Group Policy Tip Of The Week: NAP the world ~ Ask The Admin

Tuesday, July 22, 2008

Group Policy Tip Of The Week: NAP the world

In my last Group Policy tip of the week, I talked about XP/SP3.

And, I just want to put (quickly) to rest that I was trying to suggest that you should positively avoid it.

Au contraire.

I was simply suggesting that if you haven't done your testing yet, then there IS a possible way to prevent it from being blasted upon your machines without your consent.

Okay, now with that behind us, let's take a second to examine XP/SP3.

Not all of XP/SP3, just one little piece.

First, remember some years ago, how Microsoft drew a little line in the sand and said "Service packs won't have new features." Well, just in case you missed the updated memo -- those days are over. As you'll recall, XP/SP2 was like "XP 2.0." And, even though XP/SP3 doesn't bring a zillion things to the table like XP/SP2 did, it does bring one very interesting, and not-all-that-well-known tidbit to the mix.

The tidbit is already built into Vista clients, and is now backwardly-available for XP/SP3. This piece is the NAP client. NAP means Network Access Protection.

What the heck is NAP, anyway? Well, instead of talking about NAP directly, let's check out an alternate situation that I'm sure a lot of us have had to deal with.

If you've ever had to put a child in public school (or a dog in doggy day care), you know that you need to get your kid (or "fur kid") vaccinated first. Then, you need a certification of health that proves they've actually had the necessary vaccinations. Let's say that when you introduce your kid to this one particular school on the first day, the Principal at the front door of the school looks at the vaccination report, and validates that the kid is really vaccinated (and is likely healthy enough not to infect others), and then permits your kid to come inside the building.

If your kid hasn't been vaccinated, this school will cheerfully give you two options: walk down a specific hallway that has no kids that your child could possibly infect, and meet with the school nurse at the nurse's office to get vaccinated immediately. Or stay outside. Your choice.

Why is introducing new creatures into the environment so harsh? Because we want to maintain a healthy environment for the betterment of everyone in the building. Now, it is perfectly true that just because every kid in the school has been vaccinated doesn't actually guarantee there won't be an outbreak. It just means that certain criteria have been met which meet the baseline of healthy.

Got the idea?

Well, that's Network Access Protection, or NAP. NAP's goal for your client machines is similar to the example with the unvaccinated kids above.

So, to make use of NAP, your XP clients (specifically, XP/SP3) and Vista clients (any flavor) have a little "agent" piece running upon them. Then, when they try to connect to the network, they need to "prove" how healthy they are (you can define the criteria). Once proven healthy, they're allowed on the regular network. If they're NOT healthy enough, they must see the Nurse, er, the Remediation Servers to get updated.

What kinds of things might you want to check for? How about if the Firewall is turned on? Are they running Antivirus software? How about the latest version of the definitions? Do they have a registry key set to a specific value? Is software XYZ currently installed and the service running?

All sorts of stuff. Now, the bad news is that the NAP client that ships with XP/SP3 and Vista can't do ALL of these things with the bits in the box. For some of these things you'll need some NAP add-ons, so be prepared for that as you start your exploration.
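To make the "prove you're healthy, or go see the Nurse" decision concrete, here is a small added model of it, written for this post and not Microsoft's NAP agent or NPS code. The policy fields, the registry value EnforceXYZ and the service XYZAgent are made-up names standing in for the criteria you would define yourself.

```python
# Added illustration of the NAP admission decision: the client agent reports a
# statement of health, the policy compares it against administrator-defined
# criteria, and the client is either admitted or handed a remediation list.
# Simplified model written for this post, not Microsoft's NAP agent or NPS code.
from dataclasses import dataclass, field

@dataclass
class HealthPolicy:
    """The criteria the administrator defines (field names are hypothetical)."""
    require_firewall: bool = True
    require_antivirus: bool = True
    min_definition_version: int = 0          # oldest acceptable AV definition set
    required_registry: dict = field(default_factory=dict)   # value name -> data
    required_services: frozenset = frozenset()  # services that must be running

@dataclass
class StatementOfHealth:
    """What the client-side agent reports about itself."""
    firewall_on: bool
    antivirus_running: bool
    definition_version: int
    registry: dict
    running_services: frozenset

def evaluate(soh: StatementOfHealth, policy: HealthPolicy):
    """Return ('full', []) for a compliant client, or ('restricted', fixes) with
    the remediation steps the client must complete before it is let back on."""
    fixes = []
    if policy.require_firewall and not soh.firewall_on:
        fixes.append("turn on the firewall")
    if policy.require_antivirus:
        if not soh.antivirus_running:
            fixes.append("start antivirus")
        elif soh.definition_version < policy.min_definition_version:
            fixes.append("update antivirus definitions")
    # Registry and service checks are the kind the post says need NAP add-ons.
    for name, expected in policy.required_registry.items():
        if soh.registry.get(name) != expected:
            fixes.append(f"set registry value {name} to {expected!r}")
    for svc in sorted(policy.required_services - soh.running_services):
        fixes.append(f"install/start service {svc}")
    return ("restricted", fixes) if fixes else ("full", [])

# Constructed sample policy and two constructed sample clients.
POLICY = HealthPolicy(min_definition_version=42,
                      required_registry={"EnforceXYZ": 1},
                      required_services=frozenset({"XYZAgent"}))
HEALTHY = StatementOfHealth(True, True, 45, {"EnforceXYZ": 1}, frozenset({"XYZAgent"}))
STALE = StatementOfHealth(False, True, 40, {}, frozenset())

if __name__ == "__main__":
    for label, client in (("healthy", HEALTHY), ("stale", STALE)):
        print(label, evaluate(client, POLICY))
```

The "restricted" result is the hallway to the nurse's office: the client only gets the remediation servers until every listed fix is done, and, as the post notes, passing the baseline does not guarantee the machine is actually clean.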

A quick note if you're going to try to get smarter on this NAP thing on your own. The user interface for some of the Windows Server 2008 components will just say "Windows XP" when what they really should be saying is "Windows XP/SP3." Again, that's because the NAP agent isn't available for anything LESS than XP/SP3. So, do keep that in mind as you're reading and checking it all out.

Soooo... how do I get smarter on this NAP thing?

If you like the idea of NAP, it's a bit of a mountain to climb to get started.

One of my favorite places to get NAP-tastic is the Microsoft NAP blog here. Updated with NAP-o-rific information.

Also, if you have my new BLUE book, we have a whole chapter on NAP. There's a full end-to-end working example for you to try to get a feel for how it works.

This is a weekly spot brought to you by Jeremy M of