Network Access Protection (NAP)

Applies To: Windows Server 2008, Windows Server 2008 R2

In this section

Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in Windows Vista and Windows Server 2008. With NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network.

When you deploy NAP, a server running Network Policy Server (NPS) serves as a health policy server. You create health policies in NPS that specify the required configuration of NAP-capable computers that connect to your network, and then configure one or more network policies with the health policy. NPS then performs health checks while processing the network policy and performing authorization.


In Windows Server 2003, network policies were named remote access policies.

NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are noncompliant with health policy, and remediating noncompliant client computers to bring them into compliance with health policy before they are granted full network access. NAP enforces health policies on client computers that are attempting to connect to a network; NAP also provides ongoing health compliance enforcement while a client computer is connected to a network.

NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set for adding components to NAP clients and NPS servers that check a computer's health, enforce network health policy, and remediate noncompliant computers to bring them into compliance with health policy.

By itself, NAP does not provide components to verify or remediate a computer's health. Other components, known as system health agents (SHAs) and system health validators (SHVs), provide client computer health state inspection and reporting, validation of client computer health state compared to health policy, and configuration settings to help the client computer become compliant with health policy.

The Windows Security Health Agent (WSHA) is included in Windows Vista as part of the operating system. The corresponding Windows Security Health Validator (WSHV) is included in Windows Server 2008 as part of the operating system. By using the NAP API set, other products can also implement SHAs and SHVs to integrate with NAP. For example, an antivirus software vendor can use the API set to create a custom SHA and SHV. These components can then be integrated into the NAP solutions that customers of the software vendor deploy.

If you are a network or system administrator planning to deploy NAP, you can deploy NAP with the WSHA and WSHV that are included with the operating system. You can also check with other software vendors to find out if they provide SHAs and SHVs for their products.

For more information, see Network Access Protection in NPS in the NPS Help in the Windows Server 2008 Technical Library at