Network Access Protection in SCCM 2007

  • Article

Network Access Protection (NAP) is a cool new feature of the next Windows Server release.  In short, NAP is a mechanism that allows administrators to configure policy that will control network accuss until client computers meet certain security requirements.  NAP policy is configured based on what System Health Validators (SHV's) are available to NAP.  The standard NAP implementation comes with the standard Windows SHV which can be used to check the configuration of Windows Firewall and whether Antivirus software is installed.  In addition to the standard Windows SHV, third party SHV's may be available as well. 

Once settings are configured, NAP compliance is evaluated when a system attempts to come on the network and, in some cases, perodically while the system is on the network.  There are three avenues for network access that trigger NAP evaluation - DHCP, RAS and IPSec.  If a client atttempts to renew or aquire a DHCP address, attempts to access the network via RAS or attempts to negotiate an IPSec session, a NAP check will be performed (depending on NAP configuration) to see if the system is allowed access.  If not, the system is allowed to attempt remediation so that it can become healthy and access the network.

More information regarding WIndows NAP may be found at https://www.microsoft.com/technet/itsolutions/network/nap/default.mspx

SCCM 2007 makes use of NAP by providing it's own SHV for use in evaluating software update compliance.  Using this SHV allows the SMS administrator to define software updates that are required to be installed prior to the system accessing the network.  If these software updates are not installed NAP will detect this and flag the client as unhealthy, which will generally trigger remediation, and the client will not be allowed on the network until the updates are applied.  It's important to note that software update evaluation is only one of several potential reasons a client may be noted as unhealthy by NAP and restricted from the network - so it is important to understand what SHV's are installed on NAP to fully understand all possible reasons a client can be deemed unhealthy.

I'll spend the next several entries discussing NAP as it relates specifically to the SMS SHV.  A good general illustration of NAP functionality with SMS can be found in the animated NAP process flow available at https://www.microsoft.com/downloads/details.aspx?familyid=bf4107e8-849d-48d3-a70a-ee258aeab28d&displaylang=en

Steve