I'm learning about Windows Server 2008 R2's NAP features. I understand what network access control (NAC) is and what role NAP plays in that, but I would like to know what limitations and problems it has, that people wish they knew before they rolled it out.
Secondly, I'd like to know if anyone has had success rolling it out in a mid-size (multi-city corporate network with around 15 servers, 200 desktops) environment with most (99%) Windows XP SP3 and newer Windows clients (Vista and Win7). Did it work with your anti-virus? (I'm guessing NAP works well with the big-name anti-virus products, but we're using Trend Micro.) Let's assume that the servers are all Windows Server 2008 R2. Our VPNs are Cisco stuff, and have their own NAC features.
Has NAP actually benefited your organization, and was it wise to roll it out, or is it yet another in the long list of things that Windows Server 2008 R2 does, but that if you do move your servers up to it, you're probably not going to want to use?
In what particular ways might the built-in NAP solution be the best one, and in what particular ways might no solution at all (the status quo pre-NAP) or a third-party endpoint security or NAC solution be considered a better fit?
I found an article where a panel of security experts in 2007 say NAC is maybe "not worth it". Are things better now in 2010 with Win Server 2008 R2?
In complete honesty, I don't think the trouble is worth it right now, because of a few major stipulations.
First off, DirectAccess is one of the showstopping features of NAP. DirectAccess, however, will only work on an IPsec-secured internal network, using IPv6, and with 2008 R2 and Windows 7 clients only.
So, older OSes are out, which is unfortunate, as most businesses have not yet adopted Windows 7 in full force.
The second reason, this one is more personal, is that this is really kind of Microsoft's first round (maybe second) at technology like this, and Microsoft doesn't usually nail down the usability and installability factors until its 3rd iteration.
My advice? Stay away from it right now. Give it some time to develop as a product and technology.
Definitely play with it, as this feature (along with DirectAccess) will only get more robust and reliable over time.
When you think about NAP, don't think all or nothing. Ask yourself "what scenario do you want to protect": Wi-Fi, VPN, or all network connections. The end-all-be-all is 802.1X on all switch ports so your computers are quarantined at startup across the network, but that's usually a huge undertaking with all sorts of pitfalls (switch compatibility, OS deployments, etc.).
So let's say you had a rock-solid patching/WSUS system and your AV supported NAP; you could try testing it for VPN users... that "higher risk" scenario of your trusted computers coming into your network from who knows where. Maybe you just want to worry about them at first, and quarantine them on initial connection if they aren't updated. If your VPN solution were pure Microsoft, it wouldn't be a huge amount of work to test and deploy this just for VPN, since you would have 95% of the solution in place already (IAS, RRAS, WSUS, etc.).
We proof-of-concept'ed it 2-3 years back right when Server 2008 came out for deployment to a few thousand laptops, but the budget wasn't there to support the testing and training that was needed to get it into production. Worked in the lab though.
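To make the "VPN scenario only" pilot from the answer above concrete, here is an added example (my own, not code from anyone in this thread) of what you would run on a pilot Windows 7 or Vista laptop so that only the Remote Access (VPN) enforcement client is active and nothing on the LAN side gets quarantined by accident. It assumes the NAP client's service name (napagent), the netsh nap client context, and the standard enforcement client IDs (79617 DHCP, 79618 Remote Access/VPN, 79619 IPsec, 79621 TS Gateway, 79623 EAP/802.1X); none of those values appear in the thread, so verify them against netsh nap client show state on your own build before relying on them.

```powershell
# Added example, not from the original thread. Scopes the NAP client to the VPN
# scenario only on a pilot machine. Run from an elevated PowerShell session.
# Assumed enforcement client IDs (check "netsh nap client show state" on your build):
#   79617 = DHCP, 79618 = Remote Access (VPN), 79619 = IPsec,
#   79621 = TS Gateway, 79623 = EAP (802.1X)

$vpnEnforcementId  = 79618
$lanEnforcementIds = 79617, 79619, 79621, 79623

# The NAP Agent service must be running, or no enforcement client reports health at all.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Enable only the Remote Access (VPN) enforcement client for the pilot.
netsh nap client set enforcement "ID=$vpnEnforcementId" "ADMIN=ENABLE"

# Explicitly disable the LAN-facing enforcement clients so a DHCP or 802.1X
# quarantine can't surprise desktops that never leave the building.
foreach ($id in $lanEnforcementIds) {
    netsh nap client set enforcement "ID=$id" "ADMIN=DISABLE"
}

# Record the resulting state for the pilot's change log.
netsh nap client show state
```

Two caveats when you move from a lab box to domain-joined clients: if the NAP client settings are also delivered by Group Policy, the policy values override whatever netsh set locally, so check the GPO before assuming the pilot scope stuck; and the Windows Security Health Agent reads firewall and anti-virus status from Security Center, which is off by default on domain PCs, so the "AV up to date" check will not work until Security Center is turned on by policy.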