Tuesday, December 30, 2008

The no enforcement design for NAP

The following was published on the MS NAP Team blog. Please read it, it is very interesting, and if you are going to implement a secured wired network (802.1X), you might as well think about NAP at the same time.

http://blogs.technet.com/nap/

Copyright Joe Davies of the MS NAP Team:

The no enforcement design for NAP

Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.

The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.

To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access for the NAP Enforcement settings.

Note
For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.

For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.

Monday, December 29, 2008

Windows 2008 hiberfil.sys - hmmm...

As you might have seen, there is a file on %systemdrive% called hiberfil.sys, and it is the same size as your physical memory, which can be VERY annoying.

It seems that W2K8 Server enables hibernation by default (it is built on the same code base as Vista, which does the same).

This is funny, since I'm not sure how many people actually hibernate a server. Nevertheless, it's something we need to deal with. Particularly for those who do most of their work in VMs.

In a VM, where hibernation is normally replaced by the VM software's suspend feature, that is a sizeable chunk of wasted space. Bear in mind too that hiberfil.sys is a copy of physical memory written to disk at hibernation time, so on a machine that has actually hibernated it can hold credentials, keys and other secrets that were in RAM. In a production environment I would normally want to disable hibernation.

Trouble is, you can't disable hibernation anywhere in the GUI. It must be disabled from an elevated (Run as administrator) command prompt using the command:

powercfg.exe /hibernate off
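For those who prefer to script this across a batch of servers or VMs, here is an added PowerShell example (my own, not from the KB articles) that wraps the same powercfg command: it checks that the shell is elevated, reports how much disk hiberfil.sys is eating compared with installed RAM, disables hibernation, and verifies that the file is gone. It assumes hiberfil.sys lives on %SystemDrive%, which is the default location.

```powershell
# Added example: disable hibernation on Windows Server 2008 / Vista and verify.
# Assumes hiberfil.sys is on %SystemDrive% (the default location).
$hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'

# powercfg /hibernate off fails with a permission error from a non-elevated
# shell, so check for Administrator first and bail out with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}

# Before: compare the file size with installed RAM. hiberfil.sys is a
# hidden+system file, so Get-Item needs -Force to see it at all.
$ramBytes = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
if (Test-Path $hiberfil) {
    $fileBytes = (Get-Item $hiberfil -Force).Length
    '{0}: {1:N0} MB on disk (installed RAM: {2:N0} MB)' -f $hiberfil, ($fileBytes / 1MB), ($ramBytes / 1MB)
} else {
    "$hiberfil not present; hibernation appears to be disabled already."
}

# Disable hibernation. powercfg deletes hiberfil.sys immediately; no reboot needed.
& powercfg.exe /hibernate off
if ($LASTEXITCODE -ne 0) {
    throw "powercfg.exe /hibernate off failed with exit code $LASTEXITCODE"
}

# After: the file should be gone, and 'powercfg /a' should now list
# Hibernate among the sleep states that are NOT available on this system.
if (Test-Path $hiberfil) {
    Write-Warning "$hiberfil is still present; check the powercfg output above."
} else {
    "$hiberfil removed; hibernation is disabled."
}
& powercfg.exe /a
```

To put things back the way they were, the same tool does it: powercfg.exe /hibernate on recreates hiberfil.sys at its full size.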

Please read these MS KB articles for more details:

http://support.microsoft.com/kb/920730
http://support.microsoft.com/kb/929658
How to Disable Hibernation on Windows Vista