One of the things Im most excited about with Windows Server 2003 R2 next year is the new Network Access Protection stuff. We had some of this stuff present when Windows Server 2003 shipped with the VPN quarantine service but now this takes it to a new level and will give you similar functionality on the LAN. Why is it important? Businesses have been hit with viruses and security breaches by contractors and employees bringing in notebook machines to the corporate LAN after they were infected on the their user's home broadband network. VPN Quarantine went part of the way to ensure that any machine that connected into the corporate network remotely got screened and checked to make sure that it complied with corporate policy. Though because of the physical transportation of the machine from home to work, this meant the traditional perimeter security strategy of many organisations fell down in the face of this “sneaker net” style of virus transportation. Enter Network Access Protection. As the doc says:
”...It will provide three key functions: network policy validation to determine whether the remote computers are compliant with the company’s security policy; network restriction to restrict access and provide necessary updates to allow the computer to “get healthy;” and network policy compliance to permit access to the network once the users’ computer meets policy requirements...“
So it goes further than just checking to see if the machine meets software patch and virus signature lists. It can also check to see whether a machine is even allowed on the LAN period. Think of the rogue access point that some interesting person has placed under their desk that you want to ensure doesnt get a Corporate IP address and start broadcasting...Defense in Depth!