Network Access Protection Security Best Practices

Do not rely on NAP to secure a network from malicious users Network Access Protection is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer has all of the software updates required by the Microsoft System Center Configuration Manager 2007 NAP policy, the computer is considered compliant, and it will be granted the appropriate access to the network. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or disabling the NAP agent.

Use consistent NAP policies throughout the site hierarchy to minimize confusion Misconfiguring NAP policy could result in clients accessing the network when they should be restricted or valid clients being erroneously restricted. The more complicated your NAP policy design, the higher the risk of misconfiguration. Configure the Configuration Manager 2007 NAP client agent and Configuration Manager 2007 System Health Validator points to use the same settings throughout the hierarchy, or through additional hierarchies in the organization if clients might roam between them.

Important
If a Configuration Manager client with the Network Access Protection client agent enabled roams into a different Configuration Manager hierarchy and has its client statement of health validated by a System Health Validator point from outside its hierarchy, the validation process will fail the site check. This will result in a client health state of unknown, which by default is configured on the Network Policy Server as non-compliant. If the Network Policy Server has network policies configured for limited network access, these clients cannot be remediated and risk being unable to access the full network. An exemption policy on the Network Policy Server could give Configuration Manager clients that roam outside their Configuration Manager hierarchy unrestricted network access.

Important

If a Configuration Manager client with the Network Access Protection client agent enabled roams into a different Configuration Manager hierarchy and has its client statement of health validated by a System Health Validator point from outside its hierarchy, the validation process will fail the site check. This will result in a client health state of unknown, which by default is configured on the Network Policy Server as non-compliant. If the Network Policy Server has network policies configured for limited network access, these clients cannot be remediated and risk being unable to access the full network. An exemption policy on the Network Policy Server could give Configuration Manager clients that roam outside their Configuration Manager hierarchy unrestricted network access.

Do not enable the Network Access Protection client agent immediately on new Configuration Manager sites Although the site servers publish the Configuration Manager health state reference to a domain controller when Configuration Manager NAP policies are modified, this new data might not be immediately available for retrieval by the System Health Validator point until Active Directory replication has completed. If you enable the Network Access Protection client agent before replication has completed, and if your Windows Network Policy Server will give non-compliant clients limited network access, you can potentially cause a denial of service attack against yourself.

Do not rely on NAP as an instantaneous or real-time enforcement mechanism There are inherent delays in the NAP enforcement mechanism. While NAP helps keep computers compliant over the long run, typical enforcement delays may be on the order of several hours or more due to a variety of factors, including the settings of various configuration parameters.

See Also

Other Resources