Network Access Protection (NAP) in Windows Vista

Written by Peter Y. Moss. Published March 2007.



Business versions of Windows Vista include Network Access Protection (NAP) to keep a Windows Vista–based client off your private network if the client lacks current security updates and virus signatures or otherwise fails to meet your computer health requirements. NAP reduces the exposure of both the client and the network to vulnerabilities that an unpatched or unprotected client would otherwise introduce. One caveat to keep in mind: NAP is a compliance mechanism, not a security boundary. The client reports its own health, so a deliberately hostile or already compromised machine can misreport it; NAP is designed to catch misconfigured and out-of-date clients, not malicious ones. (NAP was later deprecated by Microsoft, starting with Windows Server 2012 R2, and is not present in current Windows releases.)

Understanding Network Access Protection

Network Access Protection can be used to protect your network from local clients as well as remote access clients. At the heart of this feature are three components:

  • Network Access Protection Agent  A software component that allows a client running Windows to participate in Network Access Protection. On Windows Vista it runs as the Network Access Protection Agent service (service name napagent); if the service is stopped, no enforcement client can function.

  • NAP Client Configuration  A configuration tool that is used to define and enforce NAP requirements on clients. This tool is also used to specify health registration settings and designate trusted servers.

  • NAP Server Configuration  The server-side configuration, performed on the NAP health policy server (Network Policy Server on Windows Server 2008), used to manage NAP, define the health requirements clients must meet, and decide what happens to clients that fail them.

The Network Access Protection Agent assembles a statement of health for the client computer and passes it, through whichever enforcement client is in use, to the health policy server for evaluation. The statement covers the client’s overall security health, such as whether the client has current security updates and up-to-date virus signatures installed. With IPsec enforcement, the client presents its statement of health to a server called a Health Registration Authority, which obtains a health certificate for a compliant client; the cryptographic settings the client uses for that certificate request are configured through a designated Request Policy.

Request Policies can be configured to use:

  • Any of a variety of asymmetric (public key) algorithms, including Rivest-Shamir-Adleman (RSA), the Digital Signature Algorithm (DSA), and others.

  • Any of a variety of signed and unsigned hash algorithms, including RSA MD5 hashing and DSA SHA1 hashing.

  • Any of a variety of Cryptographic Service Providers, including the Microsoft Enhanced Cryptographic Provider version 1.0, the Microsoft Enhanced RSA and AES Cryptographic Provider, and the Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider.

A practitioner’s caveat on the hash choice: MD5 is cryptographically broken and SHA-1 is deprecated for signatures, so prefer a SHA-2 hash (such as SHA-256) where the selected provider and your certification authority support it, rather than accepting the MD5 or SHA1 defaults.

You can access the NAP Client Configuration tool by following these steps:

  1. Click Start, and then click Control Panel.

  2. In Control Panel, click the System And Maintenance category heading link, and then click Administrative Tools.

  3. Double-click NAP Client Configuration. (The same console can be opened directly by running napclcfg.msc.)

Using Network Access Protection

Using the NAP Client Configuration tool, administrators can configure separate enforcement clients for Dynamic Host Configuration Protocol (DHCP) clients, remote access (VPN) clients, and Terminal Services Gateway (TS Gateway) clients. Enforcement can also be configured for connections that authenticate with Extensible Authentication Protocol (EAP), such as 802.1X-authenticated wired and wireless connections, and for IPsec-protected communication. Which enforcement client you enable must match the enforcement method configured on the server side; an enforcement client enabled on the client with no corresponding server-side enforcement does nothing.

Administrators can use NAP to enforce health requirements for all computers that are connected to an organization’s private network, regardless of how those computers are connected to the network. You can use NAP to improve the security of your private network by ensuring that the latest updates are installed before users connect to your private network. If a client computer does not meet the health requirements, you can:

  • Prevent the computer from connecting to your private network.

  • Provide instructions to users on how to update their computers. (In some cases, you can update their computers automatically.)

  • Limit access to your network so that noncompliant computers can reach only designated remediation servers (for example, update and antivirus signature servers) until they are brought up to date.

To allow NAP to be enforced when a computer is acting as a DHCP client, follow these steps:

  1. Start the NAP Client Configuration tool.

  2. In the left panel, select Enforcement Clients.

  3. Double-click DHCP Quarantine Enforcement Client.

  4. In the DHCP Quarantine Enforcement Client Properties dialog box, select the Enable This Enforcement Client check box.

You can enable enforcement for other types of connections using a similar procedure:

  • To enforce NAP for remote access (VPN) connections, open the NAP Client Configuration tool, double-click Remote Access Quarantine Enforcement Client, and then select the Enable This Enforcement Client check box.

  • To enforce NAP for Terminal Services Gateway connections, open the NAP Client Configuration tool, double-click TS Gateway Quarantine Enforcement Client, and then select the Enable This Enforcement Client check box.

  • To enforce NAP for EAP-authenticated connections, open the NAP Client Configuration tool, double-click EAP Quarantine Enforcement Client, and then select the Enable This Enforcement Client check box.
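The same enforcement-client settings can be applied from the command line with netsh, which is what you want for scripted or large-scale rollout. The following PowerShell script is an added example and is not from the original article or from Microsoft; it assumes an elevated prompt on a Windows Vista client, uses the documented netsh nap client enforcement-client IDs, and treats the choice of which clients to enable (DHCP and remote access here) and the exact line layout of netsh nap client show config (Name, ID, Admin lines per client) as assumptions for the demonstration.

```powershell
# Added example (not from the original article): enable NAP enforcement clients
# with netsh, the command-line equivalent of the NAP Client Configuration console,
# and verify the result. Run from an elevated PowerShell prompt.

# Documented netsh nap client enforcement-client IDs for the Windows Vista NAP client.
$EnforcementClients = @{
    79617 = 'DHCP Quarantine Enforcement Client'
    79618 = 'Remote Access Quarantine Enforcement Client'
    79619 = 'IPsec Relying Party'
    79621 = 'TS Gateway Quarantine Enforcement Client'
    79623 = 'EAP Quarantine Enforcement Client'
}

# Which enforcement methods this site uses: an assumption for the example.
# Enable only the ones that match the enforcement configured on the NAP server.
$ToEnable = 79617, 79618

# 1. The NAP Agent service (napagent) must be running, or no enforcement client works.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the selected enforcement clients. This is the same change as selecting
#    "Enable this enforcement client" in the console for each one.
foreach ($id in $ToEnable) {
    Write-Host "Enabling $($EnforcementClients[$id]) (ID $id)"
    & netsh nap client set enforcement ID = $id ADMIN = "ENABLE" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed to enable enforcement client $id"
    }
}

# 3. Verify by parsing the client configuration. Assumed layout: each enforcement
#    client is reported as a "Name = ...", "ID = ...", "Admin = Enabled|Disabled" group.
$config  = & netsh nap client show config
$states  = @{}
$current = $null
foreach ($line in $config) {
    if ($line -match '^\s*ID\s*=\s*(\d+)')            { $current = [int]$Matches[1] }
    elseif ($line -match '^\s*Admin\s*=\s*(\w+)' -and $current) {
        $states[$current] = $Matches[1]
        $current = $null
    }
}

# Report what is enabled, and fail loudly if a requested client did not take effect.
foreach ($id in $EnforcementClients.Keys | Sort-Object) {
    $state = if ($states.ContainsKey($id)) { $states[$id] } else { 'unknown' }
    Write-Host ("{0,-45} ID {1}  Admin = {2}" -f $EnforcementClients[$id], $id, $state)
}
foreach ($id in $ToEnable) {
    if ($states[$id] -ne 'Enabled') {
        throw "Enforcement client $id is not enabled after configuration"
    }
}
```

One check worth making before trusting the result: if NAP client settings are delivered by Group Policy, the local settings shown here are ignored in favour of the policy values, so run netsh nap client show grouppolicy as well and compare.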

You configure the actual NAP policies that apply to clients by using the NAP Server Configuration tool.
