9.4. The Purpose of Microsoft NAP

Unmanaged home computers that are not a member of the company's Active Directory Domain Services domain can connect to a managed company network through a VPN connection. Unmanaged home computers pose an additional challenge to administrators because administrators have no physical access to these computers. Lack of physical access makes enforcing compliance with health requirements (such as the use of antivirus software) even more difficult. However, with NAP, network administrators can verify the health state of a home computer every time it makes a VPN connection to the company network and limit its access to a restricted network until system health requirements are met.

The purpose of Microsoft NAP is virtually identical to that of Cisco Clean Access and the Cisco NAC Framework. It protects the corporate LAN from devices whose security posture is deficient. Microsoft describes NAP as follows:

With Network Access Protection, you can create customized health policies to validate computer health before allowing access or communication, to automatically update compliant computers to ensure ongoing compliance, and, optionally, to confine noncompliant computers to a restricted network until they become compliant.

Based upon the technical solution as it's been described in this chapter, let's now compare how the solution stands up to the various types of users who may be accessing the network.

9.4.1. Unauthorized Users

As with any LAN-based NAC/NAP solution, companies look at Microsoft NAP to control unauthorized access to their LANs. Used in conjunction with 802.1x, Microsoft NAP can prevent unauthorized access to the LAN or restrict unauthorized users to specific areas of the LAN. Microsoft NAP aside, using just an 802.1x solution can provide this functionality.

9.4.2. Authorized Users with Deficient Security Postures

Microsoft NAP can assess the security posture of devices in a number of different ways. The WSHA can provide information about the state of components included in the Windows Security Center, while vendor-specific SHAs from other security solutions can be used to communicate their state to the NAP Agent. If the security posture of the device is deficient, it can be restricted, or access to the network can be blocked. An opportunity to remediate the deficiency can be made available if access to remediation servers is provided while the device is in a quarantined state. The Microsoft NAP solution does not include a NAP-specific remediation server component.
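To make the assess-then-restrict flow concrete, here is an added illustration (not Microsoft code and not the NAP API): a small Python model in which each System Health Agent submits a Statement of Health, a policy evaluator checks the claims against a requirement set, and the resulting zone decides what the host may reach. The requirement names, the `AcmeHostIPS` vendor SHA and the 10.10.50.0/24 remediation subnet are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy: the Windows Security Center components a WSHA-style
# validator would check, plus one hypothetical vendor-specific SHA.
REQUIREMENTS = {
    "WSHA": {"firewall_enabled", "antivirus_on",
             "antivirus_signatures_current", "automatic_updates_on"},
    "AcmeHostIPS": {"hips_running"},
}

# Constructed remediation network: the only destinations a quarantined
# host is allowed to reach (NAP itself ships no remediation server).
REMEDIATION_SERVERS = [ip_network("10.10.50.0/24")]


@dataclass
class StatementOfHealth:
    sha_id: str      # which System Health Agent produced this SoH
    claims: dict     # component name -> True if healthy


@dataclass
class Decision:
    zone: str                       # "full", "restricted" or "blocked"
    failures: list = field(default_factory=list)


def evaluate(sohs, requirements=REQUIREMENTS, restrict_noncompliant=True):
    """Validate every expected SoH against the policy and pick an enforcement zone.

    A missing SoH counts as a failure: a host that cannot report its state
    is treated as non-compliant rather than trusted by default.
    """
    received = {soh.sha_id: soh.claims for soh in sohs}
    failures = []
    for sha_id, needed in requirements.items():
        claims = received.get(sha_id)
        if claims is None:
            failures.append(f"{sha_id}: no SoH received")
            continue
        for component in sorted(needed):
            if not claims.get(component, False):
                failures.append(f"{sha_id}: {component}")
    if not failures:
        return Decision("full")
    # Policy choice: quarantine with a path to remediation, or block outright.
    zone = "restricted" if restrict_noncompliant else "blocked"
    return Decision(zone, failures)


def may_reach(decision, destination):
    """Enforcement for the chosen zone: quarantined hosts see only remediation servers."""
    if decision.zone == "full":
        return True
    if decision.zone == "blocked":
        return False
    addr = ip_address(destination)
    return any(addr in net for net in REMEDIATION_SERVERS)


if __name__ == "__main__":
    # Constructed sample: one healthy laptop, one with stale AV signatures
    # and no vendor SHA installed.
    healthy = [
        StatementOfHealth("WSHA", {"firewall_enabled": True, "antivirus_on": True,
                                   "antivirus_signatures_current": True,
                                   "automatic_updates_on": True}),
        StatementOfHealth("AcmeHostIPS", {"hips_running": True}),
    ]
    stale = [
        StatementOfHealth("WSHA", {"firewall_enabled": True, "antivirus_on": True,
                                   "antivirus_signatures_current": False,
                                   "automatic_updates_on": True}),
    ]
    for name, sohs in (("healthy", healthy), ("stale", stale)):
        d = evaluate(sohs)
        print(name, d.zone, d.failures)
        print("  remediation server reachable:", may_reach(d, "10.10.50.7"))
        print("  file server reachable:      ", may_reach(d, "10.0.1.20"))
```

The `restrict_noncompliant` flag mirrors the choice the text describes between restricting a deficient device and blocking it; only the restricted zone leaves a path to remediation, so a deployment that blocks outright must remediate the host some other way.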

Figure 9-13. Microsoft NAP protection for mobile devices

9.4.3. Mobile Users

Mobile users can be assessed at two points with this solution. The first is when the user physically returns to the LAN, and the second is when the user VPNs back into the network. While this provides a layer of protection to the LAN, this solution does not provide any protection to the mobile device while the device is mobile. The assessment, quarantining, and remediation elements are not in play while the device is mobile. Figure 9-13 illustrates how Microsoft NAP protects the LAN from mobile devices as they attempt to gain access to the network.
