The biggest challenge for any network admin is to identify and restrict machines not complying with security standards from entering the network. To meet this challenge, most organizations either ban unauthorized machines from accessing the network or allow them in only after a process of manual screening. But both these options seem unrealistic, in that the first can cause loss of productivity and the second would consume a hell of a lot of administrative time. So, to solve such issues, Windows Server 2008 is coming up with NAP, or Network Access Protection. Here the complete process of screening the machines entering the network is automated and driven by customizable policies. The machine is granted access to the network if and only if it passes all the screening tests. These tests can include a check for Firewall status (on or off), Antivirus status (installed and updated or not), Windows Updates (on or off), Phishing Filter (on or off), etc.

Not only screening, but a NAP server along with a remediation server can even go ahead and turn the settings on or off depending on the policies before letting the machine enter the network. So, for example, if your laptop's Firewall is disabled and you try entering a network protected by NAP, it will automatically enable the firewall before letting it enter the network. In this article we will see how to install NAP and ensure that no machine without Firewall, Antivirus, and Anti-phishing enters the network.

Pre-requisites
Of course the first thing which you will require is a machine running Windows Server 2008 Beta, 32- or 64-bit version. Next is a client with either Windows XP SP3 Beta or Windows Vista. This is because NAP requires an agent called the SVA or Security Validation Agent to be installed on the client machines, and this agent is only available with either Windows XP SP3 Beta or Vista. Microsoft is also planning to release some agents for non-Microsoft OSs, but they are still in the pipeline. So till then live with Windows XP SP3 or Windows Vista.

Once you are done with the pre-requisites, the installation is actually very simple. All you have to do is go to 'Server Manager' -> Roles -> Add Roles. A new wizard appears. Here select the Network Policy and Access Services and follow the wizard till it asks you for Role Services. Now select all the available services and continue. Once you proceed you'll see a new window which asks you to provide a Certification Authority. Select the first option, 'Install a local CA to issue health certificates for the HRA server.' Proceed till it asks you to choose a Server Authentication Certificate for SSL Encryption. Now select the second option, 'Create a self-signed certificate for SSL encryption', and proceed. Click on Next till the wizard finishes and starts the instal-

Configuring DHCP
You can configure NAP at different protocol levels. For instance, it can work with VPN, Dial-in Connection, DHCP, Terminal Server Gateways, etc., but here we are going to use it via DHCP. We configure a DHCP server, which has NAP capability, and a NAP server to validate the requests coming to the DHCP server and allow the DHCP server to give IPs to only those machines which pass the NAP policies. For this, configure the DHCP server on a machine which supports NAP. Of course the best option would be to install it on the same machine where the NAP server is running. So first install the DHCP role from the 'Server Management' interface. The installation is very simple. Just select the DHCP role and keep clicking the Next option till the installation ends.

Once done, from the Administrative Tools open the DHCP MMC and create a new scope for your network. We are not covering the configuration of DHCP here as we presume our readers would know how to do so. After the required changes, right click on the Scope and click on the property option. A new window pops up. Now go to the Network Access Protection tab and click on the radio buttons 'Enable for this scope' and 'Use default Network Access Protection profile' under Network Access Protection Settings. Apply the changes and restart your DHCP server.

Configuring NAP
Now comes the most important part. For configuring NAP, open Administrative Tools and click the 'Network Policy Server' option. From the left pane of the new window, click the NPS (local) option. At the center of the window is a drop-down menu called 'Select a Configuration Scenario'; here select the Network Access Protection (NAP) option. Now click on the option 'Configure NAP,' just below the drop-down menu. At the first page of the new wizard, expand the drop-down menu, select DHCP and press Next. Keep pressing Next with the default values until the wizard ends. Once done, your NAP policies for the DHCP server are ready.

The only thing you have to do is to set the System Health Validator settings. Essentially, here you need to define the reasons for the machines to be either granted access or denied to join the network. To configure it, click and expand the NAP option at the left pane of the window. Now click on the System Health Validator option. Double click on the Windows System Health Validator option at the center top of the window. A new window appears. Next, click on the Configure option. In the next window you see two tabs: one for configuring the SHV settings of Windows XP and the other for Windows Vista. From here you can select and define the cases in which the SHV will deny or grant access to the machines joining the network. So, for instance, if you select the checkbox which says 'A firewall is enabled for all network connections' then only those machines with a firewall enabled will get access to the network. The same is applicable for Virus Protection, Spyware Protection, and Updates. Once you select the desired settings, close this window and your NAP is ready to be used.
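
To make the admission logic described above concrete, here is a small model of the decision a NAP-enabled DHCP server makes for each client. It is an added example, not Microsoft code and not part of the original article; the check names, the `TOGGLEABLE` set and the sample clients are constructed for illustration, and the rule that remediation can only switch settings on (not install software) is an assumption of the model.

```python
from dataclasses import dataclass

# Check names are hypothetical labels for the SHV options the article lists.
# Assumption: remediation can flip on/off settings but cannot install software.
TOGGLEABLE = {"firewall_on", "auto_updates_on", "phishing_filter_on"}

# Policy in the spirit of the article's goal: firewall and antivirus required.
POLICY = {"firewall_on", "antivirus_installed", "antivirus_up_to_date"}

@dataclass
class Client:
    name: str
    health: dict  # constructed health report: check name -> bool

def failed_checks(health, policy):
    """Required checks the client fails; a check it never reported counts as failed."""
    return sorted(c for c in policy if not health.get(c, False))

def admit(client, policy, auto_remediate=True):
    """Full access only if every required check passes, else restricted access."""
    failed = failed_checks(client.health, policy)
    fixed = []
    if auto_remediate:
        for check in failed:
            if check in TOGGLEABLE:
                client.health[check] = True   # e.g. the firewall gets enabled
                fixed.append(check)
        failed = failed_checks(client.health, policy)  # re-validate after fixes
    return {
        "client": client.name,
        "access": "full" if not failed else "restricted",
        "remediated": fixed,
        "still_failing": failed,
    }

def demo():
    """Three constructed laptops covering the pass, fail and no-remediation cases."""
    a = Client("laptop-a", {"firewall_on": False, "antivirus_installed": True,
                            "antivirus_up_to_date": True})
    b = Client("laptop-b", {"firewall_on": True, "antivirus_installed": False})
    c = Client("laptop-c", {"firewall_on": False, "antivirus_installed": True,
                            "antivirus_up_to_date": True})
    return [admit(a, POLICY), admit(b, POLICY),
            admit(c, POLICY, auto_remediate=False)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second laptop stays restricted even with remediation on, because a missing antivirus is not something a settings toggle can fix; that is the case to plan a remediation server for.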