Design an Exception Management Strategy
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
Before you deploy NAP, you must consider how to deal with client computers, servers, and other network devices that must be exempt from health checks. For example, you can choose to exempt domain controllers from health checks so that their network access is not limited. The following components are commonly made exempt from health checks:
Lab computers. Their access might already be restricted and they might have software requirements that are different from other computers on your network.
Servers. With some exceptions, they are not NAP clients because there is already a process in place to maintain them and keep them secure. Because servers must maintain high availability to function properly, you can exempt them from NAP health checks. For more information, see Appendix A: NAP Requirements.
Critical users. Do you have users who must be granted access at all times? Exceptions can be granted on a user or computer basis.
NAP-incapable devices. Networks often have a variety of devices that connect and access services, some of which are NAP-capable and some of which are not. Be sure to inventory these devices and account for the required NAP exceptions in your design.
The following are methods that you can use to filter computers and users for NAP exceptions:
User groups. You can exempt users who belong to a given security group. This method is available only when you are using 802.1X or VPN enforcement.
Machine groups. You can exempt computers that belong to a given security group.
Connection. You can exempt a range of IP addresses, a type of connection, or an authentication method.
RADIUS clients. You can exempt clients that connect through a specified network access point.
MAC address. You can exempt devices with certain MAC addresses and use pattern-matching syntax to exempt a group of MAC addresses.
Operating system. You can exempt devices running a specified version of the operating system.
The way in which you implement NAP exemptions will depend on the enforcement method. For example, you might use auto-enrollment of certificates to exempt a group of computers from NAP with IPsec enforcement. Exceptions are typically conditions in NPS network policies that grant access based on client credentials, but you can also exempt users or devices from health checks directly. For example, a server might be connected to a non-802.1X-authenticating switch port with access to the compliant computer’s VLAN.