ms nap data sheet v16

7/23/2019 Ms Nap Data Sheet v16 http://slidepdf.com/reader/full/ms-nap-data-sheet-v16 1/2

Network Access Protection
Ensuring network health through policy-based access enforcement

What is Network Access Protection?

Network Access Protection (NAP) is a policy enforcement platform built into Windows Vista® and Windows Server® 2008. It is designed to inspect, assess, ensure compliance to policy, and remediate, where necessary, endpoints (e.g. laptops or other devices) attempting to access networked resources, such as applications, data, and information.

Network Access Protection is designed to protect both remote and local users from viruses, worms, and malicious software by helping to verify and directly update any computer attempting to access the network while restricting the network access of non-compliant clients. This set of technologies allows an IT administrator to keep the endpoints healthy and provides flexible control to set the policy of what is considered healthy enough to connect to the network.

How does it work?

When a client tries to access the network, it must present its system health state. If a client cannot prove it is compliant with the system health policy, its access to the network can be restricted to a special network segment containing access to server resources so compliance issues can be remedied. After the updates are installed, the client again requests access to the network, presenting updated health credentials. Now compliant, the client is granted full access to the network based on the associated access policy. For greater control and better user experience, health credentials are reusable for immediate access to the network until there is a change in client health state or system health policy.

Solution Overview

Policy Validation: Determines whether endpoints are compliant with health and security policy. Compliant endpoints are deemed healthy.

Network Restriction: Restricts network access based on validated endpoint health state.

Remediation: Provides necessary updates to enable endpoints to get to a healthy state. Once healthy, network restrictions are removed.

Ongoing Compliance: Changes to the health/security policy or to the endpoint's health state may dynamically result in network restriction and remediation.

Flexibility of Enforcement Options

Network Access Protection is about defense in depth and customer choice. A customer can implement Network Access Protection using the enforcement mechanism best suited to the company's business needs, threat model, existing infrastructure, and infrastructure upgrade schedule. Protect network access, host access, application access in any combination, as needed, where appropriate.

Enforcement Option    | Healthy Client                        | Unhealthy Client
IPsec                 | Can communicate with any trusted peer | Connection requests rejected by healthy peers
802.1X                | Full access                           | Restricted VLAN
SSL application proxy | Full application access               | Access to restricted set of resources
VPN                   | Full access                           | IP filters enforced at VPN servers
DHCP                  | Full IP address given, full access    | Restricted set of routes

Network Access Protection Process (figure)

Figure components: NPS Policy Server, Network Access Device, Remediation Server, Health Registration Authority, Restricted Network, Corporate Network. Flow labels: Statement of Health, Validation, Unhealthy / Healthy, Client is issued health certificate.
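The validate, restrict, remediate and re-validate cycle described above, as an added Python model that is not part of the data sheet and not Microsoft's NAP implementation. The policy fields (firewall state, antivirus signature version, patch level), the Statement of Health layout, the client name and the enforcement outcome strings are constructed for this example; it treats a reusable health certificate as a cached pass keyed on the policy version and a hash of the reported health state, so a change in either forces a fresh validation, which is the "Ongoing Compliance" behaviour the sheet describes.

```python
"""Model of the NAP health-check, restrict, remediate, re-check cycle.

Added illustration, not Microsoft's NAP code. Policy fields, the Statement
of Health layout and the outcome strings are constructed for this example.
"""
from dataclasses import dataclass, field
import hashlib
import json

# Constructed health policy, as an NPS administrator might define it.
POLICY_V1 = {"version": 1, "firewall_on": True,
             "min_av_signature": 3000, "min_patch_level": 10}

# Where each enforcement option leaves an unhealthy client (from the sheet's table).
RESTRICTED_OUTCOME = {
    "IPsec": "connection requests rejected by healthy peers",
    "802.1X": "restricted VLAN",
    "SSL application proxy": "access to restricted set of resources",
    "VPN": "IP filters enforced at VPN servers",
    "DHCP": "restricted set of routes",
}


@dataclass
class StatementOfHealth:
    """What the client presents when it asks for network access (constructed fields)."""
    client_id: str
    firewall_on: bool
    av_signature: int
    patch_level: int

    def digest(self) -> str:
        """Hash of the reported state; a change here invalidates a cached pass."""
        raw = json.dumps(self.__dict__, sort_keys=True).encode()
        return hashlib.sha256(raw).hexdigest()


def validate_soh(soh: StatementOfHealth, policy: dict) -> list:
    """Policy validation: return the failed checks (empty list means healthy)."""
    failures = []
    if policy["firewall_on"] and not soh.firewall_on:
        failures.append("firewall_off")
    if soh.av_signature < policy["min_av_signature"]:
        failures.append("av_signature_out_of_date")
    if soh.patch_level < policy["min_patch_level"]:
        failures.append("patches_missing")
    return failures


@dataclass
class HealthRegistrationAuthority:
    """Issues health certificates; one stays valid only while the client's
    health state and the policy version are unchanged."""
    policy: dict
    issued: dict = field(default_factory=dict)  # client_id -> (policy version, digest)

    def request_access(self, soh: StatementOfHealth, enforcement: str) -> dict:
        if self.issued.get(soh.client_id) == (self.policy["version"], soh.digest()):
            return {"access": "full", "reason": "reused health certificate", "failures": []}
        failures = validate_soh(soh, self.policy)
        if failures:
            return {"access": "restricted",
                    "reason": RESTRICTED_OUTCOME[enforcement], "failures": failures}
        self.issued[soh.client_id] = (self.policy["version"], soh.digest())
        return {"access": "full", "reason": "health certificate issued", "failures": []}


def remediate(soh: StatementOfHealth, failures: list, policy: dict) -> StatementOfHealth:
    """Remediation server: bring the reported state up to the policy minimums."""
    fixed = StatementOfHealth(**soh.__dict__)
    if "firewall_off" in failures:
        fixed.firewall_on = True
    if "av_signature_out_of_date" in failures:
        fixed.av_signature = policy["min_av_signature"]
    if "patches_missing" in failures:
        fixed.patch_level = policy["min_patch_level"]
    return fixed


def nap_cycle(hra: HealthRegistrationAuthority, soh: StatementOfHealth,
              enforcement: str = "802.1X"):
    """Validate; if restricted, remediate and present updated credentials once more."""
    decisions = [hra.request_access(soh, enforcement)]
    if decisions[-1]["access"] == "restricted":
        soh = remediate(soh, decisions[-1]["failures"], hra.policy)
        decisions.append(hra.request_access(soh, enforcement))
    return decisions, soh


if __name__ == "__main__":
    hra = HealthRegistrationAuthority(dict(POLICY_V1))
    # Constructed client: firewall off and stale antivirus signatures.
    laptop = StatementOfHealth("laptop-17", firewall_on=False, av_signature=2950, patch_level=10)
    for decision in nap_cycle(hra, laptop)[0]:
        print(decision)
```

Raising `min_av_signature` in a new policy version makes the cached certificate miss on the next request, so a client that was healthy under version 1 is restricted again until it remediates; a cycle that never re-checks cached passes against the current policy would let such clients keep full access.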

Upload: mctwinner

Post on 19-Feb-2018


Page 2: Ms Nap Data Sheet v16


Features List

DHCP NAP
RRAS/VPN NAP
IPsec NAP
Health Registration Authority Server
Vulnerability Assessment System Health Agent/Validator
NAP Audit Only Mode
NAP Enforcement Mode
802.1X NAP
Improved NPS UI
Health Registration Authority Server Management
Integration with multiple Antivirus vendors
Interoperability with System Center Configuration Manager and Operations Manager
Interoperability with Forefront Client Security
NAP Statement of Health (SOH) adopted by the Trusted Computing Group's TNC.

System Requirements

Windows Server® 2008
DHCP Server service
Routing and Remote Access service
Network Policy Server (NPS)
Health Registration Authority Server
Health Registration Authority Server Management

Client Support

Windows Vista®
Windows® XP Service Pack 3 (SP3)
Licensable APIs for third-party vendors to write support for Windows 2000, UNIX, Linux, or Mac clients
NAP agents for Mac and Linux clients available through partners

Resources & Contacts

Web site and Whitepapers: www.microsoft.com/nap
FAQ: http://www.microsoft.com/windowsserver2003/techinfo/overview/napfaq.mspx
SDK: [email protected]
Partners: http://www.microsoft.com/windowsserver2003/partners/nappartners.mspx
Questions and [email protected]

Industry Support

A broad array of networking vendors have plans to innovate on top of the extensible architecture. This means investments you have already made in your infrastructure can be readily leveraged and plugged in interchangeably. To view a list of partners, please visit http://www.microsoft.com/nap.

© 2005 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Network Access Protection
Microsoft®