NAP Validator

Overview

Microsoft Network Access Protection (NAP) is a policy enforcement platform built into the Windows OS that lets you better protect network assets by enforcing compliance with system health requirements.

With NAP, you can create customized health requirement policies to:

validate computer health before allowing access or communication,

automatically update compliant computers to ensure ongoing compliance,

optionally confine noncompliant computers to a restricted network until they become compliant.

A detailed description of NAP technology is available on the Microsoft website.

NAP in Dr.Web Enterprise Security Suite

Dr.Web Enterprise Security Suite allows you to use the NAP technology to check the health of Dr.Web anti-virus software on protected workstations.

This functionality is provided by Dr.Web NAP Validator.

Means of Health Validation

A NAP health policy server which is installed and configured in the network.

Dr.Web NAP Validator, which is an implementation of a NAP System Health Validator (SHV) that uses Dr.Web custom policy extensions. This component is installed on the computer where the NAP server resides.

System Health Agents (SHAs) which are installed automatically on the workstations during installation of Dr.Web Agents.

Dr.Web Server which serves as the NAP remediation server and ensures health of anti-virus software on workstations.

[Figure: Diagram of the anti-virus network when NAP is used. Legend: Dr.Web Server; NAP Server + Dr.Web NAP Validator; protected computer, compliant; LAN, internet; protected computer, noncompliant.]

Workstation Validation Procedure

1. Validation is activated when you configure the corresponding settings of the Agent.

2. The SHA connects to Dr.Web NAP Validator installed on the NAP server.

3. Dr.Web NAP Validator determines compliance of workstations against the health requirement policies as described below. To determine health compliance, NAP Validator checks the workstation anti-virus state against the corresponding health requirement policies, and then classifies the workstation in one of the following ways:

Workstations which meet the health policy requirements are classified as compliant and allowed unlimited access and communication on the network.

Workstations which do not meet at least one requirement of the health policy are classified as noncompliant and have their access limited to Dr.Web Server only. The Server allows noncompliant workstations to update the system with the necessary anti-virus settings. After update, the workstations are validated again.

Health Policy Requirements

1. Dr.Web Agent must be started and running (Agent health).

2. Dr.Web virus databases must be up-to-date, i.e. databases on the workstation must be similar to those on the Server.

Configuring NAP Validator

After installation of Dr.Web NAP Validator (see Installation Manual, p. Installing NAP Validator) on a computer where a NAP server resides, you need to perform the following actions:

1. To open the NAP server configuration component, run the nps.msc command.

2. In the Policies section, select Health Policies.

3. In the window that opens, open the properties of the following elements:

NAP DHCP Compliant. In the settings window, set the Dr.Web System Health Validator flag, which prescribes the use of Dr.Web NAP Validator component policies. To classify workstations as compliant only when all health policy requirements are met, select Client passed all SHV checks in the drop-down list.

NAP DHCP Noncompliant. In the settings window, set the Dr.Web System Health Validator flag, which prescribes the use of Dr.Web NAP Validator component policies. To classify workstations as noncompliant if any of the health policy requirements are not met, select Client failed one or more SHV checks in the drop-down list.