NAP functionality is built into Windows Longhorn Server and the Windows Vista client operating system, and it enhances the Network Access Quarantine Control feature of Windows Server 2003.
I. NAP is only a supplementary function
NAP does not replace other network security mechanisms. It does not stop unauthorized users from accessing the network; instead, it helps protect the network from attacks and malware originating from authorized users who connect with unpatched, misconfigured, or unprotected computers.
II. NAP has two deployment modes: monitoring mode and isolation mode
In monitoring mode, an authorized user's computer can access the network even when it is found not to comply with policy, but the non-compliance is logged so that the administrator can instruct the user on how to bring the computer into compliance. In isolation mode, computers that do not comply with policy are given only limited access to the network, where they can reach the resources needed to become compliant.
III. You can choose the compliance criteria for computers that connect to the network
Compliance criteria include requirements for service packs and security patches, antivirus software, anti-spyware protection, firewalls, and Windows Automatic Updates. These criteria are configured in the System Health Validator (SHV) on the NAP server.
IV. The NAP server must run Windows Longhorn Server
The NAP server is a Network Policy Server (NPS). NPS in Longhorn replaces the Internet Authentication Service (IAS) of Windows Server 2003 and provides authentication and authorization. NAP services include the NAP Administration Server and the NAP Enforcement Server. The System Health Validator (SHV) runs on the NAP server.
V. NAP requires NAP client software to be installed on the client
NAP client software is built into Windows Vista; after Windows Longhorn Server is released, NAP client software for Windows XP should also be available. The System Health Agent (SHA) runs on the client computer. If computers on your network run operating systems that do not support NAP, you can allow exceptions so that computers that cannot be evaluated against the security requirements can still access the network. If exceptions are not allowed, computers that do not support NAP get only limited access to the network.
VI. The client's security state is reported in a Statement of Health (SoH) that the SHV evaluates
The NAP client submits the SoH to the SHV; the SHV communicates with the policy server to determine whether the health state reported in the SoH meets the security policy requirements. If the computer is compliant, it is granted full access to the network. If it is not compliant (in isolation mode), it gets only limited access to the network.
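As an added illustration that is not part of the original article, the following Python model walks through the evaluation and enforcement decision described in sections II, III, V and VI: an SoH is checked against the SHV's policy, and the outcome depends on monitoring versus isolation mode and on whether non-NAP-capable clients are exempted. The check names, SoH fields and sample clients are assumptions constructed for the example, not Microsoft's API.

```python
"""Constructed model of the NAP health-evaluation flow (assumed names, not Microsoft's implementation)."""
from dataclasses import dataclass, field

# Policy checks the SHV enforces; each is a SoH field that must be True.
# The names mirror the article's compliance criteria and are assumptions.
REQUIRED_CHECKS = ("patches_current", "antivirus_on", "antispyware_on",
                   "firewall_on", "auto_update_on")

@dataclass
class Decision:
    access: str                                  # "full" or "restricted"
    failed: list = field(default_factory=list)   # checks the SoH did not pass
    logged: bool = False                         # non-compliance recorded for the admin

def validate_soh(soh: dict) -> list:
    """SHV step: names of policy checks the SoH does not satisfy."""
    return [c for c in REQUIRED_CHECKS if not soh.get(c, False)]

def enforce(client: dict, mode: str, allow_non_nap: bool) -> Decision:
    """Enforcement decision for one client.

    client: {"nap_capable": bool, "soh": dict or None}
    mode:   "monitoring" (log only) or "isolation" (restrict non-compliant)
    allow_non_nap: whether clients that cannot submit an SoH are exempted
    """
    if not client.get("nap_capable", False) or client.get("soh") is None:
        # No SHA, so no SoH: section V, either an exception or the restricted network.
        return Decision("full" if allow_non_nap else "restricted",
                        failed=["no SoH"], logged=True)
    failed = validate_soh(client["soh"])
    if not failed:
        return Decision("full")
    if mode == "monitoring":
        # Non-compliant but still admitted; the deviation is logged.
        return Decision("full", failed=failed, logged=True)
    if mode == "isolation":
        # Restricted network: DNS, DHCP and remediation servers only.
        return Decision("restricted", failed=failed, logged=True)
    raise ValueError(f"unknown NAP mode: {mode}")

# Constructed sample clients.
COMPLIANT = {"nap_capable": True, "soh": dict.fromkeys(REQUIRED_CHECKS, True)}
NO_AV = {"nap_capable": True,
         "soh": {**dict.fromkeys(REQUIRED_CHECKS, True), "antivirus_on": False}}
LEGACY = {"nap_capable": False, "soh": None}   # OS without a NAP client
```

Running `enforce(NO_AV, "monitoring", False)` admits the client but records the failed antivirus check, while the same client in isolation mode is placed on the restricted network.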
VII. Health certificates can be used to prove compliance with policy
In this case you need a Longhorn Server running Internet Information Services (IIS) and Certificate Services, acting as a certificate authority that issues health certificates. This server is called the Health Registration Authority (HRA). The NAP client sends the SoH to the HRA, which forwards it to the NPS server. The NPS server communicates with the policy server to verify that the SoH is valid. If it is valid, the HRA issues the client a health certificate that can be used to establish IPsec-based connections.
VIII. There are four NAP enforcement methods
IPsec enforcement relies on the HRA and X.509 certificates. 802.1X enforcement relies on the EAPHost NAP enforcement client; the client connects through an 802.1X access point, which can be a wireless access point or an Ethernet switch. A restricted access profile is placed on non-compliant clients, confining them to a restricted network by means of packet filters or VLAN identifiers. VPN enforcement relies on the VPN server, which enforces the security policy when a computer attempts to connect to the network through a VPN. DHCP enforcement relies on a DHCP server, which enforces the security policy when a computer leases or renews an IP address. You can use one, several, or all of the enforcement methods on a network.
IX. Under all four enforcement methods, a computer that does not comply with policy gets only limited network access
DHCP enforcement is the easiest and most comprehensive approach, because most computers need to lease an IP address (except those assigned static addresses), but IPsec enforcement is the most secure. A computer with restricted access can still reach the DNS and DHCP servers as well as the remediation servers. However, you should place a secondary DNS server or a forwarding server on the restricted network rather than a primary DNS server.
X. NAP differs from Network Access Quarantine Control (NAQC) in Windows Server 2003
NAP can be applied to all systems on the network, not just remote access clients. With NAP you can also monitor and control the security state of visiting laptops and even desktops. It is also easier to deploy, because it does not require writing custom scripts and manual command-line configuration as NAQC does. In addition, third-party software vendors can use the NAP API to develop NAP-compliant health-validation and network-access-restriction components. NAP and NAQC can be used at the same time, but in general NAP acts as a replacement for NAQC.
Windows Vista ships with a built-in anti-spyware program called Windows Defender, which is a necessary part of Vista's hardened security mechanisms.