Microsoft Network Access Protection (NAP)

Network access protection (NAP), introduced with Windows Server 2008, is Microsoft’s approach to controlling access to a network based on a determination of each device’s health.

Microsoft Network Access Protection (NAP) is a policy-based management feature of Windows Server 2008 that allows a network administrator to control access to network resources.

An endpoint device without malware protection, the latest operating system patches, a properly configured firewall and other well-proven security measures can pose a significant risk to the corporate network. NAP policies ensure that these and other features are in place and current before the endpoint device is allowed access to the network. Devices that are not in compliance may have their access restricted or blocked entirely.

NAP is built around a Network Policy Server (NPS) which replaces the older Internet Authentication Service (IAS) in Windows Server 2003. NPS is a RADIUS-compatible server designed to provide authentication and authorization for remote clients, and it acts as the "health evaluation server" for Network Access Protection. The NPS stores the administrator's NAP policies, which are also referred to as health policies

The actual evaluation of the rules in a policy is performed by an enforcement point, which is a compatible RADIUS client that's capable of communicating with NPS. 

NPS supports three types of policies:

  • Connection requests:  Determine general rules for requests from RADIUS clients, such as whether specific requests are handled by the NPS or proxied to another RADIUS server.
  • Network policies:  Define how connection attempts are either authorized or rejected.
  • Health policies:  Define health rules that must be met in order to connect.

Here is how NAP works:

During login, a NAP client reports system status to a NAP enforcement device such as a switch, VPN server, DHCP server, or other services. The NAP enforcement device reports the endpoint’s health to a Network Policy Server under Windows Server 2008 or Windows Server 2008 R2. The NPS evaluates the status against requirements established by the system administrator.

If the NAP client logging in meets the NPS requirements, it will be allowed to log into the corporate network normally. If the NAP client trying to log into the corporate network doesn’t comply with NPS requirements, the client can be blocked or placed on a network with restricted access until its health can be corrected by the user or through a remediation server containing the required patches, signatures or other content. Once the client’s health is updated and compliant, a new request for a health check can be made.

This was first published in February 2012

Continue Reading About Microsoft Network Access Protection (NAP)

Glossary

'Microsoft Network Access Protection (NAP)' is part of the:

View All Definitions

Dig deeper on Mobile data protection and authentication software

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

1 comment

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

File Extensions and File Formats

Powered by:

SearchEnterpriseDesktop

SearchVirtualDesktop

SearchVMware

SearchCIO

SearchSecurity

Close