Want to keep client systems "in line" with company policies and enforce anti-virus compliance?
Even though the title is a little long-winded, check out the Microsoft Forefront Integration Kit for Network Access Protection.
This free add-on kit consists of two pieces. The first is the System Health Agent (SHA), which is installed as a 'snap-in' piece for the NAP client that comes with Vista SP1 and Windows XP SP3.
The other piece is the System Health Validator (SHV), which resides on the Windows Server 2008 server that runs the Network Policy Server role and 'snaps in' with the NPS components that reside there.
A common policy that can be enforced is a combination of:
1. Forefront Client Security (FCS) must be installed.
2. FCS must be running.
3. FCS signatures must be up to date.
Depending on how you configure the compliance settings, you can send systems into the remediation zone, or simply pop up a warning balloon. Other configurable options are available too.
I was fortunate enough to see the kit at the Forefront Airlift. Soon after, I was able to participate in the alpha test for this kit, which consisted of building up a few new virtual machines that were paired with the MS-provided System Center and Forefront demonstration VHD kit. Make sure to check out my system name cheat sheet for the demo kit.
Thankfully everything went very smoothly and the updated package makes for a great demo - these were the steps I used:
#1: Imported all Virtual PC VHDs into Hyper-V.
#2: Uninstalled the Virtual Machine Additions on all VHDs.
#3: Upgraded all Server 2003 VHDs to Windows 2003 SP2.
#4: Installed the Hyper-V Integration Services on all Server 2003 VHDs.
#5: Upgraded WSUS from 2.0 to 3.0 SP1, with WSUS using the existing SQL 2005 instance.
#6: Upgraded FCS from the expired beta code to RTM.
#7: Brought all VHDs up to current with Windows Update, including the SQL backend to SP2.
#8: Built up a Windows 2008 x86 VM to run the AD DS, DNS, NPS and DHCP roles and installed the FCS SHV.
#9: Upgraded the XP clients to XP SP3 and installed the FCS SHA.
#10: Tested XP clients in real time for compliance by turning off AV and other "fun" activities.
Overall, it “just works”, and I like that. I didn't have to fight with any problematic programs or issues.
The Microsoft Forefront Integration Kit for Network Access Protection is now in beta, so you can join the Connect program for it here. You will need to be signed in with a Connect account to access the code.