I can vividly remember the first day of the Blaster virus. I was sitting in my office working on some code when, all of a sudden, LSASS.exe crashed and my machine stated it must reboot in 30 seconds. I power-cycled the box and started poking around, and, lo and behold, Blaster was upon us all.
When the Senior VP of Windows called for all Windows employees to jump on the phones and bail out our customers struck by Blaster, we all rose to the occasion and shared the pain. A valuable lesson about security and the impact of what we do in Windows was learned from that expensive exercise.
A special task force was formed to create the Windows Firewall for XP Service Pack 2. I joined up to work on the various management pieces for the new and improved firewall. While these improvements were a good step toward preventing a future Blaster, it was clear we had a bigger issue on our hands – how do we create "health-based policy" in the corporate environment, enforce it, and get machines patched up without a call to helpdesk?
The technology exists today to systematically walk through every network endpoint, assess each machine's "patch level" remotely by various methods, brute-force the problem by disabling the switch port for the office that houses that endpoint, and force the end user to call helpdesk with their MAC address to find out which switch port needs to be re-enabled (of course, only after the end user has promised that their out-of-compliance system is now fixed). What a painful experience.
Enter Network Access Protection (NAP) – wouldn’t it be cool if we could assess the "health" of any given network endpoint, compare it to a corporate-defined policy, remove machines deemed out of compliance from the public network, fix up those machines (sometimes automatically, without user input), and then get them back on the public network? Yes, it is cool, and I want to show you how it works.
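To make that assess, quarantine, remediate, re-assess loop concrete, here is an added toy model written for this post; it is not the NAP design (which later posts describe), and the policy fields, the `can_auto_patch` flag and the function names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    """Corporate-defined health policy (assumed fields, not NAP's)."""
    min_patch_level: int            # hypothetical monotone patch counter
    firewall_required: bool = True
    max_signature_age_days: int = 7

@dataclass
class Health:
    """The endpoint's reported state (a stand-in for a statement of health)."""
    patch_level: int
    firewall_on: bool
    signature_age_days: int
    can_auto_patch: bool = True     # constructed: some machines need a manual patch

def evaluate(h: Health, p: Policy) -> list[str]:
    """Compare reported health to policy; an empty list means compliant."""
    failures = []
    if h.patch_level < p.min_patch_level:
        failures.append("patch")
    if p.firewall_required and not h.firewall_on:
        failures.append("firewall")
    if h.signature_age_days > p.max_signature_age_days:
        failures.append("signatures")
    return failures

def remediate(h: Health, failures: list[str], p: Policy) -> list[str]:
    """Fix what can be fixed without the user, from the quarantine network.
    Returns the failures that were remediated; anything else needs a human."""
    fixed = []
    if "firewall" in failures:
        h.firewall_on = True
        fixed.append("firewall")
    if "signatures" in failures:
        h.signature_age_days = 0
        fixed.append("signatures")
    if "patch" in failures and h.can_auto_patch:
        h.patch_level = p.min_patch_level
        fixed.append("patch")
    return fixed

def admit(h: Health, p: Policy) -> tuple[str, list[str]]:
    """Run the loop: assess, quarantine and remediate, re-assess.
    Returns ("network", []) once compliant, or ("quarantine", outstanding)
    when the remaining failures cannot be fixed without a helpdesk call."""
    while True:
        failures = evaluate(h, p)
        if not failures:
            return "network", []
        if not remediate(h, failures, p):   # nothing more we can fix alone
            return "quarantine", failures

if __name__ == "__main__":
    policy = Policy(min_patch_level=5)
    print(admit(Health(3, False, 20), policy))                       # ('network', [])
    print(admit(Health(3, True, 0, can_auto_patch=False), policy))   # ('quarantine', ['patch'])
```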
I will break out our design architecture in my posts later this week. Let me know if I need to drill down deeper or higher (comments welcome).
Jeff Sigman [MSFT]
NAP Release Manager
* Remove the "online" to actually email me.
** This posting is provided "AS IS" with no warranties, and confers no rights.