Windows Server 2008 Network Access Protection (NAP) Explained
NAP is a Server 2008 feature that lets computers be inspected against security policies set by an administrator before they receive full network access. If a computer does not meet the requirements it can be quarantined: with 802.1X enforcement it is placed on a separate VLAN; with DHCP-based enforcement it receives only a restricted IP configuration (an address with a 255.255.255.255 subnet mask, no default gateway, and host routes to the remediation servers only). DHCP enforcement only constrains clients that honour DHCP; a user who assigns a static IP address bypasses it entirely, which is why Microsoft documents it as the weakest of the enforcement methods. NAP was deprecated in Windows Server 2012 R2 and removed from Windows Server 2016, so treat this as background for existing deployments rather than a design to build on.
NAP Components
- Enforcement Client (EC)
The Enforcement Client (EC) is the computer being validated: a Windows Vista, Windows XP SP3 or Windows Server 2008 machine running the NAP Agent service (napagent). Only these systems are supported as enforcement clients because the NAP client and its System Health Agent component ship with them; earlier Windows versions have no NAP client.
- Enforcement Server (ES)
As the name implies, the Enforcement Server (ES) is the component that enforces the policy decision against clients in the NAP infrastructure. With DHCP enforcement it is the Server 2008 DHCP server; the actual health evaluation is delegated to a Server 2008 machine with the Network Policy Server (NPS) role installed, which acts as the NAP health policy server. A single server can hold both roles.
- System Health Agent (SHA)
This is the agent on the Enforcement Client (EC) that builds a statement of health (SoH) and sends it, via the Enforcement Server (ES), to NPS. The Windows Security Health Agent (WSHA), which reports the state of the Windows Security Center items (firewall, antivirus, automatic updates and so on), is included in Windows Vista and Windows XP SP3.
- System Health Validator (SHV)
This is the server-side component on NPS that validates the information from the SHAs against the administrator's health policy. The Windows Security Health Validator (WSHV) is the counterpart of the WSHA.
- Remediation Server
This server provides the resources a quarantined client needs to become compliant (for example a WSUS server or an antivirus signature server). Remediation servers must be reachable from the restricted network, otherwise quarantined clients can never fix what failed and be re-evaluated.
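The client-side components above can be inspected and enabled with netsh. The following is an added example, not code from the original article: it starts the NAP Agent service, enables the DHCP enforcement client and parses the "Client state" section of `netsh nap client show state` to report whether the client is currently restricted. The enforcement client ID 79617 is Microsoft's published ID for the DHCP Quarantine Enforcement Client; the field names "Status" and "Restriction state" are assumed to match the netsh output format, so adjust the parser if your build prints different labels. Run it elevated on a Vista, XP SP3 or Server 2008 client.

```powershell
# Added example (not from the original article): enable the DHCP enforcement
# client on a NAP client and read back its state with netsh.
# Assumptions: run elevated; netsh.exe present; the labels "Status" and
# "Restriction state" are those printed by "netsh nap client show state".

$DhcpEnforcementClientId = 79617   # DHCP Quarantine Enforcement Client (Microsoft ID)

function Enable-NapDhcpClient {
    # Without the NAP Agent service no enforcement client can send an SoH.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    # Enable the DHCP enforcement client so the SoH travels inside DHCP requests.
    netsh nap client set enforcement "ID=$DhcpEnforcementClientId" "ADMIN=ENABLE" | Out-Null
}

function Get-NapClientState {
    # Parse the "Client state:" section of the netsh output into Name = Value pairs.
    $lines = netsh nap client show state
    $state = @{}
    $inClientSection = $false
    foreach ($line in $lines) {
        if ($line -match '^Client state:') { $inClientSection = $true; continue }
        # Any other "Something:" header ends the client section.
        if ($inClientSection -and $line -match '^[A-Za-z].*:$') { break }
        if ($inClientSection -and $line -match '^\s*(.+?)\s*=\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    return $state
}

function Test-NapClientRestricted {
    $s = Get-NapClientState
    if ($s['Status'] -ne 'Enabled') {
        throw 'NAP client is not enabled; check the napagent service and the enforcement client.'
    }
    # Anything other than "Not restricted" means NPS placed this machine in quarantine.
    return ($s['Restriction state'] -ne 'Not restricted')
}

Enable-NapDhcpClient
(Get-NapClientState).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if (Test-NapClientRestricted) {
    Write-Warning 'This client has restricted network access; contact the remediation servers.'
}
```

On Vista the same settings are also exposed in the NAP Client Configuration console (napclcfg.msc) and through Group Policy; when a Group Policy setting is in effect, the "GroupPolicy" line in the netsh output reports it and local changes made with netsh are overridden.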
How Network Access Protection (NAP) Works
1. When a computer requests an IP address by DHCP, its NAP Agent attaches a statement of health (SoH) gathered from its system health agents (SHAs) to the DHCP request. The SHA and SHV for the Windows Security Center settings are included with Vista, XP SP3 and Server 2008.
2. The DHCP server forwards the SoH to the Network Policy Server as a RADIUS request.
3. The Network Policy Server compares the computer's health state with the policy set by the administrator and returns the result to the DHCP server. A compliant computer receives a normal lease; a noncompliant one receives a restricted lease (255.255.255.255 subnet mask, no default gateway, host routes to the remediation servers only) until it has remediated and renewed. Placing a computer on a quarantine VLAN is done only with 802.1X enforcement, where NPS returns VLAN attributes to the switch or wireless access point instead.
You can implement Network Access Protection (NAP) from Server Manager > Add Roles > Network Policy and Access Services, selecting the Network Policy Server role service. Network Policy Server is the Server 2008 role that handles NAP (it also replaces IAS as Microsoft's RADIUS server); the "Configure NAP" wizard in the NPS console then creates the health, connection request and network policies for the chosen enforcement method.
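The DHCP enforcement path in steps 1 to 3 above can be switched on from the DHCP server side and checked from the client side. The script below is an added example, not from the original article: run with -Server it enables NAP on the DHCP server and on one scope; run without it on a client it reports whether the lease the client holds is the restricted one NPS hands to noncompliant machines. The scope 192.168.10.0 is constructed for the example, and the `netsh dhcp server ... set napstate` syntax is assumed to be the Server 2008 form (confirm with `netsh dhcp server scope <network> set /?` before relying on it); NPS is assumed to be already configured as the NAP health policy server.

```powershell
# Added example (not from the original article): DHCP-based NAP enforcement
# from both ends. Assumptions: scope 192.168.10.0 is a constructed value;
# "set napstate" is the Server 2008 netsh dhcp syntax; NPS is already set up.
param(
    [switch]$Server,                        # run the DHCP-server part
    [string]$Scope = '192.168.10.0'         # constructed example scope
)

function Enable-DhcpScopeNap {
    param([string]$ScopeNetwork)
    # Both switches are needed: the server-wide NAP state and the per-scope state.
    netsh dhcp server set napstate Enable | Out-Null
    netsh dhcp server scope $ScopeNetwork set napstate Enable | Out-Null
}

function Test-NapRestrictedLease {
    # A restricted lease is recognisable on the client: the address arrives with a
    # 255.255.255.255 mask, no default gateway, and only host routes to the
    # remediation servers pushed through the DHCP classless static route option.
    $restricted = @()
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled }
    foreach ($nic in $nics) {
        $hostMask  = ($nic.IPSubnet -contains '255.255.255.255')
        $noGateway = (-not $nic.DefaultIPGateway)
        if ($hostMask -and $noGateway) { $restricted += $nic.Description }
    }
    return $restricted          # adapter descriptions holding a restricted lease
}

if ($Server) {
    Enable-DhcpScopeNap -ScopeNetwork $Scope
    "NAP enforcement enabled on scope $Scope"
} else {
    $r = Test-NapRestrictedLease
    if ($r) {
        Write-Warning "Restricted NAP lease on: $($r -join ', '). Run ipconfig /renew after remediation."
    } else {
        'No adapter holds a NAP-restricted lease.'
    }
}
```

Because the restriction is nothing more than a host-only lease, the client test above is also a reminder of the limit of this enforcement method: a machine that ignores DHCP and configures its own address and gateway is never evaluated, so DHCP enforcement is a compliance nudge rather than a boundary, and 802.1X or IPsec enforcement should be used where the quarantine must actually hold.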