4-page Case Study - Posted 11/9/2007

Microsoft Corporation

Microsoft Improves Security Policy Compliance with Network Access Protection

With 71,000 highly mobile users worldwide, Microsoft wanted a new way to measure and improve its 300,000+ client computers’ compliance with corporate security policies. The company deployed Network Access Protection (NAP), a feature of the Windows Server® 2008 operating system, to improve the security policy compliance of its desktop computers, roaming portable computers, visiting portable computers, and unmanaged home computers. Now Microsoft is increasing compliance with security policies and adding efficiency to its security management process. The company also benefits from the scalability of NAP and the flexibility to deploy it for a variety of access scenarios—including virtual private network connections, Internet Protocol security access, and Dynamic Host Configuration Protocol address configurations—with varying levels of implementation.

 

Situation

Microsoft develops some of the world’s most-used software, and it is committed to helping people and organizations around the globe realize their potential. At the same time, the company must safeguard its information and employees to minimize disruptions and keep its network healthy.

Doing so isn’t easy. The sheer complexity of the Microsoft environment presents a major challenge in terms of security policies and their compliance. “We’re not your typical enterprise when it comes to policy compliance,” says Tom Baker, Solutions Engineer for Microsoft. “We have 26 different domains in 9 forests across the organization. More than 300,000 client computers are part of our corporate network, and we run 100 or more pre-release versions of software products at any one time.” And Microsoft employees are highly mobile, round-the-clock users of a range of technologies, which exposes them to security risks and complicates IT management and rollouts.

To help safeguard its environment, Microsoft maintains more than 100 different security policies. However, the company had no assurance that the computers on its network were complying with those policies. “We lacked the ability to assess and validate the health of the computers that were joining our network,” says Baker. “We wanted an accurate account of every computer’s status regarding security policies, which could include everything from having the latest updates to running the right antivirus software to having firewalls turned on.”

The company needed an efficient, cost-effective way to monitor the policy-compliance status of desktop computers, roaming portable computers, visiting portable computers, and unmanaged home computers and to encourage or require compliance as appropriate.

Solution

Presented with the objective of better managing the health of the company’s environment, the Microsoft IT department responded by installing Network Access Protection (NAP). Part of the Windows Server® 2008 operating system, NAP provides components and an application programming interface that help administrators assess, monitor, and enforce compliance with health-requirement policies for network access and communication. “The idea was to use NAP to be able to see exactly what our organization looks like. Then we would be able to establish a far healthier network environment by requiring compliance with our policies where necessary,” explains Brent Scallan, Solutions Engineer for Microsoft.

Levels of Network Access Protection

The IT group had the option of deploying NAP in any of three modes: reporting, deferred-enforcement, and full-enforcement. NAP in reporting mode automatically checks each client’s policy compliance and delivers the data to a central repository. It does not restrict users’ access to the network if they have non-compliant computers.

If the group chose to deploy NAP in deferred-enforcement mode, users still would not be restricted from logging on to the network, but IT would be notified of a computer’s non-compliance. “Deferred-enforcement mode is the first time that users see NAP pop-up notifications, which educate them about how to participate in the remediation process,” says Baker. “Users are encouraged to take steps to get their computers compliant, such as visiting a Web site to download and install the most recent security update.” If the auto-remediation feature is turned on, NAP will automatically fix the client computer to bring it into compliance if at all possible.

If the IT group chose full-enforcement mode, NAP would not permit a user with an “unhealthy” client to log on to the network at all. Rather, it would direct users to an isolated environment in which they could remediate their computers. Once their computers were compliant, users would be permitted to log on to the network.
The IT group also could choose a gradual implementation, in which it would initially deploy NAP in reporting or deferred-enforcement mode, or it could opt for an expedited NAP deployment in full-enforcement mode.

A Phased Deployment

Microsoft IT determined that it would use NAP for three types of network access and communication: Internet Protocol security–protected traffic, Dynamic Host Configuration Protocol (DHCP) address configurations, and virtual private network (VPN) connections. “NAP for Internet Protocol security is very easy to deploy in reporting mode, which gave us a very broad reach quickly with minimal infrastructure requirements,” says Scallan. The company elected not to use the 802.1X enforcement scenario as part of the initial deployment.

Before the IT team could deploy NAP for any scenario, it needed to determine which system health agents (SHAs) it would use. SHAs check each client computer’s upgrade state, virus signature, system configuration, and so on for compliance with network access and communication security policies. The team designated three SHAs: a Windows® SHA, a SHA from an antivirus vendor, and the Microsoft® System Center Configuration Manager SHA. Next, the team made sure that those SHAs were installed and enabled on the client computers that it selected to be part of the initial NAP rollout.
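As an added illustration (written for this case study, not Microsoft's NAP implementation), the following Python model shows how statements of health from several SHAs combine into one access decision under the three NAP modes described above, and how reporting-mode data yields the fleet-wide compliance rate that Microsoft IT tracks before enabling full enforcement. The SHA check names, the client fleet and the remediable flag are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    REPORTING = "reporting"
    DEFERRED = "deferred-enforcement"
    FULL = "full-enforcement"


@dataclass
class Client:
    name: str
    firewall_on: bool
    updates_current: bool
    av_signatures_current: bool
    remediable: bool = True   # assumption: can auto-remediation fix this client?


# Hypothetical SHAs: each reports only the checks it is responsible for.
def windows_sha(c):
    return {"firewall_on": c.firewall_on, "updates_current": c.updates_current}


def antivirus_sha(c):
    return {"av_signatures_current": c.av_signatures_current}


SHAS = (windows_sha, antivirus_sha)


def failed_checks(client):
    """Merge every SHA's statement of health; return the names of failed checks."""
    return [check for sha in SHAS for check, ok in sha(client).items() if not ok]


def decide(client, mode, auto_remediation=True):
    """Return (network_access, action) for one client under the given NAP mode."""
    if not failed_checks(client):
        return "full", "compliant"
    if mode is Mode.REPORTING:
        return "full", "logged"              # data goes to the central repository only
    if auto_remediation and client.remediable:
        return "full", "auto-remediated"     # fixed in place, then re-evaluated as healthy
    if mode is Mode.DEFERRED:
        return "full", "user-notified"       # pop-up tells the user how to remediate
    return "restricted", "remediation-network"  # full enforcement: isolated until healthy


def compliance_rate(clients):
    """Fraction of clients with no failed checks (what reporting mode measures)."""
    return sum(1 for c in clients if not failed_checks(c)) / len(clients)


def ready_for_full_enforcement(clients, threshold=0.95):
    """Gate for switching on full enforcement: compliance above the threshold."""
    return compliance_rate(clients) > threshold


# Constructed sample fleet: one healthy client and three non-compliant ones.
FLEET = [
    Client("desk-01", True, True, True),
    Client("desk-02", True, False, True),
    Client("lap-03", False, True, True, remediable=False),
    Client("home-04", True, True, False),
]
```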

Microsoft IT chose the Internet Protocol security (IPsec) scenario as the first for NAP deployment. The company already used an IPsec domain isolation environment, so the team had to identify the dependencies in the NAP pre-release code and put together a policy design in which NAP could interoperate with the existing environment. In June 2006, Microsoft IT rolled out NAP for IPsec to approximately 130,000 client computers worldwide, based on domain membership. The team began with NAP in reporting mode so that it could have its first comprehensive view of the company’s policy compliance. “We really wanted to get a sense of where things stood with regard to system health before we got serious about preventing people from logging on to the network,” says Baker.

In December 2006, Microsoft IT began a small-scale deployment of NAP in the DHCP scenario in two buildings, which house more than 5,000 client computers. As with the IPsec scenario, the DHCP rollout started with NAP in reporting mode. The team is using the data returned from NAP in reporting mode to track its progress in the DHCP and IPsec scenarios for additional component rollout phases and the remediation process. To analyze the collected information from NAP, Microsoft IT built a Web-based reporting mechanism based on Microsoft SQL Server™ 2005 database software.

For VPN connections, the IT group made an exception to the practice of starting with NAP in reporting mode. In October 2007, Microsoft IT launched a small pilot program for NAP in the VPN scenario, with approximately 100 initial users. As of November 2007, NAP is being used with approximately 1,000 VPN users, and that number will increase over time. In order to maintain parity with its existing VPN security requirements, which mandated full-enforcement mode, the company limited the number of users on the VPN pilot. “We couldn’t take a phased approach, as with other NAP scenarios,” says Baker, “so we started out small and took extra care about the tools that we provided for users in case of non-compliance.”

For the most part, the deployment has been a good one for Microsoft IT. Says Baker, “Especially considering the scope of this project, deploying NAP has been straightforward, with little to no impact on users and their productivity. In fact, a lot of people have asked when we’re going to turn on NAP and are shocked to learn that it’s been on for almost a year.”

Future Steps

In November 2007, Microsoft IT begins the process of rolling out NAP to all 300,000+ client computers. It has not yet enforced compliance in the IPsec and DHCP scenarios, although it has switched NAP for IPsec over to deferred-enforcement mode. Before making the move to full-enforcement mode and blocking users from logging on to the network, the Microsoft IT team plans to have its new policies in place and get the company’s compliance numbers to higher than 95 percent. Microsoft IT will use its North America domain, which includes more than 16,000 client computers, for the first trial of full-enforcement mode for the IPsec scenario in December 2007.

Benefits

Through its use of NAP, Microsoft is encouraging an enhanced security environment for its employees. With this scalable, flexible, and comprehensive solution, it is easy for Microsoft IT to gradually help users remediate non-compliant computers without detracting from employee productivity or adding significant management time. “NAP helps contribute to network security because it ensures that all our client computers are meeting our designated security standards,” says Baker.

Enhanced Security

Microsoft already is seeing an improvement in its network health as a result of deploying NAP. For example, data from NAP initially revealed that only a minority of the North America domain–joined computers were compliant with the company’s security policies. However, configuring the system for auto-remediation helped increase compliance to approximately 85 percent, and, within one month of switching to deferred-enforcement mode, that number jumped to over 90 percent.

Excellent Scalability to Support Users Worldwide

Microsoft is supporting its 120,000 NAP IPsec and DHCP client computers with just four servers: two at Microsoft headquarters in Redmond, Washington; one in Dublin, Ireland; and one in Singapore. The VPN scenario is supported by two servers. All six servers are running Windows Server 2008 and a few services, including Network Policy Server (NPS) and, in the case of NAP for IPsec, a health registration authority. The client computers run on the Windows Vista® or Windows XP Service Pack 3 operating systems.

“We’ve been impressed,” says Scallan. “There are times when we’ve had a single server handling more than 70,000 clients without a problem. We won’t deploy in full-enforcement mode with that client/server ratio because we’ll want to have greater availability, but we have no concerns about the scalability of our NAP solution.”

Flexibility for Expanded Management Choices

Microsoft IT opted to deploy NAP for IPsec, DHCP, and VPN to support its complex environment because it felt that using NAP in a combination of scenarios would be most beneficial to the company. “With NAP, companies have the freedom to enhance protection any number of ways, depending on their existing security components, employees’ methods of network access and communication, identified potential vulnerabilities, and so on,” says Baker. “A company can write a new SHA to check a client computer’s compliance with whatever it chooses.”

Additionally, Microsoft IT did not have to wait for full-enforcement mode to benefit from its NAP deployment. “The beauty is that NAP contributes substantial value in all three modes,” says Baker. “For instance, the initial reporting stage provides us with comprehensive, trustworthy information regarding the state of compliance of our network. Analyzing that data shows us the potential impact of making changes to existing IT processes to improve compliance.”

Increased Value Through Comprehensiveness and Integration

Having a comprehensive solution that can work within multiple aspects of network access has made a difference for Microsoft. “Now we can ensure that people are all complying with the same security policies, whether they’re using wireless, wired, or remote access,” says Baker. “Plus, NAP gives us the framework to take the separate network protection pieces that we’ve had for years—update management, antivirus protection, a domain isolation environment, and so on—and tie them together in a single solution that provides a centralized means of understanding our policy definitions, compliance, and remediation. That understanding makes it easier for us to fix any problems that occur within the environment.”

Microsoft IT benefited from the solution’s broad view of the environment and its ability to interoperate. Says Scallan, “Because NAP is an open architecture, we can take advantage of the components that already exist inside our environment, working as necessary with third-party product vendors to integrate their components with our NAP solution.” For instance, implementing the NAP solution didn’t cause the Microsoft IT department to have to change the way it handled update management or antivirus and malware protection inside the company. The team was able to easily integrate the existing products into a strong access control solution—without having to rip everything out and start over.

Improved IT Efficiency

Microsoft IT anticipates significant cost savings when it has NAP completely deployed. Because users receive information about what is wrong with their computers along with the resources to fix problems themselves, the IT team expects reduced help-desk calls and a corresponding reduction in costs. “We anticipate that our use of NAP will result in a 70-percent reduction in help-desk calls about security-related client issues,” says Amith Krishnan, Senior Product Manager for Microsoft.

The company’s IT staff members already enjoy the end-to-end monitoring that provides accurate metrics to support their management of the environment. “We’re able to be a lot more efficient because we have a clear, complete picture of our environment’s health,” says Scallan. “It used to be that our security team had to scan the network to determine compliance with particular individual policies—a passive, time-consuming method. Now we can take proactive steps, gathering valuable data and using it to help us set new policies to enhance the protection of our client computers and, therefore, our network.”

Microsoft IT also is better poised to react to the data that it receives. “We never know where the next threat is going to come from, but NAP puts us in a much better position to respond to a possible problem,” says Scallan.

Windows Server 2008
Windows Server 2008, with built-in Web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, Web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized datacenter. Powerful new tools like IIS 7.0, Server Manager, and Windows PowerShell™ give you more control over your servers and streamline Web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller option for Active Directory® Domain Services harden the operating system and protect your server environment, giving you a solid foundation on which to build your business.

For more information about Windows Server 2008, please visit:
www.microsoft.com/windowsserver2008

 

For More Information

For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com

Solution Overview

Organization Size: 92,000 employees

Organization Profile

Redmond, Washington–based Microsoft is the world’s largest software company, with more than U.S.$44 billion in annual revenues and 71,000 employees worldwide.

Business Situation

Microsoft wanted to foster a healthier IT environment and safeguard itself from potential security-related issues caused by computers that were not up-to-date with its health-requirement policies.

Solution

The company deployed Network Access Protection (NAP) within the Windows Server® 2008 operating system to automate health checks by setting security policies on more than 121,000 network computers.

Benefits
  • Enhanced security
  • Excellent scalability
  • Flexibility for expanded management choices
  • Improved IT efficiency, with an anticipated 70-percent reduction in client security–related help-desk calls

Hardware

HP ProLiant DL380 G4 Server series

Software and Services

Windows Server 2008

Vertical Industries

Software Engineering

Country/Region

United States