Vista: 10 notes for deploying NAP

The NAP function is built in Windows Longhorn Server and Windows Vista client operating systems. It enhances the "Network Access Isolation Control" feature in Windows Server 2003.

I. NAP is only a complementary function

NAP does not replace other network security mechanisms. It cannot prevent unauthorized users from accessing the network, but helps protect the network, attackers and malware from unauthorized users who connect to the network through unpatched, improperly configured, or unprotected computers.

2. Two deployment modes are available for NAP: monitoring mode and Isolation Mode.

If the monitoring mode is configured, even if the computer of the authorized user is found to be out of compliance with the policy, the user can still access the network, but the non-compliance will be recorded in the log, in this way, the administrator can instruct the user how to make the computer comply with the policy. In isolated mode, computers that do not comply with the policy can only have limited access to the network, on which they can find resources that comply with the policy.

3. You can select a policy-compliant standard for the computer connected to the network

Compliance with policy standards includes: requiring service packages and security patches, anti-virus software, anti-spyware protection, firewall and Windows automatic updates. These standards are configured in the system security validator (SHV) on the NAP server.

4. the NAP Server must run Windows Longhorn Server.

The NAP Server is a network policy server (NPS ). The NPS in Longhorn replaces the Internet Authentication Service (IAS) in Windows Server 2003 and provides verification and authorization functions. NAP services include: NAP management server and NAP execution server. The system security validator (SHV) runs on the NAP server.

5. NAP requires the client to install the NAP customer software

NAP customer software is built in Windows Vista. After Windows Longhorn Server is released, the NAP customer software for Windows XP should also be released. The System Security Proxy (SHA) runs on the client. If a computer on the network is running an operating system that does not support NAP, exceptions can be allowed, and the computers can still access the network without meeting the security requirements. If exceptions do not exist, computers that do not support NAP can only access the network.

6. Create a security statement (SoH) based on the security status of the client)

The NAP software submits SoH to SHV, and SHV communicates with the policy server to determine whether the security conditions provided in SoH meet the security policy requirements. If yes, allow the computer to fully access the network. If it does not match (in isolated mode), the computer can only have limited access to the network.

7. You can use the security certificate to verify compliance with the policy

In this case, you need to run the Longhorn server of Internet Information Service (IIS) and Certificate Service, act as the certificate management authority, and issue security certificates. The server is named HRA ). The NAP client sends SoH to HRA and then HRA sends it to the NPS server. After the NPS Server communicates with the policy server, check whether the SoH is valid. If valid, HRA issues a security certificate to the client, which can be used to establish an IPSec-based connection.

8. There are four NAP execution methods

IPSec execution depends on HRA And X.509 certificates. 802.1x execution relies on EAPHost NAP to execute the client, which is used to connect to clients through 802.1x access points (which can be wireless access points or Ethernet switches. Access Restricted configuration files are placed on clients that do not comply with the policy, and they are restricted to the restricted network by using packet filters or VLAN identifiers. VPN execution depends on the VPN Server. When the computer tries to connect to the network through VPN, it executes the security policy. DHCP execution depends on the DHCP server. When the computer rents or updates the IP address, the security policy is enforced. One, several, or all of the execution methods can be used on a network.

9. If the policy is not met, access to a computer connected to the network through one of the four methods will be restricted.

DHCP execution is the easiest and most comprehensive method, because most computers need to lease IP addresses (except computers with static addresses allocated), but IPSec execution is the safest method. After the computer's access is restricted, it can still access the DNS and DHCP servers and the remediation server. However, secondary DNS servers or forwarding servers can be placed on the restricted network, rather than the primary DNS server.

10. NAP is different from network access Isolation Control (NAQC) in Windows Server 2003)

NAP can be applied to all systems on the network, not just remote access to the client. With NAP, you can also monitor and control the security of visiting laptops and even desktops. It is easy to deploy, because it does not need to create custom scripts as NAQC does and use command lines for manual configuration. Third-party software vendors can use the nap api to develop security verification and network access restriction components that comply with the NAP. NAP and NAQC can be used at the same time, but NAP generally acts as a replacement for NAQC.

Windows Vista comes with a built-in anti-spyware program named Windows Defender, which is a necessary part of Vista's security reinforcement mechanism.