Wednesday, January 25, 2012

Using Network Access Protection

Network Access Protection (NAP) has become a standard way of protecting a Windows environment. It is not only a policy for keeping infected computers off the network; it is a policy that pushes computers to comply with security and health requirements and so reduces the risk of malware spreading. Non-compliant clients can be restricted from accessing intranet resources or from communicating with compliant computers. Using NAP, IT administrators can require client computers to be healthy and to comply with corporate health requirement policies: for example, a client computer obtains a full connection to the intranet only if it has recent security updates, current anti-malware definitions, and the other required security settings.

With the IPsec enforcement method, NAP-enabled clients must present a health certificate for authentication when they establish a connection to a protected intranet host. The health certificate contains the computer's identity and proof that its system health complies with policy. A NAP-enabled client obtains the certificate by submitting its health state information (its Statement of Health) to a Health Registration Authority (HRA); the HRA passes that statement to the Network Policy Server (NPS) for evaluation and issues the certificate only if NPS reports the client as compliant. The HRA can be located on the Internet, or it can be an internal HRA server that the client reaches through the infrastructure tunnel.

With NAP in place, a non-compliant client computer, for example one that has become infected with malware, can still connect to the designated management servers (DNS servers, domain controllers, the HRA, and the remediation servers) through the infrastructure tunnel, but it cannot connect to any other intranet resource. Access to the remediation servers is crucial: it is what lets the client fix its non-compliant state (install the missing updates or definitions) and then obtain a valid health certificate.
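To make the client side of this concrete, here is an added example of configuring a Windows client for NAP IPsec enforcement and checking the result. It is not code from the original post or from the video lab. The HRA hostname hra.corp.example and the trusted server group name CorpHRA are assumptions; the enforcement client ID 79619 (IPsec Relying Party), the DomainHRA/hcsrwsrv.dll HRA path and the System Health Authentication EKU OID are the standard NAP values. Run it in an elevated PowerShell session on a domain-joined client.

```powershell
# Added example, not from the original post: enable the NAP IPsec enforcement
# client, point it at an HRA, and verify the client's NAP state.
# Assumed values (not in the original post): the HRA hostname and group name.
$hraUrl    = 'https://hra.corp.example/DomainHRA/hcsrwsrv.dll'  # assumed host; DomainHRA/hcsrwsrv.dll is the default HRA path
$groupName = 'CorpHRA'                                           # arbitrary trusted server group name

# 1. The NAP Agent service must be running, otherwise the client never
#    produces a Statement of Health and never asks the HRA for a certificate.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable only the enforcement client for the method actually deployed.
#    79619 = IPsec Relying Party (the health-certificate scenario above).
#    Other IDs: 79617 DHCP, 79618 remote access/VPN, 79621 TS Gateway, 79623 EAP.
netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"

# 3. Tell the client which HRA(s) it may submit its health state to.
#    Requiring HTTPS makes the client authenticate the HRA's server certificate
#    before it sends the Statement of Health.
netsh nap client add trustedservergroup name = "$groupName" requirehttps = "ENABLE"
netsh nap client add server group = "$groupName" url = "$hraUrl"

# 4. Check the configuration and the live state. In "show state" the
#    IPsec Relying Party entry should read Admin = Enabled, and the
#    restriction state tells you whether the machine is compliant or restricted.
netsh nap client show configuration
netsh nap client show state

# 5. A compliant client holds a health certificate in the computer store.
#    The certificate carries the System Health Authentication EKU
#    (OID 1.3.6.1.4.1.311.47.1.1); absence of such a certificate means the
#    client is restricted and can only reach the remediation servers.
$healthCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.47.1.1' }

if ($healthCerts) {
    $healthCerts | Select-Object Subject, NotAfter, Thumbprint
} else {
    Write-Warning 'No health certificate present: client is non-compliant or has not contacted the HRA yet.'
}
```

In a domain these settings are normally pushed with Group Policy (Computer Configuration, Windows Settings, Security Settings, Network Access Protection) rather than typed per machine; the netsh form is convenient in a lab and for checking a single client. Health certificates are short-lived, so a client that stops reaching the HRA drops back to restricted access when its certificate expires.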

The video installation tutorial and lab are available for viewing at http://youtu.be/yxNfo6KCSQY

By: Adnan Cartwright