To determine a policy strategy for Network Access Protection with Configuration Manager 2007, a number of people must collaborate to decide on objectives, requirements, and processes. This will likely involve the Configuration Manager administrator, the Network Policy Server administrator, and representatives from the security team, the infrastructure team, and possibly the help desk.
Configuring Network Access Protection policies for Configuration Manager requires the configuration of two sets of policies: the Network Access Protection policies defined in Configuration Manager; and Network Access Protection policies defined on the Network Policy Server:
- The Network Access Protection policies in
Configuration Manager determine which software updates computers
must have by a defined date. As a result of these, Configuration
Manager passes to the Network Policy Server the computer's health
state, and if necessary a list of servers required for
- The Network Access Protection policies on the
Network Policy Server determine whether clients have full network
access or restricted network access, and whether non-compliant
computers are remediated. The decision is based on the computer's
health state received from Configuration Manager. Policies on the
Network Policy Server can be configured as follows:
- NAP-capable clients that are compliant have
full network access.
- NAP-capable clients that are non-compliant
have restricted network access until remediated.
- NAP-capable clients that are non-compliant
have full network access for a limited time and are immediately
- NAP-ineligible clients have full network
- NAP-ineligible clients have restricted
network access but will not be remediated.
- All error conditions, by default, result in
computers having restricted access (with remediation if supported
by the client), but they can be configured for full network
- NAP-capable clients that are compliant have full network access.
|If health policies are not enforced in the network policy on the Network Policy Server, Network Access Protection in Configuration Manager cannot remediate non-compliant computers. Compliance in this case can be achieved through the defined Configuration Manager software updates functionality. If health policies are enforced in the network policy on the Network Policy Server, Network Access Protection in Configuration Manager always attempts to remediate non-compliant computers, even if the option to auto-remediate non-compliant computers is not enabled in the network policy.|
When you have decided on the policy strategy for your network, you should configure connection request policies, health policies, and network policies. The network policies should include settings for the following:
- Computers that are NAP capable and compliant.
- Computers that are NAP capable and non-compliant.
- Computers that are NAP ineligible and therefore you cannot tell
if they are compliant or non-compliant.
Typically, these policies are configured as follows:
- Compliant computers have full network access.
- Non-compliant computers have either limited network access and
are remediated, and then have full network access; or they have
full network access for a limited time, and they are immediately
remediated on the unrestricted network.
- NAP-ineligible computers have full network access. However, in
a high-security environment where the health status of these
computers cannot be assessed, it might be appropriate for them to
have restricted network access although they cannot be remediated
and therefore will never be able to access the full network.
When you have decided on how the majority of computers will work with Network Access Protection, you can then plan more detailed policies for specific conditions. For example, you might have the following exceptions and exemptions:
- Specified people will never have restricted
- Standard networked computers will have full
network access for a limited time if non-compliant, whereas home
computers will have limited access if non-compliant.
- During the hours that a local helpdesk is not
available, non-compliant computers will have full network access
for a limited time rather than limited access.
- Specified machines will be exempt from health
policies. As an example, this exemption is appropriate if the
Configuration Manager client must not be installed on selected
Implementing policies for exceptions and exemptions is achieved through policy conditions and ordering. The first policy that matches a connecting computer will be used, which means you usually need to order the more specific policies (the exceptions) before the general policies. If you need policy exemptions for people or computers, create the necessary Microsoft Windows groups to be selected from the Network Policy Server.
|If you have NAP-capable computers in Configuration Manager site that is enabled for Network Access Protection but they do not have the Configuration Manager client installed, you must have either exemption policies for these computers that do not reference the Configuration Manager System Health Validator or a means by which computers on the restricted network can install the Configuration Manager client (for example, by providing an installation link on the troubleshooting Web site as part of the user experience).|
ConceptsConfiguring Connection Request Policies for Configuration Manager Network Access Protection
Configuring Network Policies for Configuration Manager Network Access Protection
Configuring Failure Categories for Configuration Manager Network Access Protection
Configuring Health Policies for Configuration Manager Network Access Protection
Configuring Remediation Server Groups for Configuration Manager Network Access Protection
Configuring the Remediation User Experience for Configuration Manager Network Access Protection