Network Access Protection

Network Access Protection (NAP) is a Microsoft technology for controlling network access of a computer, based on its health. With NAP, system administrators of an organization can define policies for system health requirements.[1] Examples of system health requirements are whether the computer has the most recent operating system updates installed, whether the computer has the latest version of the anti-virus software signature, or whether the computer has a host-based firewall installed and enabled. Computers with a NAP client will have their health status evaluated upon establishing a network connection. NAP can restrict or deny network access to the computers that are not in compliance with the defined health requirements.

NAP was deprecated in Windows Server 2012 R2[2] and removed from Windows Server 2016.[3]

Overview

Network Access Protection Client Agent makes it possible for clients that support NAP to evaluate software updates for their statement of health.[4] NAP clients are computers that report their system health to a NAP enforcement point. A NAP enforcement point is a computer or device that can evaluate a NAP client’s health and optionally restrict network communications. NAP enforcement points can be IEEE 802.1X-capable switches or VPN servers, DHCP servers, or Health Registration Authorities (HRAs) that run Windows Server 2008 or later. The NAP health policy server is a computer running the Network Policy Server (NPS) service in Windows Server 2008 or later that stores health requirement policies and provides health evaluation for NAP clients. Health requirement policies are configured by administrators. They define criteria that clients must meet before they are allowed undeterred connection; these criteria may include the version of the operating system, a personal firewall, or an up-to-date antivirus program.

When a NAP-capable client computer contacts a NAP enforcement point, it submits its current health state. The NAP enforcement point sends the NAP client’s health state to the NAP health policy server for evaluation using the RADIUS protocol. The NAP health policy server can also act as a RADIUS-based authentication server for the NAP client.

The NAP health policy server can use a health requirement server to validate the health state of the NAP client or to determine the current version of software or updates that need to be installed on the NAP client. For example, a health requirement server might track the latest version of an antivirus signature file.

If the NAP enforcement point is an HRA, it obtains health certificates from a certification authority for NAP clients that are determined to be compliant with health requirements. If the NAP client is determined to be noncompliant with health requirements, it can optionally be placed on a restricted network. The restricted network is a logical subset of the intranet and contains resources that allow a noncompliant NAP client to correct its system health. Servers that contain system health components or updates are known as remediation servers. A noncompliant NAP client on the restricted network can access remediation servers and install the necessary components and updates. After remediation is complete, the NAP client can perform a new health evaluation in conjunction with a new request for network access or communication.

NAP client support

A NAP client ships with Windows Vista, Windows 7, Windows 8 and Windows 8.1 but not with Windows 10.[3] A limited NAP client is also included in Windows XP Service Pack 3. It has no MMC snap-in and does not support AuthIP-based IPsec enforcement. As such, it can only be managed via a command-line tool called netsh, and the IPsec enforcement is IKE-based only.[5][6]

Microsoft partners provide NAP clients for other operating systems such as Mac OS X and Linux.

See also

References

  1. ^ Network Access Protection
  2. ^ Features Removed or Deprecated in Windows Server 2012 R2
  3. ^ a b What's New in DHCP in Windows Server Technical Preview
  4. ^ "How to Enable the Network Access Protection Client Agent". technet.microsoft.com. Retrieved 2016-07-15.
  5. ^ Sigman, Jeff (8 November 2007). "XP NAP Rude Q and A". Network Access Protection (NAP) blog. Microsoft.
  6. ^ Sigman, Jeff (20 June 2007). "NAP demystified (hopefully)". Network Access Protection (NAP) blog. Microsoft.

External links

Administrative share

Administrative shares are hidden network shares created by Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled. Administrative shares cannot be accessed by users without administrative privileges.

Conficker

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

DirectAccess

DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 "Enterprise" edition clients. In 2010, Microsoft Forefront Unified Access Gateway (UAG) was released, which simplifies the deployment of DirectAccess for Windows 2008 R2, and includes additional components that make it easier to integrate without the need to deploy IPv6 on the network, and with a dedicated user interface for the configuration and monitoring. Some requirements and limitations that were part of the design of DirectAccess with Windows Server 2008 R2 and UAG have been changed (see requirements below). While DirectAccess is based on Microsoft technology, third-party solutions exist for accessing internal UNIX and Linux servers through DirectAccess. With Windows Server 2012, DirectAccess is fully integrated into the operating system, providing a user interface to configure and native IPv6 and IPv4 support.

IBM BigFix

IBM BigFix formerly IBM Endpoint Manager, Tivoli Endpoint Manager (TEM) and before that, BigFix, is a systems-management software product developed by IBM for managing large groups of computers running Windows, Mac OS X, VMware ESX, Linux or UNIX, as well as various mobile operating systems such as Windows Phone, Symbian, iOS and Android. IBM BigFix provides system administrators with remote control, patch management, software distribution, operating system deployment, network access protection and hardware and software inventory functionality.

Intel vPro

Intel vPro technology is an umbrella marketing term used by Intel for a large collection of computer hardware technologies, including Hyperthreading, Turbo Boost 3.0, VT-x, VT-d, Trusted Execution Technology (TXT), and Intel Active Management Technology (AMT). When the vPro brand was launched (circa 2007), it was identified primarily with AMT, thus some journalists still consider AMT to be the essence of vPro.

Internet Authentication Service

Internet Authentication Service (IAS) is a component of Windows Server operating systems that provides centralized user authentication, authorization and accounting.

List of Microsoft Windows components

The following is a list of Microsoft Windows components.

Microsoft System Center Configuration Manager

Microsoft System Center Configuration Manager (SCCM, also known as ConfigMgr), formerly Systems Management Server (SMS) is a systems management software product developed by Microsoft for managing large groups of computers running Windows NT, Windows Embedded, macOS (OS X), Linux or UNIX, as well as Windows Phone, Symbian, iOS and Android mobile operating systems. Configuration Manager provides remote control, patch management, software distribution, operating system deployment, network access protection and hardware and software inventory.

Network Access Control

Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.

Network Policy Server

Network Policy and Access Services (NPAS) is a component of Windows Server 2008. It replaces the Internet Authentication Service (IAS) from Windows Server 2003. NPAS helps you safeguard the health and security of a network. The NPAS server role includes Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP). In Windows Server 2003, IAS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server. In Windows Server operating systems later than Windows Server 2003, IAS is renamed to NPS.

Routing and Remote Access Service

Routing and Remote Access Service (RRAS) is a Microsoft API and server software that makes it possible to create applications to administer the routing and remote access service capabilities of the operating system, to function as a network router. Developers can also use RRAS to implement routing protocols. The RRAS server functionality follows and builds upon the Remote Access Service (RAS) in Windows NT 4.0. RRAS was introduced with Windows 2000 and offered as a download for Windows NT 4.0.

Multiprotocol router - The computer running RRAS can route IP, IPX, and AppleTalk simultaneously. All routable protocols are configured from the same administrative utility. RRAS included two unicast routing protocols, Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) as well as IGMP routing and forwarding features for IP multicasting.

Demand-dial router - IP and IPX can be routed over on-demand or persistent WAN links such as analog phone lines or ISDN, or over VPN connections.

Remote access server - provides remote access connectivity to dial-up or VPN remote access clients that use IP, IPX, AppleTalk, or NetBEUI.Routing services and remote access services used to work separately. Point-to-Point Protocol (PPP), the protocol suite commonly used to negotiate point-to-point connections, has allowed them to be combined.

RRAS can be used to create client applications. These applications display RAS common dialog boxes, manage remote access connections and devices, and manipulate phone-book entries.

Security and Maintenance

Security and Maintenance (formerly known as Action Center, and Security Center in earlier versions) is a component of the Windows NT family of operating systems that monitors the security and maintenance status of the computer. Its monitoring criteria includes optimal operation of antivirus software, personal firewall, as well as the working status of Backup and Restore, Network Access Protection (NAP), User Account Control (UAC), Windows Error Reporting (WER), and Windows Update. It notifies the user of any problem with the monitored criteria, such as when an antivirus program is not up-to-date or is offline.

Security and safety features new to Windows Vista

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

Beginning in early 2002 with Microsoft's announcement of its Trustworthy Computing initiative, a great deal of work has gone into making Windows Vista a more secure operating system than its predecessors. Internally, Microsoft adopted a "Security Development Lifecycle" with the underlying ethos of "Secure by design, secure by default, secure in deployment". New code for Windows Vista was developed with the SDL methodology, and all existing code was reviewed and refactored to improve security.

Some specific areas where Windows Vista introduces new security and safety mechanisms include User Account Control, parental controls, Network Access Protection, a built-in anti-malware tool, and new digital content protection mechanisms.

Windows IoT

Windows IoT, formerly Windows Embedded, is a family of operating systems from Microsoft designed for use in embedded systems. Microsoft currently has three different subfamilies of operating systems for embedded devices targeting a wide market, ranging from small-footprint, real-time devices to point of sale (POS) devices like kiosks. Windows Embedded operating systems are available to original equipment manufacturers (OEMs), who make it available to end users preloaded with their hardware, in addition to volume license customers in some cases.

In April 2018, Microsoft released Azure Sphere, another operating system designed for IoT applications running on the Linux kernel.

Windows Server 2008

Windows Server 2008 is a server operating system produced by Microsoft. It was released to manufacturing on February 4, 2008, and reached general availability on February 27, 2008. It is the successor of Windows Server 2003, released nearly five years earlier.

Windows Server 2016

Windows Server 2016 is a server operating system developed by Microsoft as part of the Windows NT family of operating systems, developed concurrently with Windows 10. The first early preview version (Technical Preview) became available on October 1, 2014 together with the first technical preview of System Center. Windows Server 2016 was released on September 26, 2016 at Microsoft's Ignite conference and became generally available on October 12, 2016. It has two successors: Windows Server 2019, and the Windows Server Semi-Annual Channel, which excludes the graphical user interface and many older components.

Windows Vista networking technologies

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack,

to improve on the previous stack in several ways.

The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

Zero-day (computing)

A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

In the jargon of computer security, "Day Zero" is the day on which the interested party (presumably the vendor of the targeted system) learns of the vulnerability. Up until that day, the vulnerability is known as a zero-day vulnerability. Similarly, an exploitable bug that has been known for thirty days would be called a 30-day vulnerability. Once the vendor learns of the vulnerability, the vendor will usually create patches or advise workarounds to mitigate it.The fewer the days since Day Zero, the higher the chance no fix or mitigation has been developed. Even after a fix is developed, the fewer the days since Day Zero, the higher is the probability that an attack against the afflicted software will be successful, because not every user of that software will have applied the fix. For zero-day exploits, the probability that a user has patched their bugs is zero, so the exploit should always succeed. Zero-day attacks are a severe threat.

Management
tools
Apps
Shell
Services
File systems
Server
Architecture
Security
Compatibility
API
Games
Discontinued
Spun off to
Microsoft Store

This page is based on a Wikipedia article written by authors (here).
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.