Would it be interesting to use NAP to secure branch servers?

My focus today is to write most of the content for my sessions on our upcoming TechNet Server Launch tour which is visiting cinemas in five cities across the UK in April and May. I'm co-presenting a session with Viral titled "How to overcome the challenges of small offices and branch offices" and can't help wondering whether customers are likely to consider using Network Access Protection for their branch servers.

Many customers are excitied about using NAP to reduce the risk posed by laptops being out of security policy compliance. I haven't heard of anyone planning to use NAP for branch office servers. I'm thinking out loud here but I can see that it may make sense to do so. NAP is great for managed machines that may fail to meet aspects of corporate policy due to them being offline when security updates and/or configuration changes are issued.

Note: NAP is also good for making routing decisions such as "should I allow limited network access" for unmanaged resources such as employees home machines.

There are often good reasons why managed laptops fall out of compliance due to staff holidays and transient network connectivity. We advocate managing machines using Group Policy objects and grouping machines (via Organisational Units) into those of similar business function. In an ideal World branch servers would have reliable network connections and hence should theoretically always be in compliance. A decision needs to be made by the security team at each customer whether the added complexity of implementing NAP @ the branches warrants the risk of machines being out of compliance.

I'll put some more thought into this and in the meantime would love to hear your views.


Comments (0)

Skip to main content