
Tradeoffs and advantages of network access control with Microsoft NAP

Microsoft NAP's endpoint security policy compliance checks and integration with third-party security products make it an attractive option over traditional network access control solutions.

The constant development of built-in network access control solutions, such as Microsoft NAP, has created a lot of confusion about the functions, features and implementation options available to organizations. Much of the information floating around is outdated and therefore incorrect. Let's take a quick look at the current state and future roadmap of Microsoft NAP and answer a few questions: Is NAP easy to implement? How does it compare to other NAC solutions? What options are available for non-Microsoft devices?


Contrary to popular thought, Microsoft NAP is not designed to manage only Microsoft environments. Following through on its original promises, Microsoft was pretty quick to release NAP agents for both Linux and Mac platforms, making it a viable option for most organizations. Admittedly, since NAP is still early in its life, I'd recommend staying close to home when starting a rollout, and I wouldn't suggest getting too creative until you're comfortable with it in its native state.

Specifically in Microsoft environments, clients running Windows XP SP3 and later already ship with the NAP client, and servers running Windows Server 2008 R2 currently offer the widest set of management options. In general, the newer the platform, the more options are available for endpoint control.

Most organizations looking at NAC are interested in one of two things: 1) endpoint integrity (verifying the posture of the endpoints) or 2) port security (controlling Layer 2 or 3 access to the network at the edge). Although Microsoft NAP offers access enforcement options such as 802.1X comparable to most other NAC solutions, it wasn't designed to ease port security enforcement. The planning and integration on the infrastructure side is just as tedious with Microsoft NAP as with any NAC solution using port security features. Here's one place where traditional NAC products and Microsoft NAP are pretty equal in implementation.

If, on the other hand, an organization is most interested in endpoint integrity, then Microsoft NAP offers an option with much less cost and complexity than traditional NAC solutions. When implementing endpoint integrity rules, the most common policy checks include:

  • Verification of operating system versions and patch levels.
  • Verification of host firewall configurations.
  • Verification of the presence and signature status of antivirus or antimalware.
  • Verification of the presence of antispyware.
  • Restriction of access to specific applications.

While there are organizations with more specific needs, the majority are looking for only a handful of critical postures such as those listed above.

In its raw native state, Microsoft NAP includes built-in checks for security postures directly related to Microsoft components, such as a Microsoft operating system, Microsoft updates, Microsoft firewall, etc. In environments that are 100% Microsoft, these checks may be enough to verify basic corporate policy compliance for endpoints. In fact, Microsoft NAP native checks in combination with Active Directory Group Policies can deliver endpoint security similar to many traditional NAC solutions.

For organizations that are not all Microsoft, or that have specific needs outside of the built-in checks, the Microsoft NAP platform easily integrates third-party evaluations via support for additional system health agents on the client and system health validators on the server. Most of the technology vendors found on enterprise endpoints (Symantec, McAfee, Citrix, ConfigureSoft, Sophos, Intel, RSA, Shavlik, Kaspersky, LanDesk) already have Microsoft NAP APIs. Even more vendors are on board with the TCG's (Trusted Computing Group) TNC (Trusted Network Connect) framework for NAC and security communications, which Microsoft NAP also integrates with. Although third-party integration is not widely implemented yet, as the technology grows and adoption rates increase, integration will become a more familiar task, requiring just a few extra check boxes of configuration.

Based on experiences with this platform, I can say the Microsoft NAP agent is easy to manage on endpoints, and the Microsoft NPS (Network Policy Server) is pretty intuitive to use, especially for administrators familiar with creating RADIUS policies. Most organizations looking for endpoint integrity control generally allow grace periods for remediation, favoring network availability over immediate security by quarantine. In those environments, the statement of health checks available with Microsoft NAP (native or third party) can deliver an easy solution for endpoint health compliance without the added hassles of managing port security, policy servers and additional agents in traditional NAC products.
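To make the two ideas above concrete, the policy checks listed earlier (OS version and patch level, host firewall, antivirus and signature status, antispyware, restricted applications) and the grace period for remediation, here is an added example of a simplified system health validator with deferred enforcement. This is illustrative code written for this article, not Microsoft NAP's own SHV or NPS implementation; the field names, policy thresholds, build numbers and sample hosts are constructed assumptions chosen to mirror the checks the article describes.

```python
"""Constructed example: a simplified system health validator (SHV) with a
remediation grace period. Illustrative only, not Microsoft NAP/NPS code."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class StatementOfHealth:
    """Posture claims a client-side health agent would report (assumed fields)."""
    host: str
    os_build: int                 # assumed: 7601 stands in for Windows 7 SP1
    missing_critical_patches: int
    firewall_enabled: bool
    antivirus_enabled: bool
    antivirus_sig_age_days: int
    antispyware_enabled: bool
    running_apps: tuple           # process names observed on the endpoint


@dataclass(frozen=True)
class HealthPolicy:
    """Thresholds an administrator would set on the validator (assumed values)."""
    min_os_build: int = 7601
    max_missing_patches: int = 0
    max_sig_age_days: int = 7
    forbidden_apps: frozenset = frozenset({"p2pshare.exe"})
    grace_days: int = 3           # deferred-enforcement window before quarantine


def evaluate(soh: StatementOfHealth, policy: HealthPolicy) -> list[str]:
    """Return the names of the checks the endpoint fails (empty list = compliant)."""
    failures = []
    if soh.os_build < policy.min_os_build:
        failures.append("os-version")
    if soh.missing_critical_patches > policy.max_missing_patches:
        failures.append("patch-level")
    if not soh.firewall_enabled:
        failures.append("host-firewall")
    if not soh.antivirus_enabled or soh.antivirus_sig_age_days > policy.max_sig_age_days:
        failures.append("antivirus")
    if not soh.antispyware_enabled:
        failures.append("antispyware")
    blocked = sorted({a.lower() for a in soh.running_apps} & policy.forbidden_apps)
    if blocked:
        failures.append("application:" + ",".join(blocked))
    return failures


class EnforcementPoint:
    """Remembers when each host first failed so a grace period can be applied.

    Decisions returned:
      full-access            compliant
      full-access-remediate  non-compliant, but still inside the grace window
      restricted             non-compliant and the grace window has expired
    """

    def __init__(self, policy: HealthPolicy):
        self.policy = policy
        self.first_failure: dict[str, date] = {}

    def decide(self, soh: StatementOfHealth, today: date) -> tuple[str, list[str]]:
        failures = evaluate(soh, self.policy)
        if not failures:
            self.first_failure.pop(soh.host, None)   # remediated: reset the clock
            return "full-access", failures
        first = self.first_failure.setdefault(soh.host, today)
        if (today - first).days < self.policy.grace_days:
            return "full-access-remediate", failures
        return "restricted", failures


# Constructed sample endpoints (host names and values are made up)
HEALTHY = StatementOfHealth("ws-101", 7601, 0, True, True, 1, True, ("outlook.exe",))
STALE_AV = StatementOfHealth("ws-102", 7601, 0, True, True, 12, True, ("outlook.exe",))
NO_FIREWALL_P2P = StatementOfHealth("ws-103", 7600, 2, False, True, 0, True, ("P2PShare.exe",))


def demo() -> dict[str, str]:
    """Run the sample hosts through one validator across a five-day window."""
    ep = EnforcementPoint(HealthPolicy())
    day0 = date(2010, 6, 1)
    results = {}
    results["healthy"] = ep.decide(HEALTHY, day0)[0]
    results["stale_av_day0"] = ep.decide(STALE_AV, day0)[0]
    results["stale_av_day5"] = ep.decide(STALE_AV, day0 + timedelta(days=5))[0]
    results["p2p_day0"] = ep.decide(NO_FIREWALL_P2P, day0)[0]
    results["p2p_failures"] = ",".join(ep.decide(NO_FIREWALL_P2P, day0)[1])
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the `EnforcementPoint` class is the grace window: a host that fails a check keeps full access and is told to remediate, and only lands in the restricted network once the window has expired, which is the availability-first behaviour most organizations choose. Tightening `grace_days` to zero turns the same validator into an immediate-quarantine policy.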

Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. She specializes in network security, NAC/NAP, 802.1X and wireless security, and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and as lead SME in the cryptography domains, for the official (ISC)2 CISSP courseware, and maintains a blog.
