructure, thereby enforcing the quarantine of the client if the health requirements are not met. It is the only client component that interacts with the NAP infrastructure on the server side.
Let's look at the server side of the NAP infrastructure.
Enforcement Server (ES)
This can also be referred to as the Quarantine Enforcement Server (QES). The NAP ES communicates with its corresponding NAP EC. Each enforcement method has its own ES, which is integrated in the corresponding service. For example, the DHCP ES is a part of the DHCP Server. Essentially, the ES has the same functions as the EC. It is the interface between the server-side NAP infrastructure and the client side, and ensures that noncompliant clients are quarantined. For example, the DHCP ES would make sure that a DHCP server issues the network mask 255.255.255.255 to noncompliant clients. This way they can't access other computers in the network.
NAP Server
A NAP server is just another name for a NAP-enabled server component. So a DHCP server supporting NAP is a NAP server, for example. Don't confuse it with a NAP Health Policy Server.
NAP Health Policy Server (NPS)
The NPS consists of the NPS Service, the NAP Administration Server and the System Health Validator (SHV) components.
System Health Validator (SHV)
Each SHV has a corresponding SHA on the client side. It is here where you define the health requirements for your whole network. Windows Server 2008 comes with just one SHV allowing you to choose among the health requirements mentioned above (Windows Firewall enabled, antivirus software updated etc). Third-party vendors can integrate their own SHVs here.
NAP Administration Server
The NAP Administration Server is kind of a distributor and integrator for NAP information. Information that comes from the NPS service is distributed to the different SHVs. Each SHV only receives the information which is relevant for it. The information that comes from the different SHVs is integrated in one message and passed on to the NPS Service.
NPS Service
The NPS Service communicates with the NAP Server using the RADIUS protocol. It is kind of an interface between the NAP server and the NAP Administration Server.
The figure below is a simplified representation of the NAP infrastructure. It assumes that just one enforcement method (DHCP) is used and no third party extensions are involved. The arrows signify the communication paths between the NAP components.
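The communication path described above, for the single DHCP enforcement method, as a simplified Python model. This is an added example, not Microsoft's code or the NAP API: the function names, the report fields, the "windows" SHA id, the compliant mask 255.255.255.0 and the treatment of a missing SHA report as noncompliant are all assumptions made for illustration.

```python
# Simplified model of the DHCP enforcement path; names, fields and policy are
# constructed for illustration and are not the NAP API or its wire format.
QUARANTINE_MASK = "255.255.255.255"  # issued by the DHCP ES to noncompliant clients
NORMAL_MASK = "255.255.255.0"        # assumed mask for compliant clients

REQUIRED = ("firewall_on", "antivirus_updated", "updates_installed")

def windows_shv(report):
    """SHV: return the health requirements this SHA report fails."""
    return [req for req in REQUIRED if not report.get(req, False)]

SHVS = {"windows": windows_shv}      # one SHV per SHA, keyed by a made-up id

def nap_agent(shas):
    """Client: the NAP Agent gathers every SHA's report into one statement."""
    return {sha_id: sha() for sha_id, sha in shas.items()}

def administration_server(statement):
    """Give each SHV only its own SHA's report, then merge the verdicts."""
    failures = {}
    for sha_id, shv in SHVS.items():
        report = statement.get(sha_id)
        # Assumption of this model: a missing report counts as noncompliant.
        failed = ["no_report"] if report is None else shv(report)
        if failed:
            failures[sha_id] = failed
    return {"compliant": not failures, "failures": failures}

def nps_service(statement):
    """Interface between the NAP server (RADIUS in reality) and the admin server."""
    return administration_server(statement)

def dhcp_es(statement):
    """DHCP ES: pick the subnet mask for the lease from the NPS verdict."""
    verdict = nps_service(statement)
    mask = NORMAL_MASK if verdict["compliant"] else QUARANTINE_MASK
    return mask, verdict["failures"]

def dhcp_ec_request(shas):
    """DHCP EC: the only client component that talks to the server side."""
    return dhcp_es(nap_agent(shas))

if __name__ == "__main__":
    state = {"firewall_on": False, "antivirus_updated": True, "updates_installed": True}
    shas = {"windows": lambda: dict(state)}
    print(dhcp_ec_request(shas))     # quarantined: firewall is off
    state["firewall_on"] = True      # SHA remediation: enable Windows Firewall
    print(dhcp_ec_request(shas))     # normal lease after remediation
```

The second request models the remediation step: once the SHA has enabled Windows Firewall, the same path returns a normal lease.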
Related: Windows Server 2008: Network Access Protection (NAP) essentials