Network Access Protection (NAP) checks clients for patch and antivirus compliance. NAP is not meant to replace a firewall, and it's not a software distribution tool, but it is positioned as a pervasive enforcement point for clients attempting to connect to a network.
To ensure that non-domain-joined and remote clients are scanned for compliance, Microsoft is focusing on enforcing security policies at the DHCP, VPN, 802.1X, IPsec, and TS Gateway enforcement points. DHCP will likely be the enforcement point of choice, given that most clients must consult a DHCP server before they can reach network resources. Clients that fail a defined policy check (for the presence of certain Windows updates, for example, or of up-to-date antivirus client software) can be placed automatically into a quarantine network where patches and updates can be downloaded and installed. The NAP policy server can then revalidate the client.
We recommend a phased implementation: a reporting-only period, followed by a delayed-enforcement phase in which clients are given time to update before being quarantined. Or you can go straight to immediate enforcement, even for clients not under your direct control. There is one rather large caveat: you must be running a client that a NAP server can check natively, and as of now that list includes only Vista, Win2k8, XP once SP3 ships, and certain Windows Mobile devices. Windows 2000 will reach end of support soon, so don't count on it ever getting native NAP support.
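To make the check-quarantine-revalidate cycle and the three rollout modes concrete, here is an added example (ours, not Microsoft's NAP code or anything from the article) that models a policy server's decision. The policy fields, the KB identifiers, the StatementOfHealth record and the EnforcementMode names are all assumptions chosen for illustration; real NAP uses system health agents and validators, not this data model.

```python
"""Model of a NAP-style health check with phased enforcement.

Added example: not code from the article or from Microsoft's NAP.
The policy structure, update identifiers and mode names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import FrozenSet, List, Optional


class EnforcementMode(Enum):
    REPORT_ONLY = "report-only"   # log non-compliance, never restrict access
    DEFERRED = "deferred"         # restrict only once the grace period ends
    IMMEDIATE = "immediate"       # restrict on the first failed check


@dataclass
class HealthPolicy:
    required_updates: FrozenSet[str]      # update ids the client must have (constructed)
    max_signature_age_days: int           # antivirus signatures older than this fail
    mode: EnforcementMode
    enforce_from: Optional[date] = None   # grace deadline, used only by DEFERRED


@dataclass
class StatementOfHealth:
    client: str
    installed_updates: FrozenSet[str]
    av_signature_date: date
    nap_capable: bool = True              # has a NAP agent (Vista, Win2k8, XP SP3 ...)


@dataclass
class HealthVerdict:
    client: str
    compliant: bool
    access: str                           # "full" or "restricted" (quarantine)
    failures: List[str] = field(default_factory=list)


def evaluate(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> HealthVerdict:
    """Compare one client's statement of health with the policy and decide its access."""
    failures = []
    # Assumption: a client that cannot be checked natively is treated as non-compliant.
    if not soh.nap_capable:
        failures.append("client cannot be natively checked by the NAP server")
    missing = policy.required_updates - soh.installed_updates
    if missing:
        failures.append("missing updates: " + ", ".join(sorted(missing)))
    age_days = (today - soh.av_signature_date).days
    if age_days > policy.max_signature_age_days:
        failures.append(f"antivirus signatures are {age_days} days old")
    compliant = not failures

    restrict = False
    if not compliant:
        if policy.mode is EnforcementMode.IMMEDIATE:
            restrict = True
        elif policy.mode is EnforcementMode.DEFERRED:
            restrict = policy.enforce_from is not None and today >= policy.enforce_from
        # REPORT_ONLY: failures are recorded in the verdict but access stays full
    return HealthVerdict(soh.client, compliant, "restricted" if restrict else "full", failures)


def remediate_and_revalidate(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> HealthVerdict:
    """Simulate the quarantine loop: install what is missing, refresh signatures, re-check."""
    patched = StatementOfHealth(
        client=soh.client,
        installed_updates=soh.installed_updates | policy.required_updates,
        av_signature_date=today,
        nap_capable=soh.nap_capable,
    )
    return evaluate(patched, policy, today)


if __name__ == "__main__":
    # Constructed sample data: two clients checked on a fixed date.
    today = date(2008, 1, 15)
    policy = HealthPolicy(frozenset({"KB000001", "KB000002"}), 30, EnforcementMode.IMMEDIATE)
    stale = StatementOfHealth("laptop-07", frozenset({"KB000001"}), date(2007, 12, 1))
    first = evaluate(stale, policy, today)
    print(first.access, first.failures)                # restricted, two failures
    print(remediate_and_revalidate(stale, policy, today).access)  # full
```

Running the block as a script walks one stale laptop through the immediate-enforcement path and back out of quarantine; switching `policy.mode` to `DEFERRED` with an `enforce_from` date in the future reproduces the grace-period behaviour the phased rollout relies on.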
Microsoft is working on integration with Cisco Systems' Network Access Control. But can NAP compete with a more mature offering like Cisco's NAC from the get-go? We'll put that to the test. Microsoft has said it will release a set of APIs that will allow patch management, antivirus, security, and terminal services vendors to develop software using NAP as a base.
NAP is a role of Windows Server 2008 and doesn't require an additional license, but enforcement for Linux and Mac OS clients will depend on NAP components from third parties.
Finally, Microsoft appears to have made solid advancements in clustering and high availability. Windows Server 2003 provided high availability in two ways: server failover clustering and network load balancing. The quorum model in failover clustering has been improved to eliminate the single point of failure that existed when the quorum disk was lost. Using a voting methodology in what Microsoft calls the "majority quorum model," the clustered servers and the shared storage each get a vote in determining the availability of the clustered resource. As a result, a two-node cluster with shared storage can now survive the loss of the quorum disk: the two nodes and the storage hold one vote each, and any two of the three form a majority. Cluster configuration is easier thanks to an improved management UI with wizard-based setup options.
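The voting rule is simple enough to check by hand, but an added example (ours, not code from the article or from Microsoft) makes the two-node case and its failure combinations explicit. It assumes the rule as the article states it: every node holds one vote, the shared storage optionally holds one, and the cluster stays up only while more than half of all votes are online. The member names are constructed.

```python
"""Majority quorum arithmetic for a failover cluster.

Added example, not code from the article or from Windows clustering.
Assumption: one vote per node, one optional vote for shared storage,
and the cluster survives only with more than half of all votes online.
"""
from itertools import combinations
from typing import Dict, Iterable, Sequence, Tuple


def has_quorum(online_votes: int, total_votes: int) -> bool:
    """Strict majority: the cluster keeps running while online votes exceed half the total."""
    return online_votes * 2 > total_votes


def cluster_members(nodes: Sequence[str], disk_votes: int) -> list:
    """Voting members: each node, plus a 'disk' entry when the shared storage votes."""
    if disk_votes not in (0, 1):
        raise ValueError("shared storage holds at most one vote")
    return list(nodes) + ["disk"] * disk_votes


def survives(nodes: Sequence[str], disk_votes: int, lost: Iterable[str]) -> bool:
    """Does the cluster keep quorum after losing the members named in `lost`?"""
    members = cluster_members(nodes, disk_votes)
    lost_set = set(lost)
    unknown = lost_set - set(members)
    if unknown:
        raise ValueError(f"not a voting member: {sorted(unknown)}")
    online = len(members) - len(lost_set)
    return has_quorum(online, len(members))


def failure_matrix(nodes: Sequence[str], disk_votes: int, max_lost: int = 1) -> Dict[Tuple[str, ...], bool]:
    """Map every combination of up to `max_lost` lost members to survive / fail."""
    members = cluster_members(nodes, disk_votes)
    matrix = {}
    for k in range(1, max_lost + 1):
        for lost in combinations(members, k):
            matrix[lost] = survives(nodes, disk_votes, lost)
    return matrix


if __name__ == "__main__":
    # Constructed two-node cluster, first with the storage voting, then without.
    for disk_votes in (1, 0):
        print(f"shared storage votes: {bool(disk_votes)}")
        for lost, ok in failure_matrix(["node-a", "node-b"], disk_votes, max_lost=2).items():
            print(f"  lose {', '.join(lost):18} -> {'survives' if ok else 'cluster stops'}")
```

With the storage voting, the two-node cluster survives any single loss, including the quorum disk itself; with node votes only, losing either node leaves one of two votes, which is not a majority, so the cluster stops.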
IT can also now disperse clustered resources geographically because Microsoft has eliminated the single-subnet requirement for cluster setup, and configurable heartbeats account for network latency when clusters span a WAN. Network load-balancing enhancements include improved DoS protection, additional health monitoring, and the ability to use a Server Core build as a member of a network load-balancing cluster.
LET THE TESTING BEGIN
Even Microsoft detractors have to agree that Windows Server 2008 represents a more significant advancement of the platform than the Windows 2000 to Windows 2003 upgrade did. In addition, the shared code base of Vista and Windows Server 2008 should deliver tangible benefits to enterprises running Vista Pro, in the form of NAP, faster IP networking, event log forwarding, and better client management.
But will Windows Server 2008's security, client management, virtualization, terminal services, and high-availability advances top best-of-breed third-party systems? Should small and midsize enterprises become early adopters to gain the wide range of role-based services that Windows Server 2008 provides? While we wait for the final version of Windows Server 2008, we'll prep our labs to put these new features to the test.