Protecting Enterprise Networks
Use technologies like Microsoft Network Access Protection (NAP) to prevent compromised or poorly configured computers from connecting to your network.
How Microsoft IT Protects Its Networks
Microsoft IT uses Network Access Protection to ensure the health of computers in two scenarios: within the enterprise and for remote access. The Microsoft intranet includes a community of managed computers that uses Microsoft Domain Isolation IP Security (IPsec) technology and NAP. Machines accessing the intranet remotely use NAP for both Virtual Private Network (VPN) and Microsoft DirectAccess, which establishes bidirectional connectivity with the intranet every time a remote user's DirectAccess-enabled computer connects to the Internet.

In January 2010, 359,771 computers were evaluated and silently auto-remediated when necessary by the NAP Windows System Health Agent (SHA), a client component that maintains and reports one or more aspects of system health. Of that total, there were 36,147 remote machines in NAP Full Enforcement mode, in which computers that are not in compliance are isolated from the network. The agent checks to see that antimalware and antispyware programs are installed, signatures are up to date, and real-time monitoring is enabled; that the computer is configured to receive security updates; and that the Windows Update Agent service is enabled. If the Windows Firewall is disabled, the agent enables it and forces it to remain enabled while the computer is connected to the network. In addition, because approximately one-third of the enterprise's domain-joined laptops are regularly taken out of the intranet environment and connected to the public Internet, auto-remediation ensures that important and critical updates are installed. For more information, see Managing Network Access Protection at Microsoft.
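The check, remediate and isolate cycle the section describes, as an added example that is not Microsoft's code: a small Python model in which a constructed Statement of Health reported by a client is compared against the required state, the fixes the agent is allowed to make silently are applied first, and Full Enforcement mode restricts whatever is still non-compliant. The field names, the choice of which checks count as auto-remediable, and the "reporting" mode that records non-compliance without isolating are assumptions made for this example.

```python
"""Model of NAP-style health evaluation (added example, not Microsoft code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Required state for each health check named in the text. Field names are
# constructed for this example; real NAP agents exchange binary SoH records.
REQUIRED: Dict[str, bool] = {
    "antimalware_installed": True,
    "antimalware_signatures_current": True,
    "antimalware_realtime_enabled": True,
    "auto_update_configured": True,
    "windows_update_agent_running": True,
    "firewall_enabled": True,
}

# Checks the agent may fix silently (assumption: a missing antimalware
# product or stale signatures need more than a configuration flip).
AUTO_REMEDIABLE = {"firewall_enabled", "windows_update_agent_running", "auto_update_configured"}


@dataclass
class Decision:
    compliant: bool
    remediated: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)
    network_access: str = "full"  # "full" or "restricted"


def remediate(soh: Dict[str, bool]) -> Tuple[Dict[str, bool], List[str]]:
    """Apply the silent fixes; return the corrected statement and what was fixed."""
    fixed_state = dict(soh)
    fixed: List[str] = []
    for check in sorted(AUTO_REMEDIABLE):
        if fixed_state.get(check) != REQUIRED[check]:
            fixed_state[check] = REQUIRED[check]
            fixed.append(check)
    return fixed_state, fixed


def evaluate(soh: Dict[str, bool], enforcement: str = "full") -> Decision:
    """Evaluate one client. 'full' isolates non-compliant clients; 'reporting'
    (assumed mode) only records the failure and leaves access unchanged."""
    state, fixed = remediate(soh)
    failed = sorted(c for c, want in REQUIRED.items() if state.get(c) != want)
    compliant = not failed
    access = "restricted" if (enforcement == "full" and not compliant) else "full"
    return Decision(compliant, fixed, failed, access)


def fleet_summary(statements: List[Dict[str, bool]], enforcement: str = "full") -> Dict[str, int]:
    """Aggregate counts of the kind an operations report would carry."""
    summary = {"evaluated": 0, "remediated": 0, "noncompliant": 0, "isolated": 0}
    for soh in statements:
        d = evaluate(soh, enforcement)
        summary["evaluated"] += 1
        summary["remediated"] += bool(d.remediated)
        summary["noncompliant"] += not d.compliant
        summary["isolated"] += d.network_access == "restricted"
    return summary


def _client(**overrides: bool) -> Dict[str, bool]:
    """Constructed healthy client with selected checks overridden."""
    soh = dict(REQUIRED)
    soh.update(overrides)
    return soh


# Constructed sample fleet: healthy, firewall off, update agent stopped, no antimalware.
SAMPLE_FLEET = [
    _client(),
    _client(firewall_enabled=False),
    _client(windows_update_agent_running=False),
    _client(antimalware_installed=False, antimalware_realtime_enabled=False),
]

if __name__ == "__main__":
    for soh in SAMPLE_FLEET:
        print(evaluate(soh, "full"))
    print(fleet_summary(SAMPLE_FLEET, "full"))
```

Running the block prints a decision per client and a fleet summary; the firewall and update-agent clients end up compliant after silent remediation, while the client with no antimalware is the only one restricted under Full Enforcement.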