Best Practices for Network Access Protection
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Use the following best practices for Network Access Protection (NAP) in Configuration Manager 2007, and see also Network Access Protection Security Best Practices.
Confirm the successful installation of software updates on the unrestricted network using the software updates feature in Configuration Manager before configuring software updates for Network Access Protection.
Successful remediation of Configuration Manager clients that are non-compliant with software updates relies on the standard software updates operation. If the software updates feature is not operating correctly before Network Access Protection is introduced, there is a high risk that clients will fail to regain access to the unrestricted network, and troubleshooting will be more difficult.
For more information about configuring the software updates feature, see Software Updates in Configuration Manager.
Confirm Windows Network Access Protection is working with successful remediation before introducing Configuration Manager Network Access Protection.
Several step-by-step guides are available from the Windows Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125). Use these guides to confirm that your Windows Network Access Protection infrastructure is operational with the Windows system health agent and system health validator—for example, by disabling the Windows firewall on a test client and confirming that it is automatically re-enabled. If the underlying Windows infrastructure is not operating correctly, Network Access Protection in Configuration Manager cannot be successful.
Plan for how to install the Configuration Manager client on the restricted network by providing manual remediation steps on the troubleshooting Web site.
Automatic remediation in Configuration Manager cannot include repairing or installing the Configuration Manager client. When health policies include the Configuration Manager System Health Validator, NAP-capable computers that do not have a Configuration Manager client installed will fail the compliance check. As a result, these computers can have limited network access with no automatic remediation available to them.
This means that the Configuration Manager client must be installed manually (or that exemption policies are configured for the computer). Have an installation script available on the in-house Network Access Protection Web site so that users can install the Configuration Manager client themselves.
Streamline this installation script so that installation is as efficient as possible, particularly if users are connecting over a slow network, such as a virtual private network (VPN).
For more information about the Windows Network Access Protection troubleshooting Web site, see Configuring the Remediation User Experience for Configuration Manager Network Access Protection.
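The following is an added example of such a self-service installation script; it is not part of the Configuration Manager documentation. The site code, management point name and client source share are assumed placeholder values, and the script uses only the ccmsetup.exe options documented for Configuration Manager 2007.

```powershell
# Added example (not Microsoft's code): self-service Configuration Manager 2007
# client installer for the in-house NAP remediation Web site.
# Assumed values (placeholders): site code "ABC", management point
# "SMSMP01.corp.example", client source share on that server.
param(
    [string]$SiteCode        = 'ABC',
    [string]$ManagementPoint = 'SMSMP01.corp.example',
    [string]$ClientSource    = '\\SMSMP01.corp.example\SMS_ABC\Client'
)

$ErrorActionPreference = 'Stop'

# 1. Stop early if the client is already present. Reinstalling wastes the
#    user's restricted-network bandwidth and does not address a failed
#    System Health Validator check caused by missing software updates.
if (Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue) {
    Write-Host 'Configuration Manager client is already installed; nothing to do.'
    exit 0
}

# 2. The restricted network must allow the computer to reach the management
#    point and the source share; otherwise ccmsetup retries silently for a
#    long time. Fail fast with a message the Help Desk can act on.
if (-not (Test-Connection -ComputerName $ManagementPoint -Count 1 -Quiet)) {
    Write-Error "Management point $ManagementPoint is not reachable from this network."
}
$ccmsetup = Join-Path $ClientSource 'ccmsetup.exe'
if (-not (Test-Path $ccmsetup)) {
    Write-Error "ccmsetup.exe was not found at $ClientSource."
}

# 3. Run ccmsetup with only the properties needed for a first install.
#    /source: points at a share the restricted network can reach, so the
#    installation files do not have to be pulled over the VPN twice.
$arguments = @(
    "/mp:$ManagementPoint",
    "/source:$ClientSource",
    "SMSSITECODE=$SiteCode",
    "SMSMP=$ManagementPoint"
)
$proc = Start-Process -FilePath $ccmsetup -ArgumentList $arguments -Wait -PassThru

# Exit code 0 means the ccmsetup bootstrap succeeded; the client install then
# continues in the background and is recorded in ccmsetup.log.
if ($proc.ExitCode -ne 0) {
    Write-Error "ccmsetup.exe returned exit code $($proc.ExitCode); review ccmsetup.log."
}
Write-Host 'Client installation started. Health is re-evaluated once the client registers with the site.'
```

The script must run with administrative rights, and the management point and share it uses must be included in the remediation server group that non-compliant computers are permitted to reach.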
Test average remediation times to set expectations.
If your network policies remediate non-compliant computers on the restricted network, it is important to know how long computers might have limited network access and to confirm that this is an acceptable interruption to business continuity. Inform Help Desk engineers and end users, if applicable, of how long it might take for a non-compliant computer to regain full network access so that they understand the length of the delay during normal operation and do not call the Help Desk unnecessarily.
Educate users in advance to encourage them to install software updates before the NAP effective date.
Providing users with an opportunity to install the software updates themselves, or having the software updates feature automatically install critical software updates on the unrestricted network, is always preferable to limiting network access. Consider a communication method to notify users which software updates are marked for Network Access Protection, warn them of the date by which their computers might have limited network access if they are not compliant, and then provide instructions for how they can ensure that their computers are compliant. This notification can help to increase compliance levels and reduce user dissatisfaction if computers remain non-compliant and consequently have limited network access until remediated.
Identify computers that should not have the Configuration Manager client installed, and configure exemption policies on the Network Policy Server.
If some computers should not have the Configuration Manager client installed, they will require exemption policies. For more information, see Determine Your Policy Strategy for Network Access Protection and Configuring Exemption Policies for Configuration Manager Network Access Protection.
Do not install the WSUS system health agent on a computer that has the Configuration Manager client installed with the Network Access Protection client agent enabled.
Both the WSUS system health agent and the Network Access Protection client agent connect to a WSUS server and perform the same job of keeping a computer compliant with software updates. Using both system health agents together can result in conflicting configuration and unnecessary processing.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.