Windows Server 2008 : Working with NAP (part 2)

NAP Health Policy Server

The NAP Health Policy Server is the heart of the NAP-supported network infrastructure. The NAP Health Policy Server runs Windows 2008 Server and has the NPS server role installed. The NPS server role is responsible for storing health requirement policies and provides health state validation for NAP.

Interestingly, the NPS server role replaces Internet Authentication Service (IAS), Remote Authentication Dial-In User Service (RADIUS), and proxy server provided by Windows 2003 Server. So NPS not only supports the NAP infrastructure but also acts as the authentication, authorization, and access (AAA) server in Windows 2008 Server. The NPS role can act as the RADIUS proxy to exchange RADIUS data packets with another NAP health policy server.

Health Requirement Server

Health requirement servers contain the data that NAP NPS servers check for current system health state for NAP NPS servers. Examples of the data that health requirement servers may provide are the latest virus DAT information files for third-party antivirus packages or updates for other software packages that the ISVs use the NAP API to develop.

Restricted Network

A restricted network is where NAP sends a computer that needs remediation services or to block access to the private network until remediation can take place. The restricted network can be a different subnet that has no routes to the private network or a different logical network in the form of a virtual local area network (VLAN). A good NAP design would place remediation servers located within the restricted network. Placing remediation servers inside the restricted network, enables NAP clients to get updated and then be allowed access to the private network.

The remediation server could be in the form of a Windows 2008 Server or Windows 2003 Server running Windows Server Update Services (WSUS). WSUS provides an easy way to update the NAP client system files using Microsoft Update Services. You could also place virus update files and other third-party critical update files on the remediation server.

Software Policy Validation

Before you actually start doing some exercises, it is important to understand what actually goes on during system-compliant testing and validation. NPS uses System Health Validators (SHVs) to analyze the compliance of a client computer. SHVs determine whether a computer is getting full access to the private network or if it will be isolated to the restricted network. The client has a piece of software installed called a System Health Agent (SHA) to monitor its system health. NPS uses SHVs and SHAs to determine the health of a client computer and to monitor, enforce, and remediate the client computer.

Built into Windows Server 2008 and Windows Vista are the Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV). These agents are used to enforce the most basic compliance settings in a NAP infrastructure. The settings provided by WSHA and WSHV are:

• The client computer has firewall software installed and enabled.

• The client computer has antivirus software installed and enabled.

• The client computer has current antivirus updates installed.

• The client computer has antispyware software installed and enabled.

• The client computer has current antispyware updates installed.

• Microsoft Update Services is enabled on the client computer.

Even without third-party SHVs and SHAs, Microsoft has built very powerful tools into Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 to validate the compliance and health of computers.