Network Access Protection
Published: April 17, 2009
Updated: December 1, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Network Access Protection (NAP) is a technology available in Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008. NAP enforces health requirements on client computers that are attempting to connect to a network. Health requirements can include items like ensuring that the client is configured with up-to-date antivirus protection, and that all of the available critical security updates have been installed.
NAP includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. When NAP determines that a client does not comply with the health requirements, NAP helps to protect other computers on the network by restricting network access for non-compliant computers. Typically, access for non-compliant computers is limited to only those servers that can provide remediation, such as a Windows Server Update Services (WSUS) server, or a server that can provide updated antivirus definition files. NAP does not allow unlimited network access until the client computer has been brought back into compliance.
NAP can use Windows Firewall with Advanced Security to enforce policy as part of a larger isolation strategy. Typically, NAP is implemented in a manner similar to an isolated domain, but requires computer certificates instead of Active Directory domain-based Kerberos for authentication. Only computers that are determined to be “healthy” are provisioned with the computer certificate that is required to authenticate. Network traffic from computers that are not “healthy” is dropped. Servers that can provide remediation by providing antivirus updates or the latest security updates are the only computers that are configured to accept unauthenticated traffic.
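The isolation pattern described above (healthy computers authenticate with a certificate, unauthenticated traffic is dropped everywhere except at the remediation servers) is expressed in Windows Firewall with Advanced Security as connection security rules. The following is an added example, not configuration from the original page: it uses `netsh advfirewall consec`, which exists on Windows 7 and Windows Server 2008 R2, and the CA name and server address in it are constructed placeholders that must be replaced with your own NAP health certificate CA and remediation server.

```powershell
# Added example (not from the original page). Run in an elevated prompt.
# Assumptions (replace before use):
#   - "CN=Example NAP Health CA" is the issuing CA of the NAP health certificates (constructed name)
#   - 10.0.0.20 is the WSUS / antivirus remediation server (constructed address)

# 1. Rule for computers in the secure network: require authenticated inbound
#    traffic, request (but do not insist on) authentication outbound.
#    auth1healthcert=yes restricts the accepted computer certificates to those
#    carrying the System Health Authentication EKU, so a plain machine
#    certificate from the same CA is not enough to get in.
netsh advfirewall consec add rule `
    name="NAP - Require health certificate inbound" `
    endpoint1=any endpoint2=any `
    profile=domain mode=transport `
    action=requireinrequestout `
    auth1=computercert `
    auth1ca="CN=Example NAP Health CA" `
    auth1healthcert=yes

# 2. Rule for the remediation (boundary) servers: request authentication in
#    both directions so healthy peers still get IPsec, but accept unauthenticated
#    traffic from non-compliant clients that have no health certificate yet.
#    Apply this rule on the remediation server instead of rule 1.
netsh advfirewall consec add rule `
    name="NAP - Boundary server accepts unauthenticated" `
    endpoint1=any endpoint2=any `
    profile=domain mode=transport `
    action=requestinrequestout `
    auth1=computercert `
    auth1ca="CN=Example NAP Health CA" `
    auth1healthcert=yes

# 3. Checks a defender would run on a client.
# Does this machine currently hold a health certificate? The System Health
# Authentication EKU is OID 1.3.6.1.4.1.311.47.1.1.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.47.1.1' } |
    Select-Object Subject, NotAfter

# Are the rules in place, and are IPsec security associations actually being
# established with peers? An empty SA list on a machine that should be "healthy"
# usually means the certificate was never issued or has expired.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Because rule 1 only *requests* authentication outbound, a non-compliant client can still reach the remediation server at 10.0.0.20 (which accepts unauthenticated traffic under rule 2), while every other computer in the secure network drops its inbound packets; once the client is remediated and receives a health certificate, the same rules let it negotiate IPsec with the rest of the network without any further change.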