It’s NAP time

No, not that kind of NAP: in this case, Network Access Protection (NAP) Is Microsoft’s name for the network quarantine feature they’re shipping in Windows Server 2003 R2. The NAP white paper makes for an interesting read, but the NAP FAQ might be a better place to start. In brief, NAP works by allowing administrators to set policies (like “system must have version X of antivirus product Y”) or (“system must have patches A, B, and C from Windows Update”).

Clients that meet these policies (as assessed by an agent running on the client) are allowed to connect to the network; systems that do not meet the policies cannot. The NAP architecture description has lots more detail, including details on what kind of network isolation is available (DHCP and VPN are both supported) and how you can set up quarantine resources on an isolated subnet. This last is a particular interest of mine; being able to quarantine “unhealthy” systems is good, but it’s better if they then can get immediate access to a set of resources (like AV software or signatures or your local SUS server) to get whatever updates they need to be compliant.