Windows Vista – Network Access Protection (NAP)

Windows Vista – Network Access Protection (NAP)

Don’t make the mistake of confusing Network Access Protection (NAP) with Vista’s Network Center.  Microsoft’s NAP is a client server technology designed to protect your network from ‘unhealthy’ machines.  Built-in to Vista are client-side system health agents (SHA), the Windows Server 2008 or Windows 2003 Servers* compare the clients SoH (statement of health) with their policies.  You can configure NAP to only allow healthy machines on to the main network.  (The Network Center is a Control Panel container for troubleshooting IP settings and negotiating Wireless connections.)

*Windows 2003 Servers require an update, which is currently under testing before it can fulfil the NAP server role.

Introduction to Network Access Protection (NAP)

How do computer virus infections spread?  Let us assume that you minimise virus attack by protecting the Internet connection with firewalls and scanning Email attachments, what else can you do?  Ah yes, check those laptops and other mobile devices that itinerant associates bring to your network.  Thanks to Network Access Protection, virus attacks via laptops can be isolated, or if you specify a policy, the affected machines can be cleaned and then allowed onto your production network.

NAP Philosophy

The mission of NAP is to preserve the network by allowing access to only healthy machines.  Visiting laptops which don’t meet your policy standards, whether or not they are riddled with viruses, can be restricted to the repair subnet.  There, NAP remediation servers may be able to add SMS packages containing antivirus signatures and thus cure their deficiencies.

Remember that NAP focuses on the computer, unfortunately, it cannot protect against malicious users.

NAP is a client server technology which identifying machines that don’t have the latest virus signatures, service packs or security patches.  Such machines are most likely laptops that have been offsite for a while, or home computers connecting through a VPN.  Apparently hackers, in commons with all cowards, target the older weaker members of the computer society.

What strategy you employ once the server detects such ‘unhealthy’ machines is up to you.  You could configure the NAP servers to ban all machines until they pass muster, allow at least some of them onto the network, or better still point them to the remediation servers.  Another alternative would be to allow machines which don’t meet all the criteria limited access, for example visiting consultants laptops’ get internet access only.

Components of NAP

Remember that NAP is a classic client server technology.  All the necessary NAP components will be built into Vista clients and Longhorn Servers.  However, there is a talk of adding patches to XP (SP3) and Windows Server 2003 so that they can also benefit from NAP.

Your mission is to protect your network from ‘unhealthy’ machines.  Tactics involve identifying what constitutes a healthy machine, configuring one or more policies and deciding what do about computers that fail to match your criteria.

When a Vista machines boots up a conversation takes place with the NP (Network Protection) Server.   The client agent sends a SoH (Statement of Health), which details software updates and anti-virus signatures to the NP Server.  The server compares the SoH with one or more of its policies.  If the Vista client is deficient in any of the components, you can predetermine what action to take. For example, whether to try and remediate the client or just ban it from the production network.

Guy Recommends SolarWinds’ Free Network MonitorSolarwinds Network Device Monitor

Thus utility makes it easy to check the health of a router or firewall.  Check the real-time performance, and availability statistics, for any device on your network.  Get started with an extensive collection of "out-of-the-box" monitors for popular network devices. Give Network Monitor a whirl – it’s free. Download your free Network Device Monitor

If you need more comprehensive network analysis software:
Download a free trial of NPM (Network Performance Monitor)

NAP Server Components (Windows Server 2008 or Windows Server 2003)

Microsoft’s NAP Administration Server.  The main NAP Server reviews the policies, analyzes the clients and then decides whether or not to allow access to the network.

System Health Validator (SHV).  Determines whether the the SoH (Statement of Health) issued by the client’s SHA (System Health Agent), matches the required health criteria on the server.

Health Policy.  A list of conditions, you can have a different policy for each of these technologies;  IPSEC, DHCP, 802.1 or VPN.

Accounts Database.  A portion of Active Directory that stores NAP properties for a computer or user.

Health Certificate Server, IIS on Longhorn.

Optionally, a Remediation server.  This server is designed to help treat unhealthy clients, consequently it has any patches, virus signature updates that may cure a sickly machine.  However, further policies decide which machines get the patches, for example visitors machines would not have any software fixes applied. See more about NAP on Windows Server 2008.


Here are the five NAP policy systems.


This is the most secure configuration.  IPSec and NAP work in tandem to ensure that all machines are healthy and only speak the encrypted IPSec protocol.


Probably the most common implementation, every time the client asks to renew its IP address DHCP enforces health compliance.

802.1 (EAPHost)

Restricts access at the wireless access points until the clients are confirmed as healthy.


The VPN server enforces the policies any time a client computer attempts a connection over the VPN.

NPS (Network Policy Server) / Radius

Just works as a Policy Server.

Guy Recommends: SolarWinds Free Network Bandwidth MonitorFree Real-Time Bandwidth Monitor

This freeware monitor is great for checking whether your network’s load-balancing is performing as expected, for example, are two interfaces are getting about equal traffic?

It’s easy to install and straightforward to configure. You will soon be running tests to see how much network bandwidth your applications consume.

The GUI has a lovely balance between immediate network traffic data in the middle, combined with buttons to seek related data and configuration settings. Give this monitor a try, it’s free! 

Download your free network bandwidth monitor

If you need more comprehensive network analysis software:
Download a free trial of NPM (Network Performance Monitor)

Summary of Network Access Protection

The idea of Network Access Protection (NAP) is to identify and then to isolate ‘unhealthy’ computers.  The number one source of ‘unhealthy’ computers is likely to be a visiting laptop.   NAP is a client server technology which gives you a range of options for dealing with machines that lack up-to-date virus signatures, patches or service packs.


If you like this page then please share it with your friends


Configuring Windows Vista Topics:


     Vista Tools and Extras

   Tweak the Registry ebook

Download Your Tweak the Registry Ebook for only $6.45

This ebook will explain the workings of the registry.  I thoroughly enjoy tweaking the registry, and I want to distill the best of my experiences and pass them on to you.

Each registry tweak has two aims; to solve a specific problem, and to provide general learning points, which help you to master regedit. 

Over 60 pages ebook and PDF format