Protect Roaming Laptop Computers
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
Today’s networking environment is increasingly mobile and supports a variety of access scenarios. Traveling employees often need to connect to many different networks, such as wireless networks in airports and coffee shops, hotel local area networks (LANs), and guest networks at other businesses. These networks can pose a security risk due to the presence of viruses and other malicious software (also called malware) designed to capture passwords and other sensitive data from unprotected computers. Mobile users must be protected from these threats.
Protection provided by NAP
NAP protection for mobile computers can be divided into two categories:
Defense-in-depth: By ensuring that organization computers are compliant with network and security policies (for example, by ensuring that recent antivirus and other updates and signatures have been installed), NAP helps to make client computers less vulnerable to attack.
IPsec policies: When you deploy NAP with IPsec enforcement, domain computers are protected from unwanted traffic and communications can be protected from network sniffers and other hacking tools by encrypting sensitive information before it is transmitted.
The following figure shows a computer that is compliant with network health policies. Because IPsec enforcement is performed at the computer, the computer is protected as it roams to different networks. So a user who leaves the corporate network and connects to a public network can still have his or her computer protected from risks associated with a less secure environment. Upon returning to the corporate network, the health of the client computer is evaluated, and if necessary, updated. If the computer is compliant with health policy, it is granted full access to the network.
NAP can help protect the client computer when it accesses a public network
Defense-in-depth
All NAP enforcement methods can provide protection for mobile computers by ensuring the computer has the latest software updates and antivirus signatures prior to leaving the corporate network. The health policies that administrators define for their organization determine how much protection NAP can provide to a mobile user. Windows Security Health Validator (WSHV) is included by default with the NAP health policy server and provides health evaluation for system services monitored by Windows Security Center. The following policies can be enforced with WSHV to enhance defense-in-depth when a mobile computer leaves the organization network:
Antivirus software: Is antivirus software installed and up-to-date?
Anti-malware software: Is anti-malware software installed and up-to-date?
Automatic updating: Is Windows Update configured to install updates automatically?
Windows security updates: Does the computer have the most recent operating system updates from Windows Update or Windows Server Update Services (WSUS)?
Firewall: Is the firewall active when the computer leaves the network?
NAP can also be extended to use other SHVs provided by Microsoft or by other vendors.
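The five WSHV items listed above can be checked on the laptop itself before it leaves the network. The following is an added example, not code from the TechNet article: it assumes Windows 8 / Server 2012-era PowerShell with the NetSecurity module on a client edition (where Windows Security Center exposes root/SecurityCenter2), and the productState decoding follows the commonly documented layout rather than an official contract.

```powershell
# Added example, not from the TechNet article: a pre-travel check that queries the
# same five items WSHV evaluates. Assumes a Windows 8 / Server 2012-era PowerShell
# (NetSecurity module) on a client edition, where Windows Security Center exposes
# root/SecurityCenter2. The productState decoding is the commonly documented layout
# rather than an official contract, so treat it as an assumption.

function Get-SecurityCenterProduct {
    param([string]$Class)   # 'AntiVirusProduct' or 'AntiSpywareProduct'
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $Class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $state = '{0:X6}' -f $_.productState        # e.g. 041000
            [pscustomobject]@{
                Name     = $_.displayName
                Enabled  = ($state.Substring(2, 2) -in '10', '11')   # real-time protection on
                UpToDate = ($state.Substring(4, 2) -eq '00')         # signatures current
            }
        }
}

function Test-WshvPosture {
    $av  = Get-SecurityCenterProduct -Class 'AntiVirusProduct'
    $asw = Get-SecurityCenterProduct -Class 'AntiSpywareProduct'

    # Automatic updating: NotificationLevel 4 = "Install updates automatically"
    $au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings

    # Security updates still pending, as Windows Update or WSUS sees them
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

    # Firewall must be on for every profile; the laptop will land on public networks
    $fw = Get-NetFirewallProfile

    [pscustomobject]@{
        AntivirusOk       = [bool]($av  | Where-Object { $_.Enabled -and $_.UpToDate })
        AntiMalwareOk     = [bool]($asw | Where-Object { $_.Enabled -and $_.UpToDate })
        AutoUpdateOk      = ($au.NotificationLevel -eq 4)
        SecurityUpdatesOk = ($pending.Count -eq 0)
        FirewallOk        = -not ($fw | Where-Object { $_.Enabled -ne 'True' })
        PendingUpdates    = $pending.Count
    }
}

$posture = Test-WshvPosture
$posture | Format-List
$failed = $posture.PSObject.Properties | Where-Object { $_.Name -like '*Ok' -and -not $_.Value }
if ($failed) {
    Write-Warning ("Would fail WSHV health policy: " + ($failed.Name -join ', '))
}
```

Any item reported as false is one the NAP health policy server would also flag, so it should be remediated while the laptop can still reach WSUS and the signature servers.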
IPsec policies
NAP with IPsec enforcement provides the best method for protecting mobile computers while traveling. Because IPsec enforcement is performed at the computer, the computer is protected as it roams to different networks. You can establish IPsec policies that allow incoming connections to the laptop only from computers that are compliant with network health policies. Thus, when the laptop is traveling, it is protected from computers that are noncompliant. With IPsec, you can allow the client computer to communicate freely with other computers when it initiates the connection and also protect the computer from unsolicited inbound communications. IPsec is also ideal for protecting the data of existing applications that were not designed with security in mind. Using Windows Firewall with Advanced Security, you can specify the types of network traffic that are protected.
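The "require inbound, request outbound" posture described above can be expressed as a connection security rule. The following is an added example, not code from the TechNet article: it uses the NetSecurity cmdlets of Windows 8 / Server 2012, assumes the CA name 'CN=Contoso Root CA' and the rule display names, and assumes the -Health switch of New-NetIPsecAuthProposal (which marks the certificate as an HRA-issued health certificate) is available.

```powershell
# Added example, not from the TechNet article: the connection security rule that
# implements the IPsec posture described above, created with the NetSecurity cmdlets
# of Windows 8 / Server 2012. Assumed values: the issuing CA name 'CN=Contoso Root CA'
# and the rule display names; the -Health switch on New-NetIPsecAuthProposal (marks
# the certificate as an HRA-issued health certificate) is assumed to be available.

# Authenticate peers with a machine health certificate from the organization's CA.
# Only computers that passed the health check hold one, so only they can authenticate.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority 'CN=Contoso Root CA' -AuthorityType Root -Health
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'NAP health certificate (phase 1)' `
    -Proposal $authProposal

# Quick mode: ESP with AES-256 and SHA-256 so protected traffic is also encrypted,
# not merely integrity-checked, on untrusted networks.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption AES256 -ESPHash SHA256
$quickMode = New-NetIPsecQuickModeCryptoSet -DisplayName 'NAP ESP AES-256' `
    -Proposal $qmProposal

# Require inbound, request outbound: unsolicited inbound connections must come from
# a health-certificate holder, while the laptop may still talk freely to any host
# it contacts itself (for example a hotel DNS server). Narrow the rule with
# -Protocol/-LocalPort or -Profile if only certain traffic should be protected.
New-NetIPsecRule -DisplayName 'NAP: require health cert inbound, request outbound' `
    -InboundSecurity Require -OutboundSecurity Request -Mode Transport -Profile Any `
    -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $quickMode.Name

# Verify: the rule is present, and once peers connect, main-mode SAs show which
# hosts authenticated successfully.
Get-NetIPsecRule -DisplayName 'NAP: *' |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA |
    Format-Table LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

In a real NAP deployment this rule is delivered through Group Policy so that it travels with the laptop; creating it locally, as here, is useful for testing the policy on one computer.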
Summary
The following table shows the protection offered by the NAP enforcement methods to roaming laptop computers. All of the following enforcement methods can also be extended to provide additional protection through the use of Microsoft and non-Microsoft NAP-integrated products.
Protection provided | IPsec enforcement design | 802.1X enforcement design | VPN enforcement design | DHCP enforcement design |
---|---|---|---|---|
Encrypted communications | Yes | Yes (wireless) | Yes | No |
Authenticated communications | Yes | Yes | Yes | No |
Software updates | Yes | Yes | Yes | Yes |
Operating system updates | Yes | Yes | Yes | Yes |
Antivirus software installed | Yes | Yes | Yes | Yes |
Antivirus signature up-to-date | Yes | Yes | Yes | Yes |
Anti-malware software installed | Yes | Yes | Yes | Yes |
Anti-malware signature up-to-date | Yes | Yes | Yes | Yes |
Firewall active | Yes | Yes | Yes | Yes |