Enforcement Methods in Windows Server 2008

The following options are available for enforcing network restrictions on noncompliant hosts:

■ IPsec: This is the preferred method because every managed host protects itself from hosts that do not meet your organization's system health requirements. A compliant host obtains a health certificate from a Health Registration Authority (HRA) and uses it to authenticate its IPsec-protected traffic, so regardless of how and where a potentially dangerous computer is connected, managed computers ignore its communications until that computer proves that it meets policy.

■ IEEE 802.1X: This method controls access through restrictions that the network switch or wireless access point enforces at the port. Until the host has proven its health status, the RADIUS server (NPS) instructs the switch or access point to place it on a restricted virtual LAN (VLAN) or to apply a set of IP packet filters to its traffic.

■ VPN: VPN enforcement is a good way to apply policy to remote clients. After the user has proven his or her identity, access remains limited until the computer being used has demonstrated its compliance with your health policies. If you are familiar with Network Access Quarantine Control in Windows Server 2003, NAP may sound similar, but it is built on completely new technology.

■ Terminal Server Gateway: Terminal Server Gateway (TS Gateway) restricts access for remote Terminal Services clients when they reach internal resources via Remote Desktop Protocol (RDP) tunneled over HTTPS; the gateway checks the client's health before it lets the RDP session through.

■ DHCP: DHCP enforcement may seem the easiest solution to deploy, but it is also the weakest. Access is controlled only through the IPv4 address configuration and routing table the DHCP server hands out (a restricted lease with a 255.255.255.255 mask, no default gateway, and host routes only to the remediation servers), so a user with administrative privileges can bypass it simply by configuring a static IP address, gateway, and DNS server. If the same network must also serve hosts that do not understand NAP, the problem gets worse: the DHCP server identifies a NAP-capable client only by the statement of health in its DHCP request, so any client can obtain full access simply by not sending one and thereby claiming not to speak NAP.
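The following is an added example that is not part of the book: a short PowerShell session (netsh commands, since the Windows Server 2008-era NAP client has no cmdlets) that shows what a DHCP-restricted client looks like, reproduces the two weaknesses just described, and then checks which enforcement clients are actually enabled. The interface name "Local Area Connection", the 10.0.0.0/24 addresses and the DNS server at 10.0.0.10 are constructed for the illustration; the enforcement client IDs (79617 DHCP, 79619 IPsec, 79623 802.1X/EAP) are the values documented for the Vista/Server 2008 NAP client and should be confirmed with `netsh nap client show configuration` before you rely on them.

```powershell
# Added example: why DHCP enforcement is only as strong as the client's willingness
# to use DHCP. Run in an elevated PowerShell prompt on a NAP-capable client.
# All interface names and addresses below are constructed placeholders.

# 1. What a noncompliant, DHCP-restricted client looks like: a lease with a /32 mask,
#    no default gateway, and (on a NAP-enabled client) a restricted quarantine state.
ipconfig /all | Select-String 'Quarantine State', 'Subnet Mask', 'Default Gateway'

# 2. Bypass #1 from the text: an administrator discards the lease and configures
#    the adapter statically. Nothing on the wire checks health; only the DHCP server
#    did, and it has just been cut out of the loop.
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.0.0.50 mask=255.255.255.0 gateway=10.0.0.1
netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=10.0.0.10
ping -n 1 10.0.0.10    # reaches the "protected" server despite failing health policy

# 3. Bypass #2 from the text: turn off the DHCP Quarantine Enforcement Client so the
#    DHCP request carries no statement of health. If the NPS policy grants full access
#    to non-NAP-capable computers, the next lease is an unrestricted one.
netsh nap client set enforcement ID = 79617 ADMIN = "DISABLE"
ipconfig /release
ipconfig /renew
netsh nap client show state

# 4. The check a practitioner wants: which enforcement clients are actually on.
#    For enforcement that the peer or the switch performs rather than the client's
#    own IP stack, enable IPsec (79619) or 802.1X (79623) instead of relying on DHCP.
netsh nap client show configuration
netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"
```

Steps 2 and 3 succeed precisely because DHCP enforcement has no component on the network path; with IPsec enforcement the static address in step 2 gains nothing, because compliant peers still refuse traffic that is not authenticated with a health certificate.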