What’s happening with Network Access Protection?

The TechNet article (http://technet.microsoft.com/en-us/library/dn303411.aspx) tells the stark truth: NAP in Windows Server 2012 R2 is “deprecated”. The technology designed to ensure that only healthy clients connect to the protected internal network is no longer going to be the focus of new features or development. Deprecated is a vague term. It might mean that the feature is gone in the next iteration of Windows Server, or that it is still available in versions years from now. A bit like how WINS was meant to go away, but still seems to be present when I run the Add Roles and Features wizard, even though we were meant to have given up on NetBIOS name resolution somewhere around the release of Windows 2000.

NAP was a great technology that very few people seemed to actually use. The premise was simple: Before allowing a computer to connect to the network, ensure that the computer was up-to-date with software updates and anti-virus. If it wasn’t, the computer was remediated or blocked from network access until it was brought up-to-date.

The drawback with NAP was the unacknowledged fact that at most organizations, a substantial number of clients aren’t within yelling distance of being up-to-date. People didn’t implement it because getting their clients up to scratch was going to be a bigger task than they were willing to budget for in time, money, and effort (which, if there was an epitaph written about the attitude of many IT pros to client security, would probably be something involving a lack of time, money, will, and effort).

There are certainly other solutions that allow you to monitor whether a client’s configuration falls within an acceptable set of parameters related to software updates, firewalls, and anti-malware definitions. There’s a good argument to be made that any client that can be taken out of the building should be kept on a separate network from production servers in any case, because even when anti-virus definitions and software updates are up-to-date, computers can still be compromised by malware that simply isn’t detected (though this is less likely than if the computer wasn’t up-to-date).

If you’ve already rolled out NAP, the feature is still there and still works. Being marked as deprecated means that at some point in the future it will be gone. Still, it’s probably going to be years until the oldest server operating system in your environment is running Server 2012 R2. If Windows Server 2003 is anything to go by, it won’t be until the mid-2020s that Server 2012 R2 is no longer supported.

If you were thinking about rolling out NAP, then you should probably reconsider your plans. It’s one thing to find out that a bridge is going to be removed after you’ve driven over it, it’s quite another to find out that it might disappear before you get there.

Discuss this Blog Entry 2

on Jan 18, 2015

I just discovered that the NAP client has been removed from Windows 10 Technology Preview release. Looks like current users of NAP-based network isolation will need a replacement before migrating to Windows 10. Personally, I'm pretty disappointed :-(

on Feb 19, 2015

This is a feature that is automatically installed with the Remote Desktop Gateway role, I wonder what they are going to do to let Windows 10 clients use the RD Gateway?


What's Hyperbole, Embellishment, and Systems Administration Blog?

IT pro Orin Thomas provides true tales, snafus, news, and urban legends for Microsoft Windows system administrators.


Orin Thomas

Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center,...
