Network Access Protection

Viruses and malware are often stopped by software defenses that run on the desktop; in fact, the antivirus, antispyware, and other security suite software business has rapidly become a very lucrative industry. As useful as those protections are, however, the best solution would be for such threats never to get a chance to reach the network in the first place—like the old saying goes, "The quickest way out of something is to never have been in it."

In Windows Server 2008, there is a technology that allows computers to be examined against a baseline set by an administrator, and if a machine doesn't stack up in any way against that baseline, the system can be prevented from accessing the network—quarantined, as it were, from the healthy systems until the user fixes his broken machine. This functionality is called Network Access Protection (NAP).

You might know of NAP's predecessor, Network Access Quarantine Control, or NAQC. It debuted in Windows Server 2003 as a more limited form of quarantine protection. NAQC is limited to protecting your corporate network against remote users: it prevents unhindered access to a network for a remote user until after his computer has been verified as meeting certain baselines set by a network administrator.

Under NAQC, when a client establishes a connection to a remote network's endpoint, the client will receive an IP address, but Internet Authentication Service establishes a quarantine mode that is lifted only after health verification is complete. ...
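The baseline-and-quarantine decision described above, as an added example that is not code from the book or from Windows: a simplified model in which a constructed health report is compared against a hypothetical administrator baseline, and any failed check results in quarantine until the client is remediated and re-evaluated. The check names, thresholds and dates are assumptions, not NAP's actual statement-of-health format.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed baseline (hypothetical values): what an administrator might
# require before a client is allowed full network access.
BASELINE = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "max_signature_age_days": 7,
    "auto_update_enabled": True,
    "max_missing_critical_updates": 0,
}

@dataclass
class HealthReport:
    """Simplified stand-in for a client's statement of health (constructed)."""
    host: str
    firewall_enabled: bool
    antivirus_enabled: bool
    signature_date: str          # ISO date of the newest antivirus signatures
    auto_update_enabled: bool
    missing_critical_updates: int

@dataclass
class Decision:
    host: str
    compliant: bool
    failures: list = field(default_factory=list)

def evaluate(report, baseline=BASELINE, today="2008-03-01"):
    """Compare one report to the baseline; any failed check means quarantine."""
    failures = []
    if baseline["firewall_enabled"] and not report.firewall_enabled:
        failures.append("host firewall is disabled")
    if baseline["antivirus_enabled"] and not report.antivirus_enabled:
        failures.append("antivirus is disabled")
    age = (date.fromisoformat(today) - date.fromisoformat(report.signature_date)).days
    if age > baseline["max_signature_age_days"]:
        failures.append(f"antivirus signatures are {age} days old")
    if baseline["auto_update_enabled"] and not report.auto_update_enabled:
        failures.append("automatic updates are disabled")
    if report.missing_critical_updates > baseline["max_missing_critical_updates"]:
        failures.append(f"{report.missing_critical_updates} critical update(s) missing")
    return Decision(report.host, not failures, failures)

def network_access(decision):
    """Map the decision to the access level the client is granted."""
    return "full" if decision.compliant else "quarantine"
```

Re-running evaluate() on a remediated report is what lifts the quarantine: access is a function of the current health state, not of an earlier verdict.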

Excerpt from Windows Server 2008: The Definitive Guide (O’Reilly).