Network Access Protection (NAP) is certainly one of the most interesting new features of Windows Server 2008. Originally, it was planned to be delivered together with Windows Server 2003 R2. After reading a couple of texts and playing a little with it, I understood why Microsoft postponed it to Windows Server 2008. It is a very complex application having countless different features. This post only contains the core essentials of NAP. Part of it is based on Mitch Tulloch's chapter about NAP in his Windows Server 2008 book.
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
- Automatically mount an NVMe EBS volume in an EC2 Linux instance using fstab - Mon, Feb 21 2022
NAP is a so-called Network Access Control (NAC) solution. It limits network access of computers based on predefined health requirements. If a computer doesn't comply with those requirements, it gets no or a limited access to the corpnet. The latter can be used to automatically remedy a client. So-called remediation servers make sure that a client fulfills the requirements before it gets full network access.
Windows Security Health Validator (SHV) policy
The SHV policy defines the aforementioned health requirements. NAP supports the following health requirements: desktop firewall is enabled, virus protection is on and up to date, antispyware application is on and up to date, automatic updating is enabled, clients received all/low/moderate/important/critical security updates.
NAP enforcement methods
NAC solutions can be distinguished according to their methods of enforcing compliance with the health requirements. NAP supports five different enforcement methods: DHCP enforcement, VPN enforcement, 802.1X enforcement, IPSec enforcement, and TS Gateway enforcement. Third-party vendors can extend NAP with their own enforcement methods.
DHCP enforcement allows you to specify special scope options for noncompliant machines which don't fulfill your SHV policy. For example, you could configure it so that the IP settings for noncompliant computers don't specify a router address. This will prevent those computers from accessing the internet. Furthermore, they can only access the remediation servers.
Noncompliant clients connecting to the corpnet using the Windows VPN client can be quarantined to a restricted network by applying packed filters. Clients can contact remediation servers in this restricted network to download updates, for example.
If your network switches support 802.1X authentication and allows VLAN assignment according to RADIUS attributes , then you can use this method to quarantine noncompliant clients to a certain VLAN.
Compliant NAP clients receive a health certificate from a certification authority (CA). This CA can also be installed on Windows Server 2003. If you want to work with so-called exemption groups (its members don't perform health checks), then you need a machine with Windows Server 2003/2008 Enterprise edition. Basically, IPSec enforcement defines an IPSec policy that assures that only clients with a certain health certificate can establish connections to other computers on the network. If you are using this method, you have to configure IPSec for all your computers. It is certainly the securest of all enforcement methods. But if it isn't configured correctly, your network will be dead.
TS Gateway enforcement
TS Gateway is a new feature of Windows Server 2008 Terminal Services. It allows the use of RDP over HTTPS to establish an encrypted connection to a TS Server. TS Gateway enforcement denies access to a TS server if the SHV policy is unmet. It is the only enforcement method which doesn't support auto-remediation.
Noncompliant computers can be automatically remediated. For example, NAP can automatically turn on Windows Firewall if you configured this as a health requirement.
NAP checks continuously if NAP clients comply with the SHV policy. When a client doesn't fulfill the health requirements anymore, NAP enforcement will be applied immediately.
NAP enforcement levels
NAP supports three different enforcement levels for noncompliant clients: access to a restricted network, full network access for a limited time, and full network access. The latter option can be used to test NAP for some time by running it in report mode.
Windows XP will support NAP when SP3 comes out. Windows Vista and Windows Server 2008 already come with built-in NAP clients. It is a service (Network Access Protection Agent) which doesn't start automatically by default. The NAP client consists of five Enforcement Agents which correspond to the aforementioned enforcement methods. They have to be enabled separately using napclcfg.msc on the client or centrally for the whole network using Group Policy (Computer Configuration\Windows Settings\Security Settings\Network Access Protection). NAP clients for Linux and Macs will be delivered by third-party vendors.
Network Policy Server (NPS)
The NPS, the heart of NAP, can be installed as a server role of Windows Server 2008. Most of the NAP configuration can be done using the NPS user interface. Some settings have to be configured on the backend application that corresponds to the enforcement method. For instance, if you work with DHCP enforcement, you have to configure the scope options of noncompliant clients on the DHCP server.