Five NAC-like endpoint settings enforced with group policy

Complexity and cost may keep you from investing in NAC. Fear not: endpoint integrity enforcement, for example, can be achieved through directory group policies.

For most people, one of the features synonymous with network access control (NAC) is the concept of endpoint integrity. Endpoint integrity is the evaluation of a connecting endpoint (such as a laptop, desktop, or mobile device) against an organization's policy of allowed security postures to determine whether it should be granted full access, limited access, or no access.

Common integrity checks may look for signs of direct security threats, such as vulnerabilities to viruses and malware, as well as an endpoint status that may indirectly affect security by compromising the integrity of the overall infrastructure: running unapproved applications or accessing online resources that are below an accepted level of integrity.

Due to the complexity and cost of most current NAC solutions, many organizations have sought to implement the features of NAC through other means. Endpoint integrity enforcement is no exception. One of the simplest alternatives has been enforcement of policy compliance through directory group policies. In many cases, group policies are a first step for IT departments working toward an NAC or NAP solution.

The use of directory services is ubiquitous in organizations of all sizes, from the largest enterprises down to the small business and midmarket segments. While granular enforcement of endpoint postures may require a little research and know-how, this solution rarely requires any additional products or licenses.

To determine the technical practicality of using group policies as a means of endpoint integrity enforcement in lieu of NAC, it makes sense to first consider the checks and tests most organizations are seeking when looking at NAC. The top five desired endpoint integrity checks for most security and network administrators include:

  1. Operating system(s) allowed: Verifying the operating system installed on managed endpoints allows network administrators to contain the footprint of vulnerabilities and ensure systems with known issues are kept off the production network.
  2. Minimum operating system patch level allowed: Enforcing minimum patch levels for operating systems and key applications is critical in the enterprise as zero-day exploits in popular office applications (including Microsoft Office, Adobe and others) continue to grow.
  3. Browser configurations and security: One of the biggest threats to enterprises and midmarket organizations is the constant evolution of viruses and malware, delivered most often today through the browser. Protecting users from themselves by locking browser security settings won't guarantee your security, but it's a great start and often an effective addition to gateway protection.
  4. Client firewall configuration: In addition to browser configurations, controlling a client's host firewall settings can help protect against Trojans and malware containing back door access.
  5. Presence of antivirus and antimalware software: Traditional viruses have morphed into forms of malware with nastier payloads and expanded delivery methods. Keeping these definitions and signatures up to date on the client is still a key part of endpoint security.

Other frequently requested endpoint checks may include Automatic Update settings, locking of registry entries and software installation, third-party patches and network security postures. Although group policy settings cannot compete against the third-party support available in most agent-based NAC products, most or all of the checks identified as primary or critical by an administrator can be satisfied with these directory policies.
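One way to confirm on an endpoint that the five checks above actually hold once the policies are applied is a short local audit. This is an added example, not part of the original article; it assumes Windows 8/Server 2012 or later (for `Get-NetFirewallProfile`), a client OS (for the `root/SecurityCenter2` namespace), and the OS pattern, build number and patch-age threshold are constructed placeholders to be replaced from your written policy.

```powershell
# Added example: audit one Windows endpoint against the five integrity checks.
# Thresholds below are constructed placeholders, not values from the article.
$Policy = @{
    AllowedOsPattern = '^Microsoft Windows (10|11) '
    MinBuild         = 19045
    MaxPatchAgeDays  = 45
}

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$results = [ordered]@{}

# 1. Operating system(s) allowed
$results['OS allowed'] = $os.Caption -match $Policy.AllowedOsPattern

# 2. Minimum patch level: OS build plus age of the most recent installed hotfix
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn | Select-Object -Last 1
$fixIsRecent = $lastFix -and
    (((Get-Date) - $lastFix.InstalledOn).Days -le $Policy.MaxPatchAgeDays)
$results['Patch level'] = ([int]$os.BuildNumber -ge $Policy.MinBuild) -and $fixIsRecent

# 3. Browser security: the "Security Zones: Use only machine settings" policy
#    writes Security_HKLM_only = 1, so users cannot change zone settings.
$ieKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie    = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
$results['Browser zones locked'] = ($ie.Security_HKLM_only -eq 1)

# 4. Client firewall: every profile must be enabled in the effective policy
$fwOff = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' }
$results['Firewall enabled'] = -not $fwOff

# 5. Antivirus presence: a product registered with Windows Security Center.
#    Presence only; signature freshness is product-specific and not checked here.
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
    -ErrorAction SilentlyContinue
$results['Antivirus registered'] = [bool]$av

# One row per check, suitable for Export-Csv or a logon-script report
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Compliant = [bool]$_.Value }
}
```

Unlike a NAC product, this only reports posture; any access decision based on the result has to be made elsewhere.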

With advanced directory services such as Active Directory in the latest Microsoft Windows Server 2008 R2, the possibilities are limitless. Well, perhaps not limitless, but there are certainly enough options to overwhelm even the most seasoned professionals. All in all, group policies are a great place to start for any organization with specific endpoint security requirements. Just be sure your organization's IT policies for endpoint postures reflect the written organizational policies already in place.

Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. She specializes in areas of network security, NAC/NAP, 802.1X and wireless security, and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and lead SME in the cryptography domains of the official (ISC)2 CISSP courseware and maintains blog.
