Implement Network Access Protection with Windows Server 2008

Today we live in the era of the mobile workforce. With PDAs, cell phones and Laptops with cellular links to the Internet we are never truly out of touch. We can email, text, Facebook and Twitter ourselves to death 24 hours a day. The challenge for Network Administrators is how to preserve security when someone wants to reconnect their laptop or desktop to the corporate network.  Is that computer infested with viruses, malware and worms? Has that computer been updated with the latest security patches? Is the systems firewall enabled?

Network Admins that worry about such things are right to be concerned. The Internet has thousands of spyware, trojans and other threats that can attack an unpatched system. When that computer reattaches to the network these exploits can instantly spread and infect other computers. What can be done to protect against this threat?

Microsoft and Cisco have co-developed a new Network Access Protection Platform Architecture that can ensure that no computer can access the network that does not meet the requirements of that network’s health policy. The health policy can be customized to the requirements of the organization and can include an antivirus component, up to date security patches, firewall settings and even extended to criteria specified by 3rd party developers.

Windows Server 2008 is the Platform that does the heavy lifting for NAP. In a large implementation NAP server-side components can be spread across multiple servers in order to handle many clients requesting access. The central player on the server side is the Network Policy Server that stores the health requirement policy and issues health policy validations to health clients. NPS includes RADIUS server functionality which can authenticate, authorize and log connections made to the network. VPN, DHCP, Dial-up servers,  terminal server gateways, 802.1X compliant switches and wireless access points can all be RADIUS clients that send connection requests to the NPS server for approval. Network Access Protection also requires a Health Registration Authority (HRA) that obtains health certificates for healthy computers from a Certificate Authority.

Window Vista, Window XP service pack 3 and Server 2008 have the NAP client side components that send the computers health status to the NAP servers for evaluation. If a computer is deemed unhealthy it is directed to a Restricted Network where remediation servers automatically correct the health policy violations. Remediation servers include software update server and antivirus servers. Once the computer is brought in health policy compliance it is allowed full access to the internal network. Users of a healthy system will usually experience a slight delay during the health check.

Network Access Protection is a comprehensive solution that can guard you network against access by unsafe computers.  An informative white paper can be found at

-Mark Menges

Related Courses:

Defending Windows Networks

Configuring, Managing, and Maintaining Server 2008

In this article

Join the Conversation