Sunday, February 10, 2008

Enterprise considerations for Microsoft Network Access Protection

Having an MS-NAP implementation in place will provide your network an extra level of protection at the entry point. There are certainly networks that need the maximum level of security for every point of connectivity; however, only the business or your technology situation can determine what you need from the perspective of network access protection. The MS-NAP implementation uses many different communication mechanisms if fully implemented. A strong point for MS-NAP is that the implementation can be utilized with some or all of the features and roles. In this article, we'll take a look at some of the things you need to take into consideration from an enterprise perspective.

Enforcement types for MS-NAP
If you are considering MS-NAP for your environment, you cannot invest enough time in the planning and testing phases. Deciding on the best enforcement type for a policy is critically important. The means of enforcing MS-NAP are varied in their functionality and complexity.

Enforcement types
The MS-NAP implementation can enforce the compliance policy through these four mechanisms:

VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client and performs the validation. This is not to be confused with Windows Server 2003's Network Access Quarantine Control feature.
DHCP: The DHCP server interacts with the policies from the NPS to determine the client's compliance.
IPSec: The IPSec enforcement of MS-NAP is Microsoft's strongest offering for network access protection. It enforces the policy and configures systems that are out of compliance with a limited-access local IP security policy for remediation.
802.1X: The MS-NAP client authenticates over an 802.1X authenticated network and is the best solution when integrating hardware from other vendors. Luckily, the 802.1X authentication protocol was developed jointly by Microsoft, Cisco, HP, Trapeze, and Enterasys.

Each enforcement type will direct a client that is out of compliance to the remediation network, where a resolution should be able to occur before the client accesses the desired network. The remediation network should be given some thorough planning. Making the remediation network a place where clients (managed or unmanaged) can obtain the requisite updates or programs without support staff intervention will be critical in making the entire MS-NAP implementation a success. Choosing an enforcement method is an important first step in a successful implementation.

Planning what can happen on the remediation network is very important as well. Ask whether updates can be accessed from this network; whether anti-virus updates and installations can be obtained there; and, most importantly, whether users can perform the required updates automatically or without involving the client support staff.

Network Policy Server (NPS) mastery
In planning an MS-NAP implementation, a deep understanding of the NPS role of Windows Server 2008 should be reached. This server role will determine where systems go based on their configuration. This is especially important because this server role touches other server roles or equipment, depending on the enforcement mechanism selected. The NPS role also acts as a RADIUS server for the MS-NAP clients.

Real-world administration effort and support
Many network administrators are overworked and find it hard to imagine when they could allocate the time to properly plan a network access protection system, much less fully test and implement such a solution. The common response from a quick, unscientific survey of network administrators is "It would be nice, but I don't have the time" for a network access protection solution. Regardless of whether it is a Microsoft or a networking company solution, the responses are fairly consistent.

From an ongoing support perspective, the MS-NAP implementation can go one way or the other. If the remediation network gives users a robust, intuitive way to become compliant, the support effort will be minimized for ongoing access to networks from systems that have dipped out of compliance.

Networking hardware support
If the 802.1X enforcement method is selected, a unique challenge is presented. This method is unique because it requires maintaining support for the MS-NAP implementation from both a networking hardware and a server operating system perspective. While the implementations offered by the networking hardware vendors provide 802.1X authentication for an individual port, it takes additional administrative effort to ensure end-to-end compatibility.

New services on clients and domain group policy objects
For the client elements using the MS-NAP implementation, there are new services and local configuration elements that are required to utilize the functionality. Pushing these configuration elements to managed systems through an Active Directory domain GPO is the best way to deploy to large numbers of existing systems. The new configuration elements for the MS-NAP implementation are not available in Active Directory domains running at the Windows Server 2003 functional level, but are available for Windows Server 2008 level domains. There are other ways to configure the new services for clients, but it is optimal to stay native in the domain Group Policy editor and link the new GPO to an OU or a domain.
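Before a GPO that enables an enforcement client is linked, it helps to confirm that the Windows services each enforcement type depends on are present and running on a pilot client. The following readiness check is an added example and not from the original post; it assumes a Windows Vista/Server 2008 or later client with the NAP agent installed, uses the standard Windows service names, and the mapping of enforcement type to services is this example's own.

```powershell
# Added example: report whether a NAP client is ready for one enforcement type.
# Service names are the standard Windows names; the enforcement-to-service
# mapping is this example's assumption, not a Microsoft-published list.
function Test-NapClientReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DHCP', 'VPN', 'IPSec', '802.1X')]
        [string]$Enforcement
    )

    # napagent (Network Access Protection Agent) is needed by every type;
    # each enforcement type then relies on its own transport services.
    $required = @{
        'DHCP'   = @('napagent', 'Dhcp')                          # DHCP Client
        'VPN'    = @('napagent', 'RasMan', 'EapHost')             # RAS + EAP
        'IPSec'  = @('napagent', 'PolicyAgent', 'BFE', 'IKEEXT')  # IPsec stack
        '802.1X' = @('napagent', 'dot3svc', 'EapHost')            # Wired AutoConfig + EAP
    }

    $results = foreach ($name in $required[$Enforcement]) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $cim = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $startMode = if ($cim) { $cim.StartMode } else { 'n/a' }
        [pscustomobject]@{
            Service   = $name
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status } else { 'Missing' }
            StartMode = $startMode
            # A service that is stopped or disabled will silently break enforcement.
            Ready     = [bool]($svc -and $svc.Status -eq 'Running' -and $startMode -ne 'Disabled')
        }
    }
    $results | Format-Table -AutoSize | Out-Host

    # The NAP agent reports which enforcement clients are enabled and initialized;
    # a type that is not enabled here will never be evaluated by NPS.
    netsh nap client show state | Out-Host

    # True only when every required service is present, running and not disabled.
    return -not ($results | Where-Object { -not $_.Ready })
}

# Usage: check a pilot client for the IPsec enforcement type.
Test-NapClientReadiness -Enforcement 'IPSec'
```

Run it on a pilot machine after the GPO is applied: a $false result points at a stopped or disabled service that the GPO or local configuration still needs to correct.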

It is not clear what implementation configuration would be required for Windows XP clients since Service Pack 3 is not yet available; nor is it clear how a Windows XP MS-NAP client would be managed -- if at all possible -- from a Windows Server 2008 functionality level Active Directory domain.
