9.4. The Purpose of Microsoft NAP

Unmanaged home computers that are not members of the company's Active Directory Domain Services domain can still connect to a managed company network through a VPN connection. Unmanaged home computers pose an additional challenge because administrators have no physical access to them, and that lack of physical access makes enforcing compliance with health requirements (such as the use of antivirus software) even more difficult. With NAP, however, network administrators can verify the health state of a home computer every time it makes a VPN connection to the company network and limit its access to a restricted network until the system health requirements are met.

The purpose of Microsoft NAP is virtually identical to that of Cisco Clean Access and the Cisco NAC Framework. It protects the corporate LAN from devices whose security posture is deficient. Microsoft describes NAP as follows:

With Network Access Protection, you can create customized health policies to validate computer health before allowing access or communication, to automatically update compliant computers to ensure ongoing compliance, and, optionally, to confine noncompliant computers to a restricted network until they become compliant.

Based on the technical solution as described in this chapter, let's now compare how the solution stands up to the various types of users who may be accessing the network.

9.4.1. Unauthorized Users

As with any LAN-based NAC/NAP ...
