System Health Agents (SHAs) that are available from Microsoft

Greetings, fellow disciples of NAP!

Here is a summary of the different system health agents (SHAs) that are currently available from Microsoft.

Note: The following text was shamelessly “leveraged” from our own Greg Lindsay’s upcoming Network Access Protection Design Guide. Thanks Greg!

Microsoft provides the following SHAs for the NAP platform:

· Windows Security Health Agent (WSHA)

· System Center Configuration Manager SHA (SCCM SHA)

· Forefront Client Security SHA (FCS SHA)

For the SHAs available from our NAP partners, click here.

Note: Each of these SHAs has a corresponding system health validator (SHV).

Windows Security Health Agent (WSHA)

The WSHA is included with Windows Vista and Windows XP with Service Pack 3 and monitors the operational status of the Windows Security Center (WSC) on NAP client computers. The WSHA monitors the following:

· Firewall: If required, the NAP client must have a firewall enabled for all network connections.

· Virus Protection: If required, the NAP client computer must have an antivirus application installed, registered with WSC, and turned on. The NAP client can also be required to have an up-to-date antivirus signature file installed.

· Spyware Protection: If required, the NAP client must have an antispyware application installed, registered with WSC, and turned on. The NAP client can also be required to have an up-to-date antispyware signature file installed. Spyware protection only applies to NAP clients running Windows Vista.

· Automatic Updating: If required, the NAP client must be configured to check for updates from Windows Update. You can also require the NAP client to automatically download and install updates.

· Security Update Protection: If required, the NAP client must have security updates installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC). You can also specify the use of Windows Server Update Services (WSUS) or Windows Update to obtain security updates.
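To make the five checks above concrete, here is an added example (not code from this post or from Microsoft) that models how the corresponding SHV would evaluate a client's statement of health against an administrator's policy: each check is individually optional, signature freshness is only tested when the product is present and turned on, the spyware check is skipped for non-Vista clients, and the security update check counts only updates at or above the chosen MSRC severity. The class and field names, the 7-day signature-age window and the sample clients are all assumptions constructed for the example; the MSRC severity scale is the real one.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# MSRC severity ratings, ordered least to most severe. The policy names one of
# these as the threshold: missing updates at or above it make the client noncompliant.
SEVERITY = ["Low", "Moderate", "Important", "Critical"]


@dataclass
class HealthPolicy:
    """What the SHV requires. Every check is optional ('If required' in the post)."""
    require_firewall: bool = True
    require_antivirus: bool = True
    require_antivirus_up_to_date: bool = True
    require_antispyware: bool = True
    require_antispyware_up_to_date: bool = True
    require_automatic_updating: bool = True
    min_update_severity: Optional[str] = "Important"  # None switches the check off
    max_signature_age_days: int = 7  # assumption: what "up-to-date" means here


@dataclass
class ClientHealth:
    """Statement of health as a WSHA-style agent would report it from Windows Security Center."""
    os_name: str
    firewall_enabled: bool
    antivirus_on: bool
    antivirus_signature_date: Optional[date]
    antispyware_on: bool
    antispyware_signature_date: Optional[date]
    automatic_updating_enabled: bool
    missing_updates_by_severity: Dict[str, int]  # e.g. {"Important": 2}


def evaluate(policy: HealthPolicy, client: ClientHealth, today: date) -> List[str]:
    """Return the failed checks; an empty list means the client is compliant."""
    def stale(sig_date: Optional[date]) -> bool:
        return sig_date is None or (today - sig_date).days > policy.max_signature_age_days

    failures: List[str] = []
    if policy.require_firewall and not client.firewall_enabled:
        failures.append("Firewall")
    if policy.require_antivirus:
        if not client.antivirus_on:
            failures.append("Virus Protection")
        elif policy.require_antivirus_up_to_date and stale(client.antivirus_signature_date):
            failures.append("Virus Protection: signatures out of date")
    # Spyware protection applies only to Windows Vista clients, so an XP SP3
    # client is never failed on this check.
    if policy.require_antispyware and client.os_name == "Windows Vista":
        if not client.antispyware_on:
            failures.append("Spyware Protection")
        elif policy.require_antispyware_up_to_date and stale(client.antispyware_signature_date):
            failures.append("Spyware Protection: signatures out of date")
    if policy.require_automatic_updating and not client.automatic_updating_enabled:
        failures.append("Automatic Updating")
    if policy.min_update_severity is not None:
        threshold = SEVERITY.index(policy.min_update_severity)
        missing = sum(count for sev, count in client.missing_updates_by_severity.items()
                      if SEVERITY.index(sev) >= threshold)
        if missing:
            failures.append(f"Security Update Protection: {missing} update(s) rated "
                            f"{policy.min_update_severity} or higher missing")
    return failures


# Constructed sample data: a fixed evaluation date and three client statements of health.
TODAY = date(2008, 10, 15)
VISTA_OK = ClientHealth("Windows Vista", True, True, TODAY - timedelta(days=2),
                        True, TODAY - timedelta(days=1), True, {})
XP_MISSING_UPDATE = ClientHealth("Windows XP", True, True, TODAY - timedelta(days=3),
                                 False, None, True, {"Important": 1, "Low": 3})
VISTA_STALE_SPYWARE = ClientHealth("Windows Vista", True, True, TODAY - timedelta(days=2),
                                   True, TODAY - timedelta(days=30), True, {})


def demo() -> Dict[str, List[str]]:
    """Evaluate the sample clients against the default policy and one relaxed policy."""
    default = HealthPolicy()
    no_update_check = HealthPolicy(min_update_severity=None)
    return {
        "vista_ok": evaluate(default, VISTA_OK, TODAY),
        "xp_missing_update": evaluate(default, XP_MISSING_UPDATE, TODAY),
        "vista_stale_spyware": evaluate(default, VISTA_STALE_SPYWARE, TODAY),
        "xp_updates_not_required": evaluate(no_update_check, XP_MISSING_UPDATE, TODAY),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name}: {'compliant' if not failures else failures}")
```

Run it as a script to see the four verdicts. Note that the XP client passes the spyware check despite having no antispyware product, which is exactly the Vista-only caveat from the list above, while the Low-rated updates it is missing never count because the policy threshold is Important.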

Common point of confusion: The capability of the NAP platform is sometimes equated with the capability of the WSHA, leading to the assumption that if a system health check is not supported by the WSHA, then the NAP platform cannot support it. This is, of course, not correct, and is most likely based on an oversimplification of the NAP functionality that is included with Windows. Just as Windows includes basic functionality for drawing (the Paint program) and also supports much more capable drawing programs (such as Adobe Illustrator), NAP is a platform that allows any kind of system health check through the installation of additional SHAs, which can be developed using the NAP APIs. Additional SHAs can verify all kinds of things, from contacting an intrusion detection system (IDS) to ensure that your computer is not performing an address scan on the intranet (an IDS SHA) to automatically calling your Aunt Brenda to make sure that she is wearing her sweaters around the house because it is starting to get cold (the AB SHA :>).

System Center Configuration Manager SHA (SCCM SHA)

The SCCM SHA monitors a NAP client computer for compliance with required software updates that you specify. When a computer connects to the network, the SCCM SHA provides the current state of compliance, a site code, and a health state reference. The health state reference and site code are used to check whether a client computer has received the latest software update requirements from a Microsoft Systems Management Server (SMS) management point. If the health state is determined to be out of date, the client computer downloads a new set of requirements and its health is evaluated again.

When you deploy a software update with SCCM, you can select the update for NAP evaluation and specify a date and time when the policy will become effective. Only those updates that have been enabled for NAP evaluation in the Configuration Manager console are required to be installed on compliant NAP clients.

For more information about SCCM and NAP, see Network Access Protection in Configuration Manager.

Forefront Client Security SHA (FCS SHA)

The FCS SHA monitors the operational health of FCS on the client computer. The administrator-defined health policy on the SHV determines whether the client computer is compliant before it is allowed to access the network. To monitor and report on FCS-related aspects of computer health, the FCS SHA queries NAP client registry settings, checks the status of system services, and verifies that the NAP client has the latest patches and malware signature definitions. The FCS SHA also sends data to the FCS server management system, which provides manageability, data collection, and reporting services.

The FCS SHA monitors the NAP client’s level of Forefront protection. Noncompliance with the FCS SHA does not necessarily mean that the computer has a virus or some other active threat, but that the FCS configuration is either incorrect or not up-to-date as defined in the health policy. The FCS SHA can restart services on noncompliant NAP clients, automatically update configuration settings, and install software updates if required.

For more information about the FCS SHA, see the Microsoft Forefront Integration Kit for Network Access Protection.

Joe Davies
Senior Program Manager

This posting is provided "AS IS" with no warranties, and confers no rights.