Protect Corporate Headquarters from Noncompliant Computers

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

NAP provides a means for network administrators to enforce compliance with network health policies. By keeping client computers in compliance with the policies you create and restricting the access of computers that are noncompliant, NAP can provide an enhanced level of protection for the corporate headquarters. Although NAP can reduce the attack surface of your network and help to mitigate the risk of malicious software by providing defense-in-depth, you should not rely on NAP to secure a network from malicious users. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network. Securing the network against unauthorized or malicious users remains the administrator's responsibility.

Protection provided by NAP

NAP protects corporate headquarters by restricting the access of noncompliant or non-NAP-capable computers to network resources and by enhancing the defensive capability of client computers, making client computers less vulnerable to unauthorized access and malicious software.

With NAP, access restriction means that noncompliant client computers are granted access to only the resources that you specify. The type of access restriction provided by NAP depends on the enforcement method you use. The following table lists the network restriction method and the protection provided by each enforcement method:

NAP enforcement method   Network restriction method                            Protection provided
IPsec enforcement        IPsec policies                                        Protects resources by requiring authenticated inbound connections.
802.1X enforcement       Virtual LAN (VLAN) or access control list (ACL)       Protects resources accessed using IEEE 802.1X-authenticated wireless or wired devices.
VPN enforcement          IP packet filters                                     Protects resources accessed using a virtual private network (VPN) connection.
DHCP enforcement         Classless IP subnet and removal of default gateway    Protects resources accessed using an IP address provided by a NAP-enabled DHCP server.
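The DHCP row of the table describes a concrete, checkable client state: a noncompliant client is handed a host-only subnet mask (255.255.255.255, prefix length 32) and no default gateway, with classless static routes (DHCP option 121, or Microsoft's option 249) pointing at the remediation servers. The following PowerShell is an added example, not code from the original page or from the NAP product, that classifies each DHCP-assigned IPv4 address on a Windows 8 / Windows Server 2012 or later client against those markers. The function and parameter names are this example's own; the objects it consumes are the output of the real Get-NetIPAddress and Get-NetRoute cmdlets (NetTCPIP module), and netsh nap client show state is the NAP client's own status command.

```powershell
# Added example; not part of the original page. Reports whether each
# DHCP-assigned IPv4 address on this client is in the NAP restricted state:
# prefix length 32 (mask 255.255.255.255) and no default route on the interface.
# Remaining non-local routes on that interface are listed as the classless
# static routes that lead to remediation servers.
# Requires the NetTCPIP module (Windows 8 / Windows Server 2012 and later).
function Test-NapDhcpRestriction {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $IPAddresses,   # Get-NetIPAddress output
        [Parameter(Mandatory)] [object[]] $Routes         # Get-NetRoute output
    )

    $dhcpV4 = $IPAddresses | Where-Object { $_.AddressFamily -eq 'IPv4' -and $_.PrefixOrigin -eq 'Dhcp' }
    foreach ($ip in $dhcpV4) {
        $ifRoutes = $Routes | Where-Object {
            $_.InterfaceIndex -eq $ip.InterfaceIndex -and $_.AddressFamily -eq 'IPv4'
        }

        # A 0.0.0.0/0 route on the interface means the default gateway was not removed.
        $hasDefaultGateway = [bool]($ifRoutes | Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' })

        # Everything that is not the default route, the client's own host route,
        # the limited-broadcast route or the multicast route is a route the DHCP
        # server pushed; under NAP these are the paths to the remediation servers.
        $localPrefixes = @('0.0.0.0/0', "$($ip.IPAddress)/32", '255.255.255.255/32', '224.0.0.0/4')
        $remediationRoutes = @($ifRoutes |
            Where-Object { $_.DestinationPrefix -notin $localPrefixes } |
            ForEach-Object { $_.DestinationPrefix })

        [pscustomobject]@{
            InterfaceIndex    = $ip.InterfaceIndex
            IPAddress         = $ip.IPAddress
            PrefixLength      = $ip.PrefixLength
            HasDefaultGateway = $hasDefaultGateway
            Restricted        = ($ip.PrefixLength -eq 32) -and (-not $hasDefaultGateway)
            RemediationRoutes = $remediationRoutes
        }
    }
}

# Run against the live configuration of this client.
$report = Test-NapDhcpRestriction -IPAddresses (Get-NetIPAddress) -Routes (Get-NetRoute)
$report | Format-Table -AutoSize

# If any interface is restricted, ask the NAP agent which health requirement failed.
if ($report | Where-Object { $_.Restricted }) {
    netsh nap client show state
}
```

Because the function takes the address and route objects as parameters rather than calling the cmdlets itself, it can also be fed captured or constructed objects from a machine under investigation. Keep in mind the caveat the page itself states: a client that clears DHCP enforcement by setting a static address bypasses this mechanism entirely, which is why DHCP enforcement is the weakest of the four methods.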

If a NAP client is determined to be noncompliant with network health policy, it is prevented from contacting protected resources either at the point of network access or, for IPsec enforcement, on a peer-to-peer basis. The point of access can be local, remote, or over the Internet. See the following diagram.

[Diagram: NAP can protect the corporate headquarters at multiple access points]

Each NAP enforcement method works differently to protect the network. NAP with IPsec enforcement protects corporate resources at the host level, per connection, by requiring IPsec authentication with a health certificate for inbound communications. NAP with 802.1X enforcement protects the network with port-based access control on the switch or wireless access point. VPN enforcement protects remote connections to the corporate headquarters by applying IP packet filters to the VPN session. DHCP enforcement controls LAN access through the client computer's IP address configuration: a noncompliant client receives a host-only subnet mask and no default gateway. Enforcement methods can also be combined to provide protection at multiple points of access.
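For IPsec enforcement, the host-level protection described above is a connection security rule that requires authentication for inbound traffic and only requests it for outbound traffic, so that a host can still reach remediation and non-NAP resources. The following PowerShell is an added example, not code from the original page or from the NAP product, that creates such a rule with the Windows NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later, elevated prompt). The root CA subject is a placeholder to replace with the root of your Health Registration Authority's issuing chain; the -Health switch restricts acceptable certificates to NAP health certificates, so a peer that has not passed a health check cannot authenticate inbound even if it holds an ordinary computer certificate from the same CA.

```powershell
# Added example; not part of the original page. Configures the "secure server"
# style rule that NAP IPsec enforcement relies on: inbound connections must
# authenticate with a NAP health certificate, outbound connections request
# protection but fall back to clear text. Requires the NetSecurity module and
# an elevated prompt.

# Assumption: replace with the root CA of your HRA's health certificate chain.
$healthCaSubject = 'CN=Contoso NAP Root CA'

# Phase 1 (main mode) authentication: computer certificate chained to the named
# root that also carries the health certificate usage (-Health).
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $healthCaSubject -AuthorityType Root -Health
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'NAP health certificate (machine)' -Proposal $proposal

# The rule itself: require authentication inbound, request it outbound, all
# traffic on the domain profile. Transport mode is the cmdlet's default.
New-NetIPsecRule -DisplayName 'NAP IPsec enforcement - secure server' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Domain -Enabled True

# Verification: main mode security associations currently established with peers,
# with the identity the remote side presented (its certificate subject).
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId | Format-Table -AutoSize
```

Two practical checks follow from this configuration. First, a compliant client's health certificate is short-lived and renewed by the HRA after each successful health evaluation, so a peer whose main mode SA disappears and cannot be re-established is usually one that failed a later health check. Second, because outbound is only Request, exempt the boundary network (HRA, remediation servers, DNS, domain controllers) from the Require rule or noncompliant clients will have no path to remediation.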

Whichever enforcement method you use, NAP protects corporate resources by tying network access to health compliance and by enabling administrators to monitor and report on compliance measurements.

  • Authorization tied to health: All NAP enforcement methods protect the corporate network by ensuring that only compliant computers have unrestricted network access. For example, by ensuring that recent antivirus and anti-malware updates have been installed before a computer gains access, NAP helps to prevent the spread of malicious software. By combining health compliance with automatic remediation and dynamic network access, NAP lets administrators apply network health policies in a way that helps minimize risk on the network.

  • Compliance reporting and tracking: NAP allows you to build a health profile for your network that identifies the severity and location of potential threats. By tracking health compliance at different times and locations in your network, you are better able to evaluate threats and prioritize efforts to improve network health. Tracking and reporting health compliance can highlight security weaknesses that were previously unknown or perceived as less severe, so that you can address issues before they cause harm to your network.