Network Access Protection provides limited access enforcement components for the following technologies:

• Internet Protocol security (IPsec)
• IEEE 802.1x authenticated network connections
• Dynamic Host Configuration Protocol
• Virtual private networks (VPN)

How NAP works:

1. Client requests access to network and presents current health status

2. DHCP, VPN or Switch Router relays health status to Microsoft’s Network Policy Server

3. The Network Policy Server validates this against IT-defined health policies

4. If the machine is policy compliant, it’s given immediate access to the corporate network

5. If the machine is not policy compliant, it is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures, etc. Repeat 1-3.

On the Network Policy Server (NPS), administrators set the policy against which computer compliance will be measured before granting connecting computers access to the network. On the image below you can see which protection you can select onto the NAP protected client. For example you could decide that the client computer needs a firewall enabled, Antivirus enabled and up to date, Spyware protection enabled and up to date and if your client computer is updated through the WSus server we can enforce that the updates must be applied.

NAP Scenarios:

• Check the health and status of roaming laptops
• Ensure the health of desktop computers
• Determine the health of visiting laptops
• Verify the compliance and health of unmanaged home computers

Network Access Protection is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network.

Previous Posts in this series:

Part 5: Server Core

Part 4: Server Hardening

Part 3: Internet Information Services 7.0

Part 2: Windows PowerShell

Part 1: Server Management Improvements