Network Access Protection

Network Access Protection (NAP) is a Microsoft technology for controlling network access of a computer, based on its health. With NAP, system administrators of an organization can define policies for system health requirements. Examples of system health requirements are whether the computer has the most recent operating system updates installed, whether the computer has the latest version of the anti-virus software signature, or whether the computer has a host-based firewall installed and enabled. Computers with a NAP client will have their health status evaluated upon establishing a network connection. NAP can restrict or deny network access to the computers that are not in compliance with the defined health requirements. NAP was deprecated in Windows Server 2012 R2 and removed from Windows Server 2016.


Overview

The Network Access Protection Client Agent lets NAP-capable clients collect the state of their software updates and other health components into a statement of health. NAP clients are computers that report their system health to a NAP enforcement point. A NAP enforcement point is a computer or device that can evaluate a NAP client's health and optionally restrict network communications. NAP enforcement points can be IEEE 802.1X-capable switches or VPN servers, DHCP servers, or Health Registration Authorities (HRAs) that run Windows Server 2008 or later. The NAP health policy server is a computer running the Network Policy Server (NPS) service in Windows Server 2008 or later that stores health requirement policies and provides health evaluation for NAP clients. Health requirement policies are configured by administrators. They define criteria that clients must meet before they are allowed an unrestricted connection; these criteria may include the version of the operating system, a personal firewall, or an up-to-date antivirus program.

When a NAP-capable client computer contacts a NAP enforcement point, it submits its current health state. The NAP enforcement point sends the NAP client's health state to the NAP health policy server for evaluation using the RADIUS protocol. The NAP health policy server can also act as a RADIUS-based authentication server for the NAP client. The NAP health policy server can use a health requirement server to validate the health state of the NAP client or to determine the current version of software or updates that need to be installed on the NAP client. For example, a health requirement server might track the latest version of an antivirus signature file. If the NAP enforcement point is an HRA, it obtains health certificates from a certification authority for NAP clients that it deems to be compliant with the relevant requirements. NAP clients can be placed on a restricted network if they are deemed non-compliant. The restricted network is a logical subset of the intranet and contains resources that allow a noncompliant NAP client to correct its system health. Servers that contain system health components or updates are known as remediation servers. A noncompliant NAP client on the restricted network can access remediation servers and install the necessary components and updates. After remediation is complete, the NAP client can perform a new health evaluation in conjunction with a new request for network access or communication.
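The following Python model is an added worked example of the cycle just described (it is not part of the original article and not Microsoft's NAP code): a client submits a statement of health, the health policy server compares it with the health requirement policy, a non-compliant client is placed on the restricted network with a list of what the remediation servers must fix, and after remediation the client is evaluated again with a new access request. All class and field names and the sample policy values are constructed for this illustration.

```python
# Added illustration of the NAP health evaluation cycle described above.
# This is a self-contained model written for this page, not Microsoft's
# NAP implementation; all class names, field names and sample values are
# constructed for the example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HealthPolicy:
    """Health requirement policy held by the NAP health policy server (NPS)."""
    min_os_build: int          # minimum OS build considered up to date
    min_av_signature: int      # latest AV signature, as tracked by a health requirement server
    require_firewall: bool = True


@dataclass
class StatementOfHealth:
    """What a NAP client reports to the enforcement point."""
    host: str
    os_build: int
    av_signature: int
    firewall_enabled: bool


@dataclass
class Decision:
    """Result handed back to the enforcement point."""
    host: str
    compliant: bool
    network: str                               # "full" or "restricted"
    remediation: list = field(default_factory=list)


def evaluate(soh: StatementOfHealth, policy: HealthPolicy) -> Decision:
    """Compare a statement of health with the policy; list every failed requirement."""
    failures = []
    if soh.os_build < policy.min_os_build:
        failures.append(f"install OS updates (build {soh.os_build} < {policy.min_os_build})")
    if soh.av_signature < policy.min_av_signature:
        failures.append(f"update AV signature ({soh.av_signature} < {policy.min_av_signature})")
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("enable host firewall")
    compliant = not failures
    # Non-compliant clients go to the restricted network, which only reaches
    # the remediation servers that can fix the listed items.
    return Decision(soh.host, compliant, "full" if compliant else "restricted", failures)


def remediate(soh: StatementOfHealth, policy: HealthPolicy) -> StatementOfHealth:
    """Model a remediation server bringing the client up to the current policy."""
    return StatementOfHealth(
        host=soh.host,
        os_build=max(soh.os_build, policy.min_os_build),
        av_signature=max(soh.av_signature, policy.min_av_signature),
        firewall_enabled=soh.firewall_enabled or policy.require_firewall,
    )


def access_cycle(soh: StatementOfHealth, policy: HealthPolicy, max_rounds: int = 3) -> list:
    """Evaluate; if restricted, remediate and re-evaluate with a new access request.

    Returns one Decision per evaluation round.
    """
    history = []
    for _ in range(max_rounds):
        decision = evaluate(soh, policy)
        history.append(decision)
        if decision.compliant:
            break
        soh = remediate(soh, policy)
    return history


# Constructed sample policy and clients (values are illustrative only).
POLICY = HealthPolicy(min_os_build=7601, min_av_signature=20240501)
CLIENTS = [
    StatementOfHealth("ws-01", os_build=7601, av_signature=20240501, firewall_enabled=True),
    StatementOfHealth("ws-02", os_build=7600, av_signature=20240401, firewall_enabled=False),
]

if __name__ == "__main__":
    for client in CLIENTS:
        for round_no, d in enumerate(access_cycle(client, POLICY), start=1):
            print(f"{d.host} round {round_no}: {d.network:10s} {d.remediation}")
```

Run as a script, the compliant sample host is admitted to the full network in the first round; the second host is restricted with three remediation items, is brought up to policy, and is admitted on its second evaluation. The model deliberately keeps the three roles separate (policy, client report, enforcement decision) because that separation is what lets the health requirement server change the expected antivirus signature version without touching the enforcement point.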


NAP client support

A NAP client ships with Windows Vista, Windows 7, Windows 8 and Windows 8.1 but not with Windows 10. A limited NAP client is also included in Windows XP Service Pack 3. It has no MMC snap-in and does not support AuthIP-based IPsec enforcement. As such, it can only be managed via a command-line tool called netsh, and the IPsec enforcement is IKE-based only. Microsoft partners provide NAP clients for other operating systems such as macOS and Linux.


See also

* Access control
* Network Admission Control
* Network Access Control
* Network security
* Computer security
* PacketFence


External links


Microsoft's Network Access Protection Web page

Microsoft's Network Access Protection Web page on Microsoft Technet

NAP Blog on Microsoft Technet

Microsoft's Network Access Protection Design Guide on Microsoft Technet

Microsoft's Network Access Protection Deployment Guide on Microsoft Technet

Microsoft's Network Access Protection Troubleshooting Guide on Microsoft Technet