Windows Server 2008 introduced a new PC protection technology that provides administrators an answer to a complex problem: How do you make sure that computers that use network resources are healthy? Network Access Protection (NAP) was engineered to provide an answer to this problem. For a more detailed understanding of NAP, go to http://blogs.technet.com/nap/ - Jeff Sigman maintains a remarkable site, with more real life information about NAP than you would ever imagine.
NAP offers many answers and opportunities for client health monitoring. One item worth looking at is a new Solution Accelerator that integrates Forefront Client Security (FCS) and NAP.
Quick Overview of the Microsoft Forefront Integration Kit for NAP
This Solution Accelerator was created to provide Forefront Client Security v1 the ability to work in harmony with NAP.
NAP provides out-of-the-box capability to monitor antivirus solutions using the Windows Security Health Agent (WSHA). However, its ability to distinguish between a full-fledged AV product such as FCS and a generic solution such as Bob and Doug's Famous AV does not exist. The WSHA was created to simply validate that an AV product was registered in Windows Security Center.
If I lost you in the last statement, think of it this way. Bob and Doug's Famous AV product is a fictional tool. However, if I were to write a small Visual Basic app that registered with Security Center as an AV tool, called it Bob and Doug's Famous AV, and installed it on a Windows Vista computer, the little status light in your Security Center (type 'Security Center' in the Start bar to see your Security Center status) would go from Red to Green.
And since the Windows SHA depends on this status, it would validate that an AV tool is installed and running and let you pass your health check.
The Forefront Client Security System Health Agent created by Solution Accelerators provides a much more integrated story. It's FCS-aware, which means that FCS must actually be installed and running properly—no funny stuff.
If you would like to read up on this Accelerator a bit more, you can find a more comprehensive description in this blog:
New Beta Available: Microsoft Forefront Integration Kit for Network Access Protection
The Customer Perspective
As with many projects at Microsoft, the best way to measure success is to have our customers provide us early feedback on our efforts. And feedback we got!
I'd like to highlight a few of the success stories for you.
Andrew from Allina Hospitals & Clinics has been using Forefront Client Security to protect his network assets, and he sought a way to ensure that computers protected by FCS stay protected. The integration with NAP provides this capability. In addition, he found that he can use NAP to provide a level of assurance to network jacks located in public areas such as conference rooms an added level of security.
Let's say you're concerned that anyone can walk into a conference room and jack in. If there is a virus on this person's computer, it now has the ability to infect your network. NAP provides the ability to create and enforce a simple policy such as "All conference room jacks require that you have an up-to-date installation of Forefront Client Security."
An 802.1x switch will provide NAP with the ability to enforce this health requirement on any computer that used the network port. In fact, all users who fail to comply can be placed into a managed network zone that gives them Internet access but protects the assets of the intranet. What a great idea!
Over the next week or so, I plan to provide several short follow-up blogs that showcase other great deployment stories.