The Low Down on Configuration Manager NAP Remediation (SCCM + NAP)

I’m Carol Bailey, Senior Technical Writer for System Center Configuration Manager 2007 (formerly SMS 2003), and I’m involved with many of the security-related features in Configuration Manager – including Internet-based client management, desired configuration management, … and Network Access Protection (NAP).

NAP was always one of the principal new features for Configuration Manager, and I’ve been with the Configuration Manager NAP feature team right from Beta 1, over three years ago now. I’ve seen it through from specs, to test passes, TAP exit criteria, Dogfooding, and to its implementation on the MS IT network. It’s really exciting to know that with the release of Windows Server 2008, it’s now fully supported on customer production networks. Despite Configuration Manager being released in August last year, we couldn’t fully support our NAP feature when the dependent operating system wasn’t yet released.

Because of my involvement with Configuration Manager NAP, I was asked to attend the RSA Conference in San Francisco to help with the expo booths that were running NAP demos. We had demos that showed a noncompliant computer being restricted and remediated for a software update, Windows security settings, and the Forefront services. You can watch a similar demo, with callouts: NAP clickthrough

This demo shows the user experience of NAP, and the administrator interface for the configuration piece, but what’s really going on under the hood? This post gives you the technical low down of how NAP works in Configuration Manager.

But before we look at what’s happening when the noncompliant computer connects to the network, we need to step back to see what’s in place to ensure that noncompliance is reported and remediation is possible (NAP setup). Then we can work through how NAP compliance is evaluated and how NAP remediation works.

As a prerequisite for NAP in Configuration Manager, the administrator has performed the following actions:

  • Extended the Active Directory schema for Configuration Manager 2007; created the System Management container and configured the required permissions; installed a Configuration Manager site and configured it to publish to Active Directory Domain Services.
  • Deployed Configuration Manager clients and assigned them to the site.
  • Configured the software updates feature, and downloaded software updates that will be enabled for NAP evaluation.
  • Enabled the Network Access Protection client agent and ensured that clients can support NAP – either natively on Windows Vista, or, for computers running Windows XP, by deploying the Network Access Protection client that is included in Windows XP SP3.
  • Installed the System Health Validator (SCCM SHV) point on a Windows Server 2008 computer that is configured as a NAP health policy server (NPS), and on this server policies are configured to restrict network access if the Configuration Manager client is noncompliant.
  • Verified the underlying NAP infrastructure is working by ensuring that a NAP client with the Windows firewall disabled is restricted and remediated by the Windows NAP health policy server.

Note: There are a number of configuration options available when configuring a site for Network Access Protection, but here we will assume that all defaults are used. There’s more information about the configuration options in the Configuration Manager documentation library: Configuring Network Access Protection.

NAP Setup:

  • The administrator enables the Configuration Manager Network Access Protection client agent (SCCM SHA). This triggers two actions: the first is to include a Network Access Protection policy within the Configuration Manager client’s policy, which the client downloads on a schedule. This instruction tells the client that if any software updates are marked for NAP evaluation, it must assess its compliance. It also includes a health state reference, which acts like a timestamp (it is actually a sequential number rather than a time value). The second action is for the site server to publish the same health state reference to Active Directory Domain Services, as an attribute of the site object.
  • This health state reference in Active Directory Domain Services is retrieved by the System Health Validator (SCCM SHV) point when it first starts, and on a regular basis. It is used as part of the validation process, as we will see later. This health state reference means that the System Health Validator (SCCM SHV) point never directly communicates with the site server, which allows for cross-forest implementation.
  • The administrator configures a software update to be included in NAP evaluation. There are multiple ways to achieve this, but one method is to run the New Policies wizard from under the Network Access Protection node. From the wizard, you can select the software updates that you want to be included in NAP evaluation, and configure the effective date – when you want the compliance evaluation of the software update to begin. Configuring a software update for NAP results in creating a Configuration Manager NAP policy in the console (visible in the Policies node), and enables a property of the software update. For more information about how to configure a software update for NAP evaluation, see How to Create a Configuration Manager NAP Policy for Network Access Protection.
  • Although each software update that is enabled for NAP evaluation creates a new Configuration Manager NAP policy in the console, in the background there is actually only one NAP policy for the site (the one that was created when the Network Access Protection client agent was enabled), and each software update configured for NAP evaluation is added to it. Every time this policy is modified, the health state reference is incremented to denote the change – in both the policy and Active Directory Domain Services.

NAP compliance is evaluated, and remediation is initiated when needed:

Taking the scenario in the demo where the laptop has been off the network for a period of time, missed the deployment of the software update that is now configured for NAP, and the effective date is due:

  • The computer connects to the network and is asked for its statement of health. The Configuration Manager Network Access Protection client agent (SCCM SHA) evaluates its compliance according to the client policy that it downloaded some time ago. This doesn’t include the software update that the administrator has now configured for NAP evaluation, so it doesn’t know at this point that it’s not compliant. It sends its compliance information to the Configuration Manager System Health Validator (SCCM SHV), which includes its compliance status of compliant, its site code, and the health state reference.
  • The System Health Validator (SCCM SHV) point receives the client’s statement of health and runs through its validation checks – it doesn’t just take the client’s word for it that it is compliant. When it gets to the check for the health state reference, it compares the client’s health state reference to the one that it downloaded from Active Directory Domain Services, for the client’s site. They don’t match – the client’s health state reference is older, so it knows that the compliance information is out of date. At this point it tells the client and the NAP health policy server that the computer is noncompliant.
  • According to the policies on the NAP health policy server (NPS), the client is restricted and remediation is initiated.
  • Remediation in this case is to download the latest client policy from the client’s management point, which includes the new software update configured for NAP evaluation. The client re-evaluates its compliance, and this time sends a statement of health (SoH) with a current health state reference but a compliance status of noncompliant.
  • The Configuration Manager System Health Validator (SCCM SHV) again runs through its checks, and this time the health state reference check passes – so the client’s compliance status is validated. However, because the client is noncompliant with the software update, the System Health Validator (SCCM SHV) again sends a noncompliant status to the client and to the NAP health policy server. This time however, remediation involves downloading and installing the software update.
  • After the client has installed the software update, it re-evaluates its compliance once again and sends the results in the statement of health. This time the health state reference is current and the compliance status is compliant. The Configuration Manager System Health Validator (SCCM SHV) returns a compliant status to the client and the NAP health policy server (NPS) – and according to the policies configured on the NAP health policy server (NPS), the client has full network access.
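
The setup and evaluation steps above, as an added example that is not part of the original post and is not Configuration Manager code: a small Python simulation in which a site server publishes its health state reference to a stand-in for AD DS, the SHV point caches that reference, and a client that missed a policy change works through the two remediation rounds. The site code ABC, the update name UPDATE-1, the remediation labels and all class and function names are constructed for this example; only the health state reference check and the compliance status check are modelled, not the other checks the SHV point performs.

```python
# Added example: simulation of the Configuration Manager 2007 NAP flow described
# in this post. All classes, names and values are stand-ins for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Stand-in for the site object attribute in AD DS: site code -> health state reference.
Directory = Dict[str, int]


@dataclass
class SiteServer:
    """Owns the single NAP policy for the site and publishes its health state reference."""
    site_code: str
    health_state_ref: int = 0          # sequential counter, not a timestamp
    nap_updates: Set[str] = field(default_factory=set)

    def enable_nap_agent(self, directory: Directory) -> None:
        """Enabling the SCCM SHA creates the NAP policy and publishes the first reference."""
        self.health_state_ref += 1
        directory[self.site_code] = self.health_state_ref

    def add_nap_update(self, update_id: str, directory: Directory) -> None:
        """Every change to the NAP policy bumps the reference in the policy and in AD DS."""
        self.nap_updates.add(update_id)
        self.health_state_ref += 1
        directory[self.site_code] = self.health_state_ref

    def client_policy(self) -> Tuple[int, Set[str]]:
        """What a client receives from the management point on its policy download."""
        return self.health_state_ref, set(self.nap_updates)


@dataclass
class Client:
    """SCCM SHA: evaluates compliance against the policy it last downloaded."""
    site_code: str
    policy_ref: int = 0
    policy_updates: Set[str] = field(default_factory=set)
    installed: Set[str] = field(default_factory=set)

    def download_policy(self, site: SiteServer) -> None:
        self.policy_ref, self.policy_updates = site.client_policy()

    def missing_updates(self) -> Set[str]:
        return self.policy_updates - self.installed

    def statement_of_health(self) -> Dict[str, object]:
        """SoH carries the site code, the reference the client evaluated against, and its verdict."""
        status = "compliant" if not self.missing_updates() else "noncompliant"
        return {"site_code": self.site_code, "ref": self.policy_ref, "status": status}


@dataclass
class ShvPoint:
    """SCCM SHV: checks the SoH against the reference it read from AD DS, never from the site."""
    cache: Directory = field(default_factory=dict)

    def refresh(self, directory: Directory) -> None:
        self.cache = dict(directory)           # done at start-up and on a schedule

    def validate(self, soh: Dict[str, object]) -> Tuple[str, Optional[str]]:
        """Returns (verdict, remediation). The client's own status only counts once its
        health state reference matches the one published for its site."""
        expected = self.cache.get(soh["site_code"])
        if expected is None:
            return "noncompliant", "unknown-site"
        if soh["ref"] != expected:
            # Any mismatch fails: the client evaluated against a policy that is not current.
            return "noncompliant", "refresh-policy"
        if soh["status"] != "compliant":
            return "noncompliant", "install-updates"
        return "compliant", None


def connect_and_remediate(client: Client, site: SiteServer, shv: ShvPoint,
                          max_rounds: int = 5) -> List[Tuple[str, Optional[str]]]:
    """Drives the SoH / remediation loop and returns each round's verdict in order."""
    transcript: List[Tuple[str, Optional[str]]] = []
    for _ in range(max_rounds):
        verdict, remediation = shv.validate(client.statement_of_health())
        transcript.append((verdict, remediation))
        if verdict == "compliant":
            break
        if remediation == "refresh-policy":
            client.download_policy(site)                   # pull current policy from the MP
        elif remediation == "install-updates":
            client.installed |= client.missing_updates()   # install via software updates
        else:
            break                                          # nothing the client can fix itself
    return transcript


def demo_scenario() -> List[Tuple[str, Optional[str]]]:
    """The laptop-off-the-network scenario: expect refresh-policy, install-updates, compliant."""
    directory: Directory = {}
    site = SiteServer("ABC")
    site.enable_nap_agent(directory)
    laptop = Client("ABC")
    laptop.download_policy(site)                 # reference 1, no updates enabled for NAP yet
    site.add_nap_update("UPDATE-1", directory)   # happens while the laptop is off the network
    shv = ShvPoint()
    shv.refresh(directory)                       # SHV point picks up reference 2 from AD DS
    return connect_and_remediate(laptop, site, shv)
```

Because the SHV point compares against its own cached copy of the reference, a client that already holds the newer policy is also reported noncompliant until the SHV point refreshes from AD DS; re-downloading policy does not clear that, so a client that keeps going into remediation right after a policy change is worth checking against the SHV point's refresh schedule.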

There are other checks that the Configuration Manager System Health Validator (SCCM SHV) performs in addition to the health state reference and the compliance status. For more information, see About System Health Validator Points in Network Access Protection.

In my next post, I’ll highlight some gotchas, FAQs, best practices, and tips for implementing NAP in Configuration Manager.

The documentation for Configuration Manager NAP can be found in the feature section of the Configuration Manager documentation library: Network Access Protection in Configuration Manager. Related to the information in this post, you might find the following useful:

Background information

Overview of Network Access Protection

About the Statement of Health (SoH) in Network Access Protection

About NAP Health State References in Network Access Protection

About Network Access Protection Remediation

Verification tasks

How to Verify Client Statements of Health for Network Access Protection

How to Verify Clients are Going into Remediation with Network Access Protection

Flowcharts

System Health Validator Point: Validation Process for Network Access Protection

SoH Response to Non-Compliant Configuration Manager Client with Network Access Protection

If you have any questions or feedback about the documentation for Configuration Manager NAP, you can e-mail me (Carol.Bailey@Microsoft.com) or my documentation team (SMSDocs@Microsoft.com).

- Carol

This posting is provided AS IS with no warranties and confers no rights.