Windows 2008 Network Access Protection

One of the features of Windows 2008 that you are going to hear a lot about is Network Access Protection. NAP is a policy enforcement solution that allows you to isolate or disconnect computers that do not meet certain compliance requirements. What do I mean? You can force clients to check their firewall, patch status, etc., and if they don't meet certain criteria then they won't have access to your network.

There are loads of ways to use this: you can integrate it into DHCP, tie it in with IPsec AH and an enterprise PKI, RAS/VPN, etc. You can totally prevent a client from connecting to your network or force a client onto a limited access network so that it can resolve its issues (download updates). Some 70-odd partners are working with MS on this, including AV developers and Cisco. AV vendors will plug in so that their products can confirm that the AV product is up to date and running correctly. NAP will integrate with Cisco NAC: NAP will enforce policy and NAC will ensure that only authorized machines can connect to a network port. And System Center Configuration Manager will also tie into it so that you can (a) ensure that updates are present before allowing a machine to connect to your network and (b) resolve any software update issues on non-compliant computers.
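To make the health-check-then-enforce flow concrete, here is an added example (my own illustration, not code from the post or from Microsoft) that models the decision a NAP health validator makes and the DHCP-style enforcement that follows it. The `StatementOfHealth` and `HealthPolicy` structures, the patch IDs, the addresses and the three sample clients are all constructed stand-ins; the real Statement of Health is a binary structure built by System Health Agents on the client, and this code only mirrors the checks the post names (firewall, patches, AV).

```python
from dataclasses import dataclass
from datetime import date

# Constructed, simplified stand-in for a NAP Statement of Health (SoH).
# Only the fields the post talks about are modelled here.
@dataclass
class StatementOfHealth:
    client: str
    firewall_enabled: bool
    installed_patches: frozenset
    av_running: bool
    av_signature_date: date

# Constructed health policy: which patches must be present and how old
# AV signatures may be before the client is treated as non-compliant.
@dataclass
class HealthPolicy:
    required_patches: frozenset
    max_signature_age_days: int

FULL_ACCESS = "full"        # compliant: normal network access
RESTRICTED = "restricted"   # non-compliant: remediation network only
DENIED = "denied"           # non-compliant and no remediation network offered

def evaluate(soh: StatementOfHealth, policy: HealthPolicy, today: date,
             allow_remediation: bool = True):
    """Validate one SoH against the policy (the job a System Health Validator does).

    Returns (decision, failures); failures lists the checks that did not pass,
    i.e. what the client has to fix while sitting on the remediation network.
    """
    failures = []
    if not soh.firewall_enabled:
        failures.append("firewall disabled")
    missing = sorted(policy.required_patches - soh.installed_patches)
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
    if not soh.av_running:
        failures.append("antivirus not running")
    elif (today - soh.av_signature_date).days > policy.max_signature_age_days:
        failures.append("antivirus signatures older than %d days"
                        % policy.max_signature_age_days)
    if not failures:
        return FULL_ACCESS, []
    return (RESTRICTED if allow_remediation else DENIED), failures

def dhcp_lease_for(decision: str):
    """Constructed illustration of DHCP enforcement.

    A compliant client gets an ordinary lease. A restricted client gets a host
    (/32) mask, no default gateway and static routes only to the remediation
    servers, so it can download updates but reach nothing else. All addresses
    are made-up sample values.
    """
    if decision == FULL_ACCESS:
        return {"address": "10.0.0.50/24", "gateway": "10.0.0.1", "static_routes": []}
    if decision == RESTRICTED:
        return {"address": "10.0.0.50/32", "gateway": None,
                "static_routes": ["10.0.99.10/32"]}  # constructed WSUS/remediation host
    return None  # denied: no lease at all

def demo(allow_remediation: bool = True):
    """Evaluate three constructed clients on a fixed date; returns {client: (decision, failures)}."""
    today = date(2008, 3, 1)
    policy = HealthPolicy(required_patches=frozenset({"KB0000001", "KB0000002"}),
                          max_signature_age_days=7)
    clients = [
        StatementOfHealth("compliant-pc", True, frozenset({"KB0000001", "KB0000002"}), True, date(2008, 2, 28)),
        StatementOfHealth("unpatched-laptop", True, frozenset({"KB0000001"}), True, date(2008, 2, 28)),
        StatementOfHealth("firewall-off-pc", False, frozenset({"KB0000001", "KB0000002"}), True, date(2008, 1, 1)),
    ]
    return {c.client: evaluate(c, policy, today, allow_remediation) for c in clients}

if __name__ == "__main__":
    for name, (decision, failures) in demo().items():
        print(name, "->", decision, failures, dhcp_lease_for(decision))
```

The point to notice is that the decision rests entirely on what the client reports in its SoH; that is why the post is careful to say that NAP enforces policy rather than keeping unauthorized machines off the wire, and why the IPsec enforcement mode (health certificates from the enterprise PKI) is the one to reach for when you need the stronger property.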

This is a pretty complex solution. You can find an introduction to it on the MS site, along with documentation on the architecture and documentation on the policies.

There's one thing to get clear. NAP is not a security solution. It cannot prevent an unauthorised machine from getting on your network; you need Cisco NAC or similar for that. NAP is a policy enforcement solution: only machines that comply with your policies will be allowed full access to your network. This will drastically reduce the risk of infected machines attacking your network. Check it out and see what you think.
