Can you rely on MS Network Access Protection?

09.08.2006
Viruses and malware are often stopped by software defenses that run on the desktop; in fact, the antivirus, antispyware and other security suite software business has rapidly become a very lucrative industry. As useful as those protections are, however, the best solution would be for such threats never to get a chance to access the network -- like the old saying goes, "The quickest way out of something is to never have been in it."

In Longhorn Server, Microsoft Corp. has crafted a technology that allows computers to be examined against a baseline set by an administrator, and if a machine doesn't stack up in any way against that baseline, the system can be prevented from accessing the network -- quarantined, as it were, from the healthy systems until the user fixes his broken machine. This functionality is called Network Access Protection (NAP).

You might know of NAP's predecessor, Network Access Quarantine Control (NAQC). It debuted in Windows Server 2003 as a more limited form of quarantine protection. NAQC is limited to protecting your corporate network against remote users: It prevents unhindered access to a network for a remote user until after his computer has been verified as meeting a certain set of baselines that a network administrator sets.

Under NAQC, when a client establishes a connection to a remote network's endpoint, the client will receive an IP address, but Internet Authentication Service establishes a quarantine mode that is lifted only after health verification is complete. While NAQC is useful, it requires programming a baseline script to set up; its management facilities are next to none; and most critically, it offers no safeguards against infected machines inside the corporate campus.

How it works

NAP addresses these weaknesses and builds on the solid premise of NAQC -- that stopping spyware and viruses dead, before they can ever reach the network, is the best line of defense. NAP in Longhorn Server (which may be called Windows Server 2007) can be considered in three different parts: