
Network Access Protection with MSIT


After months of cajoling, Adam was finally able to convince Jeff Sigman from the NAP team and Brent Atkison from MSIT to sit still for 30 minutes to talk about why we created NAP, and how we went about deploying it worldwide at Microsoft.  Ah, who am I kidding.  Jeff's been asking me for months to put his blue anime hair up on Channel9.  Here you go Jeff.  Persistence pays off.
Network Access Protection is a new feature in Windows Server 2008 that allows you to enforce computer health requirements before allowing machines to communicate on the network.  It's the answer to the question "do I trust that this machine is patched and won't infect other machines on my network?"
These guys have done some pretty impressive stuff.  The NAP team worked with a list of partners as long as your arm to make sure NAP will play nicely with whatever switch hardware you've invested in.  Brent shares some impressive sizing guidelines for implementing NAP:  Microsoft turned reporting and deferred enforcement on 120,000 machines worldwide, using a very small number of servers.  Very small.  Less than 3.  Total help desk calls as a result?  Also a very small number.  Oh, and he did that deployment using beta builds of Longhorn Server 2008.

Follow the Discussion

  • If NAP prevents a non-healthy computer (i.e. one lacking Windows patches or an antivirus) from acquiring an IP address, then how is it able to acquire them conveniently?

    Or is it connected to another server exclusively dedicated to this function?
  • You can specify what to do with unhealthy machines.  Typically, you'd configure your network to put the machines on a remediation VLAN where they can only access a remediation server that pushes down any required patches, antivirus signatures, etc.
    You might also have a VLAN that has internet access only, so guests on your network that don't meet your criteria for health can still get to the net.

  • It does not prevent you from acquiring an IP address - it provides an IP with a set of settings that prevents you from communicating with any machines on the network other than those specified via the access policy.  These are termed 'fixup servers'.

    Please see documents/whitepapers/other info at http://www.microsoft.com/nap for more information.

    -Chris
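The health check the write-up describes (is this machine patched and running its antivirus?) and the remediation VLAN / fixup-server arrangement the two replies above describe, modelled as a small Python example. This is an added illustration, not NAP's protocol, the real Statement of Health format, or any Microsoft code: the SoH fields, the policy thresholds, the three rollout modes (reporting, deferred enforcement, enforcement, matching the sequence the video mentions for the MSIT rollout) and the sample fleet are all assumptions constructed for the example. What it shows is that a failing client is recorded as non-compliant in every mode, but only loses access, and only to everything except the fixup servers, once the policy is actually enforcing.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Iterable, Optional

# Added example: a toy model of NAP-style health evaluation.  It is NOT the
# real NAP protocol or any Microsoft code; field names, thresholds, modes
# and the sample fleet below are constructed for illustration only.


class Mode(Enum):
    REPORT_ONLY = "report"    # log non-compliance, grant full access
    DEFERRED = "deferred"     # report now, enforce from a cut-over date
    ENFORCE = "enforce"       # restrict non-compliant clients immediately


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client's health agents report (constructed fields)."""
    host: str
    firewall_on: bool
    av_enabled: bool
    av_signature_age_days: int
    missing_critical_patches: int


@dataclass
class HealthPolicy:
    """Server-side requirements plus the enforcement mode in effect."""
    max_signature_age_days: int = 7
    max_missing_patches: int = 0
    mode: Mode = Mode.ENFORCE
    enforce_from: Optional[date] = None   # only consulted in Mode.DEFERRED

    def failures(self, soh: StatementOfHealth) -> list[str]:
        """Every requirement the statement of health fails to meet."""
        reasons: list[str] = []
        if not soh.firewall_on:
            reasons.append("host firewall disabled")
        if not soh.av_enabled:
            reasons.append("antivirus disabled")
        elif soh.av_signature_age_days > self.max_signature_age_days:
            reasons.append(f"AV signatures {soh.av_signature_age_days}d old")
        if soh.missing_critical_patches > self.max_missing_patches:
            reasons.append(f"{soh.missing_critical_patches} critical patch(es) missing")
        return reasons

    def enforcing(self, today: date) -> bool:
        """Whether a failing client is restricted today, given the mode."""
        if self.mode is Mode.ENFORCE:
            return True
        if self.mode is Mode.DEFERRED:
            return self.enforce_from is not None and today >= self.enforce_from
        return False   # REPORT_ONLY never restricts


FULL = "full"                 # normal network access
REMEDIATION = "remediation"   # VLAN that reaches only the fixup servers


@dataclass(frozen=True)
class Verdict:
    compliant: bool
    network: str               # FULL or REMEDIATION
    reasons: tuple[str, ...]   # non-empty whenever compliant is False


def evaluate(policy: HealthPolicy, soh: StatementOfHealth, today: date) -> Verdict:
    """Compare one statement of health against the policy.  A failing client
    is always recorded as non-compliant (the 'reporting' part); it is moved
    to the remediation network only when the policy is enforcing today."""
    reasons = tuple(policy.failures(soh))
    if reasons and policy.enforcing(today):
        return Verdict(False, REMEDIATION, reasons)
    return Verdict(not reasons, FULL, reasons)


def allowed_destinations(verdict: Verdict, fixup_servers: Iterable[str]) -> Optional[frozenset[str]]:
    """None means unrestricted; otherwise the only hosts the client may reach
    (the patch / AV-signature 'fixup servers' from the access policy)."""
    return None if verdict.network == FULL else frozenset(fixup_servers)


# Constructed sample fleet; not real MSIT data.
SAMPLE_FLEET = [
    StatementOfHealth("ws-ok", firewall_on=True, av_enabled=True,
                      av_signature_age_days=2, missing_critical_patches=0),
    StatementOfHealth("ws-stale", firewall_on=True, av_enabled=True,
                      av_signature_age_days=30, missing_critical_patches=2),
    StatementOfHealth("ws-nofw", firewall_on=False, av_enabled=True,
                      av_signature_age_days=1, missing_critical_patches=0),
]


def run_demo(mode: str = "enforce", today: str = "2008-03-01",
             enforce_from: str = "2008-04-01") -> dict[str, Verdict]:
    """Evaluate the sample fleet under one mode; dates are ISO strings."""
    policy = HealthPolicy(mode=Mode(mode), enforce_from=date.fromisoformat(enforce_from))
    return {s.host: evaluate(policy, s, date.fromisoformat(today)) for s in SAMPLE_FLEET}


if __name__ == "__main__":
    for m in ("report", "deferred", "enforce"):
        print(f"--- mode={m} on 2008-03-01 (cut-over 2008-04-01)")
        for host, v in run_demo(m).items():
            print(f"{host:9} {v.network:12} {'; '.join(v.reasons) or 'healthy'}")
```

Run it directly to see the same fleet under each mode: in report mode every host keeps full access but the stale and firewall-off machines are flagged, in deferred mode nothing changes until the cut-over date, and in enforce mode those two land on the remediation network and can only reach the fixup servers. One caveat to carry into a real deployment: a restriction delivered purely as DHCP lease settings, as Chris describes, holds only while the client honours the lease, and a user with local administrator rights can assign a static address instead. That makes DHCP enforcement a good fit for the reporting and deferred phases modelled here; where the restriction has to hold against an uncooperative client, the 802.1x (switch-port VLAN assignment) or IPsec enforcement methods are the ones to use.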
  • NAPDude (NAP'ing the World)
    No comment (oh wait) on Adam's hair (or lack thereof), since he had to mention mine!

    Jeff Sigman

    PS - Thanks to Adam for making this video happen! Let us know if you like it and we can continue a series all about NAP. Make sure to check out the NAP blog.
  • Any key differences between this and any standard NAC appliance?
  • Enterprise CA required or Standalone okay to test?
  • NAPDude (NAP'ing the World)

    Hey Matt, good question.

    1.) Integrated client available in XP SP3 and Vista.
    2.) Able to enforce NAP orthogonally to the logged-on user (since it is an NT service).
    3.) 3rd parties can build on top of client and server and extend the scope of what "health" means.
    4.) The TCG adopted our Statement of Health (SoH) protocol as a standard - anyone can read the standard and interoperate.
    5.) Check out this demo video I made to get a better idea of the experience.

    I hope you try it out for yourself!


    Jeff Sigman
    Senior Program Manager - NAP

  • ZippyV (Fired Up)
    So, a networking guy hit by blaster because he didn't have his firewall on. Hmmm, fake story!
  • NAPDude wrote:
        Hey Matt, good question.
        1.) Integrated client available in XP SP3 and Vista.
        2.) Able to enforce NAP orthogonally to the logged-on user (since it is an NT service).
        3.) 3rd parties can build on top of client and server and extend the scope of what "health" means.
        4.) The TCG adopted our Statement of Health (SoH) protocol as a standard - anyone can read the standard and interoperate.
        5.) Check out this demo video I made to get a better idea of the experience.
        I hope you try it out for yourself!
        Jeff Sigman
        Senior Program Manager - NAP

    The live meeting site says that the webcast has expired.
  • NAPDude (NAP'ing the World)
    Zippy, every word I uttered was true. Can't you see it on my face? My machine rebooting while I was coding was very troubling! :->

    Jeff Sigman
  • NAPDude (NAP'ing the World)
    Hey Matt - I am looking for another copy of the demo now. If I can't find it, I will make another one!

    Jeff Sigman
  • NAPDude (NAP'ing the World)

    CannedSoda, Enterprise CA or Standalone will work fine!

    Check out the step-by-step for more information.

    Jeff Sigman

  • NAPDude (NAP'ing the World)

    Turns out my full 802.1x NAP Live Meeting demo (Server Beta 3) is gone and I can't locate another copy of it. I will create a brand spanking new one and post it on the NAP blog. I have some ideas how to make it better anyway, like showing you how I set up the HP Procurve 802.1x Switch to work with NAP (it is a snap).

    Please let me know if there is anything you specifically want to see, and I will consider demoing it. Otherwise just come see me at TechEd / IT Forum Europe and introduce yourself!

    Jeff Sigman

  • ZippyV (Fired Up)
    Another thing: I heard you saying that NAP is new to Windows Server 2008 but I was under the impression that this feature already existed in Server 2003 SP1. The feature had Quarantine in the name I think.
  • ZippyV,
    You're right, Server 2003 included a feature called Quarantine Services, you can read more about it here.  Brent talks about it a bit in the video when he talks about Microsoft's Remote Access implementation.  Quarantine services work only on VPN connections, and rely on custom scripts to do all the inspection on the client.  NAP can be used on VPN, IPSEC, 802.1x, or DHCP, and uses client issued health statements for the inspection.  It covers more scenarios and is a faster inspection process.
  • Hi,

    Just wondering, is NAP compatible with all manageable switches? I use a wide range and ages of intelligent switches; VLANs are not currently set up, however with the introduction of NAP it is an ideal opportunity to do so.

    Regards James!
  • raf hernandez

    I am coplane, no have channel, please sign in
