Kevin explained NAP's use of IPsec. "IPsec lets you protect network resources from client machines that don't have a particular credential set to prove they've met requirements. So by combining IPsec with NAP, you can have compliance checking within your network."
Arlene added, "What Kevin is talking about specifically is NAP's IPsec enforcement. You can use it for domain and server isolation."
Mike concluded, "What the survey data points out is that we need to clarify in our communication the various uses for IPsec and then specifically what we're talking about with respect to NAP."
Ease of Use
Many respondents asked, "How complex is NAP deployment?" Calvin answered, "Ease of use and the GUI were big requests in the survey. You can use a wizard-based configuration page and answer some simple questions to configure NAP. In the survey, some people said the command line was a shortcoming of existing products. We can configure, deploy, and monitor using just the UI."
For users who prefer a command line interface, Calvin noted, "When we designed the product, we had both IT generalists and specialists in mind. IT generalists want to use and configure everything through the GUI. IT specialists want to go to the command line. We're providing both GUI and command-line interfaces."
Why is ease of use such a concern? Calvin pointed out, "When it comes to narrow access authorization, there are so many moving parts: NAP needs to integrate with user authentication and machine authorization. There's the multidomain model and so many different kinds of clients. It's good that you can validate the system health, but how do you provide automatic updates to keep systems compliant? Because there are so many moving parts, Microsoft needs to provide ease of use and a well-integrated product end to end."
Most Requested Features
The survey asked readers what elements of the client they want NAP to inspect and verify. Calvin said, "I was pleased to see that the top functionalities that customers want align with what we've done. Nearly 93 percent of readers wanted NAP to verify an antivirus signature, 86.9 percent said patch level, followed by OS configuration [62.8 percent] and host firewall configuration [57.6 percent]. When we designed the product, these elements were our top goals, and these are health-status checks NAP performs."
In addition, many readers want NAP to go beyond identifying and isolating noncompliant machines by providing remediation.As one reader put it, isolating machines and "giving a user a message or a Web link doesn't provide remediation. It generates Help desk calls." Calvin agreed: "There are four pillars of NAP: client validation, isolation, remediation, and ongoing compliance. Automatic remediation is built into the product with the System Health Agent (SHA). If your machine is out of compliance, you'll be notified of the consequence—for example, limited network connectivity. But while you're getting the notification, SHA will do its best to automatically remediate. If a machine is out of compliance, it will follow SHA's instructions, such as turning on the firewall, to get out of quarantine."
Turning on a firewall is a quick solution, Calvin admitted, but some compliance actions, "such as downloading a service pack, can take hours. You can configure such actions on the server side." For example, you can specify deferred enforcement, which Calvin explained: "I won't quarantine you immediately, but you have 30 days to comply with the corporate policy of downloading a service pack. Then NAP will download automatically." Calvin emphasized, "We don't expect users to go to a Web site and download patches or turn on the firewall. That should happen automatically."
It's All in the Policy
What were the key takeaways for the NAP team? Kevin said, "This survey really drove home the importance of ease of use. Also, we noted some confusion about using IPsec, so we need to do clarity and focus on IPsec in our guidance."
Kevin continued, "Another point was that 70 percent said they have a written security policy. Developing security policies is the most important step. Any enforcement technology is only truly effective if the proper level of thinking has gone into developing appropriate access policies. So we need to educate people about why they need a policy and what that policy is. Just installing NAP does nothing for you if you don't have anything to marry that to."
Mike added, "Maybe it's a catch-22. Why create a policy if you have nothing to enforce it? Maybe NAP is the catalyst for the other 30 percent to develop a security policy."
Register
