You use the Network Policy Server, a component of Windows Server 2008, to configure NAP policies. As with other NAC solutions, the policies take the client's posture as the input to a policy decision, and that decision determines how much network access the client is granted. Enforcement is by 802.1X and VLAN assignment or by DHCP lease enforcement.
Policy configuration is simple due to its limited scope. For example, policies can only take into account device posture, without the per-port, time-of-day, and other fine-grained controls available in other systems. In short, NAP checks the status of antivirus software, antispyware software, a firewall, and automatic updating.
[ Microsoft NAP can be integrated with Cisco NAC or other NAC products to form a more complete solution. See "When NAC meets NAP." ]
Although the NAP platform is the same for both Windows XP and Windows Vista, Vista offers a few additional capabilities. Vista provides an administration console for local and Group Policy configuration, and the Windows System Health Agent (the built-in "client" piece of NAP) takes advantage of Windows Defender support in the Security Center. Plus, the underlying enforcement technologies include some advanced features, such as authenticated IP for IPSec and single-sign-on support for 802.1X.
Secure or obscure
Client devices are assigned to a VLAN based on their posture, so they may, for instance, be restricted to accessing remediation servers, the Internet, or other limited resources until they are corrected. VLAN assignment is a more secure approach than DHCP leases, but requires the complexity of an 802.1X implementation, which is often onerous for an entire organization.
DHCP enforcement is a mixed bag. By using IP address assignment to move devices around a network, you can expect safe devices to comply with your plan -- and rogues to find ways to apply static IP addressing to get around it. Many are likely to be tempted by the relative simplicity of DHCP-based enforcement, especially for smaller deployments, but it is simply the latest version of "security by obscurity," and therefore no security at all.
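One way to check for the static-addressing workaround described above is to compare the addresses actually in use on a segment against the DHCP server's active leases. The Python below is an added example, not part of the original article or of NAP itself; the lease and ARP records, the field names, and the `restricted` flag are constructed assumptions.

```python
from typing import NamedTuple

class Lease(NamedTuple):
    ip: str
    mac: str
    restricted: bool  # assumption: True when DHCP gave this client limited access

class Finding(NamedTuple):
    ip: str
    mac: str
    reason: str

def norm(mac: str) -> str:
    """Normalize MAC notation (00-11-... vs 00:11:...) before comparing."""
    return mac.lower().replace("-", ":")

def audit_addresses(leases, observed):
    """Flag (ip, mac) pairs seen on the wire that no active lease accounts for."""
    by_ip = {l.ip: l for l in leases}
    restricted_macs = {norm(l.mac) for l in leases if l.restricted}
    findings = []
    for ip, mac in observed:
        mac = norm(mac)
        lease = by_ip.get(ip)
        if lease is not None and norm(lease.mac) == mac:
            continue  # address was handed out by DHCP to this device
        if lease is not None:
            reason = "lease-held-by-other-mac"
        elif mac in restricted_macs:
            reason = "restricted-client-on-unleased-ip"
        else:
            reason = "no-lease"
        findings.append(Finding(ip, mac, reason))
    return findings

# Constructed sample data: active leases exported from the DHCP server ...
LEASES = [
    Lease("10.10.0.21", "00:11:22:33:44:01", False),
    Lease("10.10.0.22", "00:11:22:33:44:02", False),
    Lease("10.10.0.23", "00:11:22:33:44:03", True),   # failed its health check
]
# ... and (ip, mac) pairs read from a router or switch ARP table.
OBSERVED = [
    ("10.10.0.21", "00-11-22-33-44-01"),  # matches its lease
    ("10.10.0.50", "00:11:22:33:44:03"),  # restricted client, self-assigned IP
    ("10.10.0.60", "00:11:22:33:44:09"),  # never requested a lease
    ("10.10.0.22", "00:11:22:33:44:0A"),  # address leased to a different device
]

if __name__ == "__main__":
    for f in audit_addresses(LEASES, OBSERVED):
        print(f"{f.ip:<12} {f.mac}  {f.reason}")
```

Run on a schedule, a check like this turns the gap in DHCP enforcement into something you can at least see, though it detects the workaround rather than preventing it.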