My review of Information Week’s “Rolling Review: Microsoft NAP”
Greetings, keepers of the NAP flame!
On August 2, Information Week published an article titled “Rolling Review: Microsoft NAP.” I would like to comment on it on behalf of the NAP product team and add technical clarity where I can.
1. Opening paragraph:
“it's to Microsoft (NSDQ: MSFT)'s credit that early on the company moved away from trying to develop a proprietary system. Instead, it built a framework; developed a set of APIs for third-party integration; and, most important, aligned itself with the most widely accepted standards body in the NAC space, the Trusted Computing Group.”
We heartily agree with this statement. We decided to create NAP as a platform in conjunction with industry standards, rather than provide a proprietary solution that attempts to address every kind of system health check and every kind of enforcement method.
2. 4th paragraph
“the Cisco NAC agent provides the administrator with the ability to scan for specific registry keys or other system values, and make policy decisions based on those values. The NAP agent does not.”
The built-in Windows Security Health Agent (WSHA) does not provide these abilities. The NAP Agent service running on a NAP client can host multiple system health agents (SHAs) and third-party vendors can supply additional SHAs to extend the set of health checks. The more accurate statement for the last sentence in this quote is: “The NAP agent with the built-in WSHA does not.”
3. Explanation of DHCP enforcement
“Clients that fail a health check are provided with an IP address and subnet mask, but no default gateway. However, these clients are provided with host routes to remediation servers, where updates can be downloaded and installed automatically or manually.”
Clients that fail system health evaluation are allocated an IPv4 address with a subnet mask of 255.255.255.255, which means that they will not be able to reach other locations on their subnet.
Whether updates are downloaded and installed automatically or manually is a function of the SHAs and related system software that is running on the NAP client. With the correct logic within the SHA and access to remediation servers, SHAs can automatically install and configure components and updates.
4. Explanation of IPsec enforcement
“If a system that lacks a valid health certificate tries to connect to a network that requires one for access, the connection will be dropped.”
IPsec enforcement is combination of health certificates and IPsec policy that requires protected communication with health certificates for authentication. The enforcement is done end-to-end between two communicating nodes, rather than at a connection point to the network.
5. Explanation of VPN enforcement
“VPN enforcement is most easily achieved through the use of Microsoft's Routing and Remote Access server, but third-party VPNs can be made to work with NAP.”
The exact details and requirements for using a third-party VPN server or concentrator with NAP and the VPN enforcement method is something that I am investigating. I will publish the results in a future NAP blog post.
6. Explanation of 802.1X enforcement
“When a system attempts to log on, the NAP client packages its Statement of Health and logon credentials into an EAP authentication request.”
Actually, there are separate EAP authentication methods and message exchanges for authentication and the passing of system health information.
7. Factors for system health
“Out of the box, you can check for the status of Windows firewall and antivirus/anti-spyware software, as well as Windows Updates and the update policy.”
The built-in WSHA monitors the services and components of the Windows Security Center (WSC), which provides system health checks for the following:
· Whether a host-based firewall that is registered with the WSC is enabled. This includes the built-in Windows Firewall and third-party firewall products.
· Whether an antivirus application that is registered with WSC is enabled and up to date. This includes third-party antivirus products.
· Whether an antispyware application that is registered with WSC is enabled and up to date. This includes the built-in Windows Defender for Windows Vista and third-party antispyware products.
· Whether automatic updating is enabled.
· Whether security updates of a specified level have been installed, the time interval within which the client must check for new security updates, and the sources of the updates (Windows Update or Windows Server Update Services).
8. How strict your policies are
“Microsoft recommends a phased implementation where NAP is initially deployed in a reporting-only mode. Once you're comfortable that enforcing health standards won't grind business to a halt, you can move gradually to an auto-remediated enforcement policy.”
NAP can be used to determine the overall system health compliance of your network (reporting mode) and to enforce system health requirements by restricting the access of noncompliant computers (full enforcement mode). Depending on the needs of your organization, either of these modes are acceptable destinations for a NAP deployment. Additionally, autoremediation can be enabled for either deployment mode.
9. The “Two Microsoft NAP Deployment Scenarios” figure
Two points of technical clarification:
· For DHCP enforcement, the NAP client requests an IPv4 address, not access. Therefore, the labels on the arrows between the NAP client and the DHCP server should be “Address requested” and “Address granted.”
· The interaction between NPS and Active Directory for DHCP enforcement is only to verify security group membership. For 802.1X enforcement, NPS uses Active Directory to also validate the credentials of the 802.1X client.
10. “Out for a Spin” section
A. “That's because DHCP in Windows 2008 is NAP-aware and includes the additional user classes and scope options necessary to dynamically black-hole clients that fail health checks.”
I would replace the term “black hole” with “restrict the access of”. The term “black hole” in my mind implies no access, whereas typical NAP deployments contain remediation servers that noncompliant clients must access to correct their system health.
B. “Only Windows XP SP3 and Vista have built-in NAP clients”
Windows Server 2008 also has a built-in NAP client, although it does not include the WSHA.
C. “we had to configure a group policy to get clients to start up the service automatically and participate in DHCP enforcement.”
The location of the Group Policy setting to automatically start the NAP Agent service is Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent.
D. “To our surprise, these non-NAP-capable PCs were quarantined, as though they had failed a health check.”
This behavior is based on the default settings of the Define NAP Health Policy page of the Configure NAP wizard. To prevent non-NAP capable computers from having their access limited, select Allow full network access to NAP-ineligible client computers on the Define NAP Health Policy page.
11. Bottom line paragraph
A. “NAP is a great value for organizations that have yet to invest in NAC”
We agree! :> NAP deployments require NAP infrastructure servers that are running Windows Server 2008 and client computers running a version of Windows that includes a NAP client. For most organizations, this means upgrading your user computers to Windows Vista or Windows XP with Service Pack 3.
B. “Microsoft Network Access Protection is difficult to configure, even for simple enforcement methods.”
The areas of configuration for NAP consist of the following:
· NAP clients: Specific NAP enforcement clients must be enabled and, in the case of Windows XP with SP3, the NAP Agent service must be configured to start automatically. Both of these elements of configuration can be done with Group Policy or a script.
· NAP enforcement points: Depending on the NAP enforcement method, you must enable and configure NAP or restricted access functionality.
· NAP health policy servers: The set of policies for a given enforcement method can be automatically created with the Configure NAP wizard in the Network Policy Server snap-in.
Although we respectfully disagree with their blanket statement about NAP configuration, especially relative to other NAC solutions in the marketplace, we agree that there is room for improvement to investigate in future updates for NAP.
C. “We'd like to see a more intuitive auto-install process for an antivirus or anti-spyware client as part of the auto-remediation process”
As described previously, automatic installation of system health software is a function of the SHA, not the NAP platform. The WSHA does not perform this function, but third-party SHAs can.
Joe Davies
Senior Program Manager