Network Access Protection
From Wikipedia, the free encyclopedia
Network Access Protection (NAP) is a Microsoft technology for controlling network access of a computer host based on the system health of the host, first utilized in Windows XP Service Pack 3, Windows Vista and Windows Server 2008.
With Network Access Protection, system administrators of an organization's computer network can define policies for system health requirements. Examples of system health requirements are whether the computer has the most recent operating system updates installed, whether the computer has the latest version of the anti-virus software signature, or whether the computer has a host-based firewall installed and enabled. Connecting or communicating computers have their health status evaluated. Computers that comply with system health requirements can communicate with other compliant computers and have normal access to the network. Computers that do not comply with system health requirements will be unable to communicate with compliant computers and can have restricted access to the network.
Overview
The Network Access Protection (NAP) system consists of NAP clients, which are computers that request access to a NAP-enforcing network. NAP policies are enforced at NAP Enforcement Points, which lie at the edge of a protected network. NAP Enforcement Points are systems through which an unprotected network can connect to the internal network; these may be NAP-capable routers, VPN servers, DHCP servers, proxy servers, or specialized computers called Health Registration Authorities (HRA) which run Windows Server 2008. The NAP enforcement points use a Health Policy Server (HPS) to determine the health of the computers that are to be admitted, according to the health policies that the administrator sets on the health policy server. The NAP system also uses the Health Registration Authority (HRA) and the Health Requirement Server (HRS).
When a NAP-capable client computer contacts a NAP enforcement point to gain access to a NAP-protected network, the NAP enforcement agents contact the HPS to check which health parameters are to be evaluated. The HPS must be running the Network Access Policy service in Windows Server 2008 and is configured to act as a health policy server. The administrator specifies the health policies to be enforced via the HPS, such as having the latest antivirus signatures or the latest patches for the OS or other software. The HPS can also act as an authentication server for the client, in order to authenticate the incoming client. The HRS (Health Requirement Server) specifies the versions of software that need to be checked for; for example, it might track the latest version of antivirus signatures or OS updates. The NAP enforcement agents contact the HRS to find out the software configuration to look for on the client, and then verify that the client is configured as such. If the enforcement agent is an HRA server, it can obtain client certificates from certification authorities to validate health policies. If the configuration of the client matches or exceeds the specified criteria, it is granted access.
If some criterion is not satisfied, the client is either denied access to the network or placed in a restricted network subset. The restricted network is a logical partition of the network whose resources can be accessed by a computer that does not conform to the health policies. The restricted network may optionally have a Remediation Server, which hosts the software updates required by the health policy. The client can access that server and install the necessary updates; after that, it can again request access to the network.
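The evaluate-then-remediate cycle described above, as an added simulation in Python; this is not Microsoft's code and does not reproduce NAP's real message formats. The policy values, update identifiers and class names are constructed for the example.

```python
from dataclasses import dataclass, field

# Health requirements as the Health Requirement Server (HRS) would publish them.
# Values are constructed for this example, not a real policy.
@dataclass
class HealthRequirements:
    min_av_signature: tuple      # version that must be matched or exceeded
    required_updates: frozenset  # OS update identifiers that must be installed
    firewall_required: bool

# Health status a NAP client reports to the enforcement point (constructed sample).
@dataclass
class ClientHealth:
    av_signature: tuple
    installed_updates: frozenset
    firewall_enabled: bool

@dataclass
class AccessDecision:
    access: str                                       # "full" or "restricted"
    remediation: list = field(default_factory=list)   # what the remediation server must fix

def evaluate_health(req: HealthRequirements, client: ClientHealth) -> AccessDecision:
    """Health Policy Server logic: compare the client's reported state against the
    HRS requirements. Any unmet criterion places the client in the restricted network."""
    remediation = []
    if client.av_signature < req.min_av_signature:   # tuple comparison: matches-or-exceeds check
        remediation.append(f"update antivirus signatures to {req.min_av_signature} or later")
    missing = req.required_updates - client.installed_updates
    if missing:
        remediation.append("install updates: " + ", ".join(sorted(missing)))
    if req.firewall_required and not client.firewall_enabled:
        remediation.append("enable host firewall")
    return AccessDecision("restricted" if remediation else "full", remediation)

def remediate(client: ClientHealth, req: HealthRequirements) -> ClientHealth:
    """Model of what a Remediation Server on the restricted network supplies."""
    return ClientHealth(max(client.av_signature, req.min_av_signature),
                        client.installed_updates | req.required_updates, True)

# Constructed policy and a stale client: old signatures, one missing update, firewall off.
POLICY = HealthRequirements((2008, 3, 15), frozenset({"KB000001", "KB000002"}), True)
STALE_CLIENT = ClientHealth((2008, 1, 2), frozenset({"KB000001"}), False)

if __name__ == "__main__":
    first = evaluate_health(POLICY, STALE_CLIENT)
    print(first.access, first.remediation)          # restricted, three remediation items
    second = evaluate_health(POLICY, remediate(STALE_CLIENT, POLICY))
    print(second.access)                             # full, after the client re-requests access
```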
External links
- Microsoft's Network Access Protection Web page
- Microsoft's Network Access Protection Web page on Microsoft Technet
- NAP Blog on Microsoft Technet