Protecting Your Organization

Protecting Enterprise Networks

Use technologies like Microsoft Network Access Protection (NAP) to prevent compromised or poorly configured computers from connecting to your network.

How Microsoft IT Protects Its Networks

Microsoft IT uses Network Access Protection to ensure the health of computers in two scenarios: within the enterprise and for remote access. The Microsoft intranet includes a community of managed computers that uses Microsoft Domain Isolation IP Security (IPsec) technology and NAP. Machines accessing the intranet remotely use NAP for both Virtual Private Network (VPN) and Microsoft DirectAccess, which establishes bidirectional connectivity with the intranet every time a remote user's DirectAccess-enabled computer connects to the Internet.

In January 2010, 359,771 computers were evaluated and silently auto-remediated when necessary by the NAP Windows System Health Agent (SHA), a client component that maintains and reports one or more aspects of system health. Of that total, 36,147 were remote machines in NAP Full Enforcement mode, in which computers that are not in compliance are isolated from the network.

The agent checks that antimalware and antispyware programs are installed, that signatures are up to date, and that real-time monitoring is enabled; that the computer is configured to receive security updates; and that the Windows Update Agent service is enabled. If the Windows Firewall is disabled, the agent enables it and forces it to remain enabled while the computer is connected to the network. In addition, because approximately one-third of the enterprise's domain-joined laptops are regularly taken out of the intranet environment and connected to the public Internet, auto-remediation ensures that important and critical updates are installed. For more information, see Managing Network Access Protection at Microsoft.
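The checks listed above (antimalware and antispyware present with current signatures and real-time protection on, firewall enabled on every profile, Windows Update Agent service enabled, automatic updates not switched off) can be reproduced locally with a short PowerShell script. The script below is an added example, not code from the Microsoft IT article or from the NAP product; NAP itself was deprecated in Windows Server 2012 R2 and is not present in Windows 10 or Windows Server 2016 and later, so this example performs equivalent checks with the Defender, NetSecurity and Service cmdlets that ship with those releases, and re-enables a disabled firewall profile the way the article says the SHA does. The signature-age threshold, the `-Remediate` switch, the exit codes and the Automatic Updates registry policy key are assumptions chosen for illustration, not settings the article documents.

```powershell
# Added example (not from the Microsoft IT article): local health check that
# mirrors what the article says the Windows SHA verifies, with optional
# auto-remediation of the firewall. Assumes Windows 10 / Server 2016 or later
# with the Defender and NetSecurity modules present; run from an elevated shell.
[CmdletBinding()]
param(
    [int]$MaxSignatureAgeDays = 3,   # assumption: the acceptable signature age is a policy choice
    [switch]$Remediate                # re-enable disabled firewall profiles, as the SHA does
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Antimalware / antispyware installed, signatures current, real-time monitoring on
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus is not enabled') }
    if (-not $mp.AntispywareEnabled)        { $findings.Add('Antispyware is not enabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
    }
    if ($mp.AntispywareSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Antispyware signatures are $($mp.AntispywareSignatureAge) days old")
    }
} catch {
    # No Defender status means no supported antimalware is reporting at all
    $findings.Add("No Microsoft Defender status available: $($_.Exception.Message)")
}

# 2. Windows Firewall enabled on every profile (Domain, Private, Public);
#    with -Remediate, switch a disabled profile back on instead of only reporting it
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        if ($Remediate) {
            Set-NetFirewallProfile -Name $fwProfile.Name -Enabled True
            $findings.Add("Firewall profile '$($fwProfile.Name)' was disabled; re-enabled")
        } else {
            $findings.Add("Firewall profile '$($fwProfile.Name)' is disabled")
        }
    }
}

# 3. Windows Update Agent service must not be disabled (StartType needs PowerShell 5+)
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') {
    $findings.Add('Windows Update service (wuauserv) is disabled')
}

# 4. Configured to receive security updates: the Group Policy value NoAutoUpdate=1
#    turns Automatic Updates off. Assumption: only the policy key is consulted;
#    WSUS/Intune-managed state is not inspected here.
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
        -Name NoAutoUpdate -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    $findings.Add('Automatic Updates are disabled by policy')
}

# Report. Exit code 0 = compliant, 1 = non-compliant, so the script can be used
# from a logon script, a scheduled task or a configuration-management compliance item.
if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: all health checks passed'
    exit 0
} else {
    $findings | ForEach-Object { Write-Output "NONCOMPLIANT: $_" }
    exit 1
}
```

Run it as `.\Check-Health.ps1` to audit only, or `.\Check-Health.ps1 -Remediate` to also re-enable any disabled firewall profile. On a client that still has the NAP Agent service, `netsh nap client show state` shows the agent's own view of its enforcement clients and SHAs, which is the authoritative source for what the article's NAP deployment actually evaluated.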

Managing Risk
