S 4.410 Use of network access protection under Windows
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
Under the heading "Network Access Protection", several protection technologies for Microsoft operating systems are summarised. They control the access of individual IT systems to a network depending on the security level implemented on the respective IT system. In this manner, the sensitive systems reachable in the network are protected against threats arising from other systems that lack adequate security precautions, for example systems with outdated virus signatures.
Under the name "Network Access Protection" (NAP), Microsoft has integrated into several products a mechanism to protect networks against unauthorised access. Using NAP is optional; it requires at least Windows Server 2008 as well as clients running Windows Vista, Windows 7 or Windows XP with Service Pack 3. Here, components on the Windows server control the access of the clients. During the login procedure, the clients send information on their security level, such as the installed updates or how current their virus signatures are, to the server. On the basis of stored security rules ("policies"), the server decides whether a client may access the network, whether access is denied, or whether access is limited to just a few servers. In general, these servers provide the services which the client needs to restore the required state, for example an update mechanism for virus signatures or Windows Update.
The access to the network to be protected can be controlled on different levels:
- VPN access: In this scenario, the Windows server controls the access of computers connected via a VPN to the internal network.
- IPSec: When setting up encrypted communication channels via IPSec, a Windows server can also include the security status of the client in the examination.
- IEEE 802.1X: This is a standard which requires the authentication of IT systems in a network as basis for access control. Here, the authentication is carried out directly between the end device and a LAN Service Access Point, typically a network switch with the corresponding functionality. In connection with Windows Server 2008, IEEE 802.1X-capable switches can also request an examination of the security level of the client during the authentication process and check the conformity with the security requirements of the network.
- DHCP: In this approach, a DHCP configuration either allowing network access or restricting it accordingly is transferred to the client depending on the examination of its security status. This method, however, can be easily bypassed by an attacker and is not recommended.
- Terminal server access: When clients access a Windows Terminal Server via RDP, a security check via NAP can also be integrated on the terminal server gateway during the authentication process.
Depending on the scenario, the technical procedures and the components used differ. In each case, the clients need a locally running component called the System Health Agent (SHA), which determines the local parameters of the security configuration in System Health Validators (SHVs) and sends them to the receiver. In clients running Windows XP Service Pack 3, Windows Vista and Windows 7, a corresponding SHA is integrated into the operating system; implementations are also available for clients running Mac OS X or Linux.
The client available in Windows can check the following conditions:
- Firewall software is installed and activated on the client computer.
- Anti-virus software is installed and running on the client computer.
- Current anti-virus updates are installed on the client computer.
- An anti-spyware program is installed and running on the client computer.
- Anti-spyware updates are installed on the client computer.
- The Microsoft Update services are activated on the client computer.
Depending on the selected protection mechanism, the server components involved in the examination include a Health Registration Authority (HRA) to issue certificates for examined clients, a Network Policy Server (NPS) comparing the transferred configurations to the regulatory scheme as well as Enforcement Servers (ES) to implement the result of the NAP examination.
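As an added illustration (not Microsoft's NAP code, and not part of the original safeguard), the server-side policy decision described above modelled in Python: the six conditions reported by the Windows SHA form a statement of health, and the policy maps each failed condition to the remediation server the client may still reach, denying access when a failed condition has no remediation service. Field names, hostnames and the remediation mapping are assumptions.

```python
"""Simplified model of a NAP health-policy decision (illustration only).

The statement of health carries the six conditions the built-in Windows SHA
reports; the policy returns one of the three outcomes named in the text:
full access, restricted access to remediation servers, or denial.
"""
from dataclasses import asdict, dataclass
from enum import Enum


class Access(Enum):
    FULL = "full"
    RESTRICTED = "restricted"   # limited to the remediation servers only
    DENIED = "denied"


@dataclass(frozen=True)
class StatementOfHealth:
    # Self-reported by the client's agent: a tampered client can report
    # anything here, which is why NAP does not stop targeted attacks.
    firewall_enabled: bool
    antivirus_running: bool
    antivirus_signatures_current: bool
    antispyware_running: bool
    antispyware_signatures_current: bool
    microsoft_update_enabled: bool


# Constructed policy (assumed hostnames): failed conditions that can be fixed
# over the network map to the server the client is allowed to reach.
# Conditions absent from this map cannot be remediated remotely -> deny.
REMEDIATION_SERVERS = {
    "antivirus_signatures_current": "av-update.example.internal",
    "antispyware_signatures_current": "av-update.example.internal",
    "microsoft_update_enabled": "wsus.example.internal",
}


def evaluate(soh: StatementOfHealth) -> tuple[Access, frozenset[str]]:
    """Return the access decision and the set of servers still reachable."""
    failed = {name for name, ok in asdict(soh).items() if not ok}
    if not failed:
        return Access.FULL, frozenset()
    if not failed <= REMEDIATION_SERVERS.keys():
        # At least one failed condition has no remediation service.
        return Access.DENIED, frozenset()
    return Access.RESTRICTED, frozenset(REMEDIATION_SERVERS[f] for f in failed)


if __name__ == "__main__":
    stale = StatementOfHealth(True, True, False, True, True, True)
    print(evaluate(stale))  # restricted to the AV update server
```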
On the network level, Cisco offers its own implementation of a network access protection concept under the name "Network Admission Control". Both technologies can also be used in combination: for this purpose, the Cisco network components include a query to a Windows Network Policy Server in their examination of the clients.
NAP is a recommended tool for providing additional security for sensitive systems in a network. The gain in security, however, must not be overestimated: since the agents that determine the security level inevitably run on the clients themselves, an attacker with administrative access to a client can in principle manipulate it so that it gains access to the network by reporting false information. NAP therefore does not provide protection against targeted attacks, but it is particularly suited to limiting the damage from untargeted attacks such as virus infections.
When planning the use of NAP, the following aspects must be considered:
- Definition of the protection objectives pursued using NAP: Which information values are to be protected using NAP and against which threats are they to be protected by means of NAP?
- Planning the NAP architecture: Based on which technical implementation method is NAP used? Which server components are used and on which servers are they operated?
- Planning the NAP regulatory schemes: Which systems and networks are to be protected by NAP? What are the requirements for IT systems that want to access protected areas? Which services must remain reachable for a rejected system so that it can restore the required state?
- Planning the NAP administration: Who has administrative access to the NAP systems and regulatory schemes? Who is responsible for the currency and maintenance of the regulatory schemes?
Review questions:
- Were the pursued protection objectives, the NAP architecture and the NAP administration considered when planning the use of NAP?
- Are the results of the NAP planning process including the regulatory schemes documented?