This section presents other factors that should be taken into account when creating plans for deploying NAP.
The organization must decide which characteristics will be checked on client devices for them to be considered compliant. It may decide to check only what is already present on the client devices, or it may find it worthwhile to roll out additional system health check and remediation technologies alongside the NAP deployment. The NAP client is able to verify a range of items when conducting the system compliance check:
Are malware-prevention technologies, such as antivirus and antispyware software, enabled and up to date?
Are automatic updates for Windows-based computers enabled?
Are all current security updates installed?
Is a host-based firewall enabled and configured correctly?
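As an added example (not from this guide or from Microsoft), the following PowerShell script performs a local approximation of these four checks, which are the items the Windows Security Health Validator evaluates. It assumes Windows 8 / Windows Server 2012 or later for Get-NetFirewallProfile, the Security Center WMI namespace (present on client SKUs only) and the Windows Update Agent COM API; the productState bit decoding is an undocumented convention and is treated here as an assumption.

```powershell
# Added example: local health check mirroring the four NAP compliance items.
# Assumptions: Windows 8/Server 2012+ (NetSecurity module), root/SecurityCenter2
# (client SKUs), Windows Update Agent COM API, and the undocumented productState
# byte layout used below.

function Test-MalwareProtection {
    # Security Center registers each AV product with a packed productState value.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $hex = '{0:X6}' -f $p.productState
        $enabled  = $hex.Substring(2, 2) -in @('10', '11')   # assumption: middle byte 10/11 = real-time protection on
        $upToDate = $hex.Substring(4, 2) -eq '00'            # assumption: last byte 00 = signatures current
        if ($enabled -and $upToDate) { return $true }
    }
    return $false
}

function Test-AutomaticUpdates {
    # IAutomaticUpdatesSettings.NotificationLevel: 1 = disabled, 2..4 = automatic updating is on.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    return ($au.Settings.NotificationLevel -ge 2)
}

function Test-SecurityUpdatesInstalled {
    # Counts applicable but uninstalled updates in the "Security Updates" category.
    # Requires reachability to WSUS or Windows Update.
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $missingSecurity = @($missing | Where-Object {
        ($_.Categories | Select-Object -ExpandProperty Name) -contains 'Security Updates' })
    return ($missingSecurity.Count -eq 0)
}

function Test-HostFirewall {
    # "Configured correctly" is interpreted here as: every profile on, inbound default = Block.
    foreach ($pr in Get-NetFirewallProfile) {
        if ($pr.Enabled -ne 'True' -or $pr.DefaultInboundAction -ne 'Block') { return $false }
    }
    return $true
}

$results = [ordered]@{
    'Malware protection enabled and current' = Test-MalwareProtection
    'Automatic updates enabled'              = Test-AutomaticUpdates
    'Security updates installed'             = Test-SecurityUpdatesInstalled
    'Host firewall enabled and configured'   = Test-HostFirewall
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'compliant' } else { 'NON-COMPLIANT' })
}
```

Run it in an elevated session; on a NAP-enforced client the authoritative verdict still comes from NPS, so treat this as a pre-deployment triage tool for estimating how many devices will land in the restricted network.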
Network Access Protection Policies in Windows Server 2008 at http://www.microsoft.com/downloads/details.aspx?FamilyID=8e47649e-962c-42f8-9e6f-21c5ccdcf490&displaylang=en.
Chapter 15, "Preparing for Network Access Protection," in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.
The steps presented in this guide may imply that each enforcement technology will be implemented alone, but it is possible to use multiple enforcement methods simultaneously. An organization might invest additional resources into combining these enforcement technologies, because they have complementary strengths and weaknesses. RRAS can be used to enforce organizational compliance policies on remote client devices; IPsec could be used for local client devices. The 802.1X protocol and IPsec offer a particularly robust combination, because together they can restrict network connectivity at multiple layers of the network protocol stack. Keep in mind, however, that the complexity of the NAP deployment can increase when combining enforcement methods.
Table 3 illustrates potential ways to combine enforcement methods. The rows represent the primary NAP enforcement method, and the columns represent other methods that can be combined with it.
Table 3. Potential NAP Technology Combinations (rows: primary enforcement method; columns: method combined with it; ✓ = can be combined, X = not combined)

| Primary method | IPsec | 802.1X | VPN | DHCP |
|----------------|-------|--------|-----|------|
| IPsec          |       | ✓      | ✓   | ✓    |
| 802.1X         | ✓     |        | X   | ✓    |
| VPN            | ✓     | X      |     | X    |
| DHCP           | ✓     | ✓      | X   |      |
All NAP enforcement methods rely on NPS in Windows Server 2008 to validate the compliance status of NAP clients. Using DHCP enforcement requires the DHCP service in Windows Server 2008. Using IPsec enforcement requires the Health Registration Authority (HRA) service in Windows Server 2008. When 802.1X is used, the network devices (switches and wireless access points) must support both 802.1X and NAP. Using VPN enforcement requires RRAS in Windows Server 2008.