Topic last updated—May 2008
In a production environment, implementing Network Access Protection (NAP) will require interaction and collaboration with a number of different groups across the enterprise. For example, these groups might include the following:
- Active Directory Domain Services architects to designate which forest will be used to publish the NAP health state references, and extend the schema with Configuration Manager 2007 schema extensions.
- Active Directory Domain Services service administrators to extend the schema and configure the System Management container with required security permissions. The same administrators might also be involved in creating or identifying Windows security accounts or groups to be used when configuring the System Health Validator point and NAP policies.
- Infrastructure architects to design the network and server architecture that will be required to support Network Access Protection, including deciding which enforcement technologies will be used.
- Public key infrastructure (PKI) specialists to provide certificate services if you are using an IPsec enforcement solution with Network Access Protection.
- Windows Server administrators to build and configure the Network Policy Servers and supporting Windows
- Firewall administrators to make configuration changes on firewalls and network devices required to support Network Access Protection.
- Security advisors to help determine the criteria by which software updates are selected for NAP enforcement, the date by which they will be enforced, and whether non-compliant computers will be restricted until compliant.
- In-house Web designers to build a comprehensive troubleshooting Web site for computers that fail to remediate on the restricted network.
- Help Desk engineers who might receive calls from users who cannot get access to the network because their computers have restricted access, or when remediation fails.
- Configuration Manager software distribution administrators to upgrade clients running a supported version of Windows XP to Windows XP Service Pack 3 so that these clients can support Network Access Protection.
- Configuration Manager software updates administrators to configure software update points and create software update packages on distribution points.
- Configuration Manager administrators to configure System Health Validator points, configure the Network Access Protection client agent, and then configure and monitor Configuration Manager NAP policies.
- End users who will require training and notification about the Network Access Protection processes, and what to do if they encounter a problem.
Because a Network Access Protection solution involves so many roles, a successful implementation will depend on identifying who is responsible for the various roles and ensuring collaboration between groups when necessary. A successful ongoing implementation will depend on identifying and adhering to processes that coordinate the various functions between the roles.
Some of the consequences of not having and following defined processes when Network Access Protection is implemented in a production environment are as follows:
- The Help Desk is inundated with calls from users who are getting Network Access Protection messages and
- Productivity drops and deadlines are missed because users cannot access the network resources they need.
- Satisfaction levels for IT services drop and Service Level Agreements (SLAs) are not met.
- Non-compliant computers are incorrectly given full network access and put corporate resources at risk.
Use a methodology such as ITIL or Microsoft Operations Framework (http://go.microsoft.com/fwlink/?LinkId=88047) to help you implement Network Access Protection within a framework of defined processes. Make sure you document your design, testing procedures, the areas of responsibility, the processes to follow for configuring policies, remediation, and troubleshooting, and then disseminate this information, making sure that it is centrally available and updated.
Review existing company security policies and, if necessary, modify them to include the implementation of Network Access Protection. Company security policies often drive downstream processes to enforce policy compliance.
Role Separation in Configuration Manager
When you are determining the roles required for Network Access Protection in Configuration Manager, there is a potential overlap between software updates and Network Access Protection. These two roles can be combined or separated, depending on your business requirements. Typically, smaller organizations will combine the two roles, but some organizations will want to separate the roles. The Network Access Protection role in Configuration Manager might even be combined with other roles external to the product, such as Network Policy Server administrators or security administrators.
The role separation for software updates and Network Access Protection in Configuration Manager 2007 is supported by having a separate node for Network Access Protection in the Configuration Manager console. Use the Security tab on the properties of the Network Access Protection node to specify permissions to specific users or groups for tasks in Configuration Manager related to Network Access Protection. Then use the Security tab on the properties of the Software Updates node so that the Network Access Protection administrators do not have access to software updates. This configuration results in the following:
- Network Access Protection administrators can view the resulting Network Access Protection statistics in the Network Access Protection node.
- Network Access Protection administrators can create, view, modify, and delete NAP policies.
- Network Access Protection administrators cannot create, view, modify, or delete software update deployments, packages, or templates.
Because the Policies node also has its own Security tab, you can refine the permissions further to control which Network Access Protection administrators can view, create, modify, and delete NAP policies.
However, because you can configure a software update to be enabled for NAP evaluation in the Deploy Software Updates Wizard and as a property of a packaged update, you cannot prevent software update administrators from also configuring Configuration Manager NAP policies from within the Software Updates node.
If you are using role separation in Configuration Manager, you might also want to configure security so that Network Access Protection administrators have access to the Reporting node, so that they can run the reports in the Network Access Protection category.
An administrator who only manages Network Access Protection in Configuration Manager 2007 would not need access to the collections, because Configuration Manager NAP policies are automatically targeted to all clients that are assigned to the site.
For more information about the security rights for Network Access Protection in Configuration Manager, see Network Access Protection Security Rights.
Concepts
Administrator Workflow: Configure Network Access Protection for Configuration Manager
About NAP Health State References in Network Access Protection
About System Health Validator Points in Network Access Protection
About the Network Access Protection Process
Other Resources
Administrator Checklist: Configure Network Access Protection for Configuration Manager
Planning for Network Access Protection