How MSIT used a Power(ful) NAP to Improve Security Policy Compliance

Hot off the presses, Microsoft IT (aka MSIT) has published a case study around their use of Network Access Protection (aka NAP) -- enabled with Windows Server 2008 -- to improve security and host policy compliance on our huge network.

Microsoft Improves Security Policy Compliance with Network Access Protection

Here's a brief synopsis of the paper:

With 71,000 highly mobile users worldwide, Microsoft wanted a new way to measure and improve its 300,000+ client computers’ compliance with corporate security policies. The company deployed Network Access Protection (NAP), a feature of the Windows Server® 2008 operating system, to improve the security policy compliance of its desktop computers, roaming portable computers, visiting portable computers, and unmanaged home computers. Now Microsoft is increasing compliance with security policies and adding efficiency to its security management process. The company also benefits from the scalability of NAP and the flexibility to deploy it for a variety of access scenarios—including virtual private network connections, Internet Protocol security access, and Dynamic Host Configuration Protocol address configurations—with varying levels of implementation.

One thing you'll likely note is MSIT is using IPsec as one of the main enforcement methods for our NAP deployment. This builds on the existing Server and Domain Isolation deployment MSIT completed a few years back.

Why is that important?

Well, if you're looking for things you can start doing today to get your networks ready for the upcoming release of Windows Server 2008, consider evaluating Server and Domain Isolation.

It's already supported on WS03, XP, etc. and can help you lay out the enforcement scheme (with added security and compliance value even at this stage) for a future NAP deployment.
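To make the compliance model behind this concrete, here is an added illustration (written for this post, not code from the case study or from Microsoft's NAP implementation) of how a health validator turns a client's statement of health into an enforcement outcome for the three methods the paper names: IPsec, VPN and DHCP. The check names, thresholds, sample clients and the wording of each enforcement action are assumptions chosen for the example; the real Windows Security Health Validator and its enforcement servers are configured through Network Policy Server, not through code like this.

```python
# Simplified model of NAP health evaluation and enforcement outcomes.
# Added illustration for this post; not Microsoft's NAP code.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StatementOfHealth:
    """What a client reports about itself (field names are assumptions)."""
    hostname: str
    firewall_enabled: bool
    av_signature_age_days: int
    automatic_updates_enabled: bool
    missing_security_updates: int


@dataclass
class HealthPolicy:
    """Thresholds the validator applies (values are constructed for the example)."""
    max_av_signature_age_days: int = 7
    max_missing_security_updates: int = 0


# Assumed summary of what each enforcement method does with the verdict.
ENFORCEMENT: Dict[str, Dict[str, str]] = {
    "ipsec": {
        "compliant": "health certificate issued; host can negotiate IPsec with other compliant hosts",
        "noncompliant": "no health certificate; only boundary and remediation servers accept the host",
    },
    "vpn": {
        "compliant": "VPN session gets full access",
        "noncompliant": "VPN session filtered to remediation servers",
    },
    "dhcp": {
        "compliant": "normal IP configuration and routes",
        "noncompliant": "restricted IP configuration with routes only to remediation servers",
    },
}


def evaluate(soh: StatementOfHealth, policy: HealthPolicy) -> List[str]:
    """Return the list of policy failures; an empty list means the host is compliant."""
    failures: List[str] = []
    if not soh.firewall_enabled:
        failures.append("firewall disabled")
    if soh.av_signature_age_days > policy.max_av_signature_age_days:
        failures.append(f"antivirus signatures {soh.av_signature_age_days} days old")
    if not soh.automatic_updates_enabled:
        failures.append("automatic updates disabled")
    if soh.missing_security_updates > policy.max_missing_security_updates:
        failures.append(f"{soh.missing_security_updates} security update(s) missing")
    return failures


def decide(soh: StatementOfHealth, policy: HealthPolicy, method: str) -> dict:
    """Combine the health verdict with the enforcement method to get the action taken."""
    if method not in ENFORCEMENT:
        raise ValueError(f"unknown enforcement method: {method}")
    failures = evaluate(soh, policy)
    status = "compliant" if not failures else "noncompliant"
    return {
        "host": soh.hostname,
        "status": status,
        "failures": failures,
        "action": ENFORCEMENT[method][status],
    }


# Constructed sample clients mirroring the scenarios in the case study.
SAMPLE_CLIENTS = [
    StatementOfHealth("managed-desktop", True, 1, True, 0),
    StatementOfHealth("roaming-laptop", True, 12, True, 1),
    StatementOfHealth("home-pc", False, 30, False, 4),
]


def summarize(method: str = "ipsec", policy: Optional[HealthPolicy] = None) -> List[dict]:
    """Evaluate every sample client under one enforcement method."""
    policy = policy or HealthPolicy()
    return [decide(client, policy, method) for client in SAMPLE_CLIENTS]


if __name__ == "__main__":
    for verdict in summarize("ipsec"):
        print(f"{verdict['host']}: {verdict['status']} -> {verdict['action']}")
        for failure in verdict["failures"]:
            print(f"    - {failure}")
```

The point the model makes is the one the post is getting at: the health verdict is the same regardless of enforcement method, and what changes is how much of the network a non-compliant host can reach. With IPsec enforcement that boundary is carried by the hosts themselves, which is why an existing Server and Domain Isolation deployment gives you most of the groundwork.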

Happy reading!

-- Ian