Saturday, 30 June 2007 9:12 PM
kens
New in Windows Server 2008 - Network Access Protection (NAP)
Network Access Protection (NAP) is a client-server feature that is one of the main attractions of Windows Server 2008. The idea behind NAP is that the configuration of clients connecting to the network can be verified against a preset policy, and if clients are non-compliant, they can be refused access to the network, or permitted access only to a restricted section of the network.
For example, administrators could define policies requiring certain patches to be installed, the firewall to be on and antivirus software to be up-to-date. If you've attempted to use the VPN quarantine features (or Network Access Quarantine Control) in ISA Server 2004 and Windows Server 2003, then this may seem familiar to you. NAP however is a much better and easier to use implementation than VPN quarantine.
NAP consists of a number of separate components.
A System Health Agent (SHA) runs on the client. Microsoft ships a Windows SHA for Windows Vista, and also for Windows XP SP2 (when the optional NAP client is installed – this is currently in beta). The SHA evaluates the current state of the machine and returns this to the server component.
A Network Policy Server (NPS) – known previously as Internet Authentication Server (IAS) – handles System Health Validators (SHV). These are where administrators define policies for their clients. Microsoft will ship an SHV for Windows, and third party ISVs can ship SHVs for their products (e.g. AV vendors). The NPS will compare the information returned by the SHA against the policy defined in the SHV (wow – a lot of acronyms) and depending on whether the client passes or not, the client may be placed into quarantine, or it may be permitted access to the network.
Actual enforcement of quarantine can be carried out by one of three separate mechanisms. The first, and the easiest to implement, is DHCP. The client can be issued a DHCP address on a restricted subnet, and permitted access only to servers (e.g. an update server) that will allow the client to return to a compliant state. This provides protection only in cases where the machines placed onto the network are managed by the corporation, and users do not have the ability to manually set their own IP addresses.
The second enforcement technology is via 802.1x. Here the NPS can instruct compatible switches or wireless access points to place non-compliant machines into a restricted network. This mechanism is much more robust than DHCP-based access control, but does rely on having the necessary network infrastructure in place.
The third enforcement technology is via IPSec. The NPS server can instruct a compatible Certificate Authority (CA) to issue a short-lived certificate to the end client that can be used by the client to connect to various services. This is the most robust enforcement mechanism, but IPSec does place workloads on servers in setting up the necessary IPSec communication channels.
Clients that are not compliant can be placed into a restricted network. This network may be permitted internet access (e.g. when guest users come into your building), or may have access only to low value servers, or may have access only to remediation servers (e.g. an AV update server, or WSUS server).
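To make the SHA / SHV / NPS flow above concrete, here is an added model of the evaluation and enforcement decision. It is not Microsoft's code and not the real NAP protocol: the Statement of Health fields, the policy fields, the knowledge-base identifiers, the subnets and the remediation server names are all constructed for illustration. It shows how a statement of health reported by the client is compared against the administrator's policy, and how the pass/fail result maps to either full network access or placement on a restricted network that can only reach remediation servers.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed model of the NAP decision flow (not Microsoft's implementation).
# The SHA on the client collects a Statement of Health; the SHV on the NPS
# holds the administrator's policy; the NPS compares the two and tells the
# enforcement point (DHCP, 802.1x or IPsec) where to place the client.


@dataclass
class StatementOfHealth:
    """What a System Health Agent reports about the client (field names assumed)."""
    hostname: str
    installed_patches: set
    firewall_enabled: bool
    av_signature_date: date


@dataclass
class HealthPolicy:
    """What an administrator configures in a System Health Validator (field names assumed)."""
    required_patches: set
    require_firewall: bool = True
    max_av_signature_age_days: int = 7


@dataclass
class HealthResult:
    compliant: bool
    failures: list = field(default_factory=list)


def validate(soh, policy, today):
    """SHV logic: compare the reported state against the policy, listing every failure."""
    failures = []
    missing = policy.required_patches - soh.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall disabled")
    age = (today - soh.av_signature_date).days
    if age > policy.max_av_signature_age_days:
        failures.append(f"antivirus signatures {age} days old")
    return HealthResult(compliant=not failures, failures=failures)


# Network placements handed to the enforcement point. Subnets and server names
# are constructed placeholders, not real addresses.
FULL_ACCESS = {"network": "corporate", "subnet": "10.0.0.0/16"}
RESTRICTED = {
    "network": "remediation",
    "subnet": "10.200.0.0/24",
    "reachable_servers": ["wsus.example.internal", "av-update.example.internal"],
}


def enforcement_decision(result):
    """NPS outcome: full access when compliant, otherwise the restricted network."""
    if result.compliant:
        return dict(FULL_ACCESS, reason="compliant")
    return dict(RESTRICTED, reason="; ".join(result.failures))


def evaluate_client(soh, policy, today):
    """End-to-end: statement of health in, network placement out."""
    return enforcement_decision(validate(soh, policy, today))


if __name__ == "__main__":
    policy = HealthPolicy(required_patches={"KB-EXAMPLE-1", "KB-EXAMPLE-2"})
    today = date(2007, 6, 30)
    healthy = StatementOfHealth("laptop01", {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, True, date(2007, 6, 28))
    stale = StatementOfHealth("laptop02", {"KB-EXAMPLE-1"}, False, date(2007, 5, 1))
    for soh in (healthy, stale):
        print(soh.hostname, evaluate_client(soh, policy, today))
```

The point worth noticing is that the SHV returns every failing check, not just the first one: the remediation servers the client is allowed to reach need to fix all of them before a re-evaluation will move the client back onto the corporate network.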
Personally, I think Network Access Protection (NAP) is going to be one of the most evaluated features of Windows Server 2008 when it ships. As network boundaries become more and more porous with laptops, PDAs and other storage devices frequently moving on/off the corporate network, network administrators can no longer rely on having a tough edge boundary (firewalls) whilst having a “soft” inner centre.
For more information on NAP, see the Microsoft NAP centre, and their FAQ.