[MS-GPNAP]:

Group Policy: Network Access Protection (NAP) Extension

Intellectual Property Rights Notice for Open Specifications Documentation

Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions.

Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

License Programs. To see all of the protocols in scope under a specific license program and the associated patents, visit the Patent Map.

Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit

Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Support. For questions and support, please contact .

Revision Summary

Date / Revision History / Revision Class / Comments
4/23/2010 / 0.1 / Major / First Release.
6/4/2010 / 1.0 / Major / Updated and revised the technical content.
7/16/2010 / 1.1 / Minor / Clarified the meaning of the technical content.
8/27/2010 / 1.1 / None / No changes to the meaning, language, or formatting of the technical content.
10/8/2010 / 1.1 / None / No changes to the meaning, language, or formatting of the technical content.
11/19/2010 / 1.1 / None / No changes to the meaning, language, or formatting of the technical content.
1/7/2011 / 1.1 / None / No changes to the meaning, language, or formatting of the technical content.
2/11/2011 / 1.1 / None / No changes to the meaning, language, or formatting of the technical content.
3/25/2011 / 2.0 / Major / Updated and revised the technical content.
5/6/2011 / 3.0 / Major / Updated and revised the technical content.
6/17/2011 / 3.1 / Minor / Clarified the meaning of the technical content.
9/23/2011 / 3.1 / None / No changes to the meaning, language, or formatting of the technical content.
12/16/2011 / 4.0 / Major / Updated and revised the technical content.
3/30/2012 / 5.0 / Major / Updated and revised the technical content.
7/12/2012 / 5.0 / None / No changes to the meaning, language, or formatting of the technical content.
10/25/2012 / 5.0 / None / No changes to the meaning, language, or formatting of the technical content.
1/31/2013 / 6.0 / Major / Updated and revised the technical content.
8/8/2013 / 7.0 / Major / Updated and revised the technical content.
11/14/2013 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
2/13/2014 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/15/2014 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/30/2015 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
10/16/2015 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
7/14/2016 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/1/2017 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.

Table of Contents

1 Introduction
  1.1 Glossary
  1.2 References
    1.2.1 Normative References
    1.2.2 Informative References
  1.3 Overview
    1.3.1 Background
    1.3.2 Group Policy Extension Overview
  1.4 Relationship to Protocols and Other Structures
  1.5 Applicability Statement
  1.6 Versioning and Localization
  1.7 Vendor-Extensible Fields
2 Structures
  2.1 Trace Settings
    2.1.1 Enable Tracing
    2.1.2 Tracing Level
  2.2 User Interface Settings
    2.2.1 SmallText
    2.2.2 LargeText
    2.2.3 ImageFile
    2.2.4 ImageFileName
  2.3 Enforcement Client Settings
    2.3.1 DHCP Enforcement
    2.3.2 Remote Access Enforcement
    2.3.3 IPsec Enforcement
    2.3.4 RDG Enforcement
    2.3.5 EAP Enforcement
  2.4 Health Registration Authority (HRA) Settings
    2.4.1 PKCS#10 Certificate Settings
      2.4.1.1 Cryptographic Service Provider (CSP)
      2.4.1.2 Cryptographic Provider Type
      2.4.1.3 Public Key OID
      2.4.1.4 Public Key Length
      2.4.1.5 Public Key Spec
      2.4.1.6 Hash Algorithm OID
    2.4.2 HRA Auto-Discovery
    2.4.3 Use SSL
    2.4.4 HRA URLs
      2.4.4.1 Server
      2.4.4.2 Order
    2.4.5 Reconnect Attempts
  2.5 SoH Settings
    2.5.1 Task Timer
    2.5.2 Backward Compatible
3 Structure Examples
4 Security
  4.1 Security Considerations for Implementers
  4.2 Index of Security Fields
5 Appendix A: Product Behavior
6 Change Tracking
7 Index

1 Introduction

The Group Policy: Network Access Protection (NAP) Extension protocol specifies functionality to control client computer access to network resources. Access can be granted or restricted per client computer based on its identity and its degree of compliance with corporate governance policy. For non-compliant client computers, NAP specifies automatic methods to reinstate compliance and to dynamically upgrade access to network resources.

Sections 1.7 and 2 of this specification are normative. All other sections and examples in this specification are informative.

1.1 Glossary

This document uses the following terms:

Active Directory domain: A domain hosted on Active Directory. For more information, see [MS-ADTS].

certification authority (CA): A third party that issues public key certificates. Certificates serve to bind public keys to a user identity. Each user and certification authority (CA) can decide whether to trust another user or CA for a specific purpose, and whether this trust should be transitive. For more information, see [RFC3280].

client-side extension GUID (CSE GUID): A GUID that enables a specific client-side extension on the Group Policy client to be associated with policy data that is stored in the logical and physical components of a Group Policy Object (GPO) on the Group Policy server, for that particular extension.

cryptographic service provider (CSP): A software module that implements cryptographic functions for calling applications that generate digital signatures. Multiple CSPs may be installed. A CSP is identified by a name represented by a NULL-terminated Unicode string.

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section 1.1.1.5.2 and [MS-ADTS]. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS, only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest. The domain controller is the server side of Authentication Protocol Domain Support [MS-APDS].

Dynamic Host Configuration Protocol (DHCP): A protocol that provides a framework for passing configuration information to hosts on a TCP/IP network, as described in [RFC2131].

enforcement client: An enforcement client uses the health state of a computer to request a certain level of access to a network. For more information about enforcement clients, see [MSDN-NAP].

globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).

Group Policy: A mechanism that allows the implementer to specify managed configurations for users and computers in an Active Directory service environment.

Group Policy Object (GPO): A collection of administrator-defined specifications of the policy settings that can be applied to groups of computers in a domain. Each GPO includes two elements: an object that resides in the Active Directory for the domain, and a corresponding file system subdirectory that resides on the sysvol DFS share of the Group Policy server for the domain.

Group Policy server: A server holding a database of Group Policy Objects (GPOs) that can be retrieved by other machines. The Group Policy server must be a domain controller (DC).

health certificate enrollment agent (HCEA): The client-side component in the Health Certificate Enrollment Protocol. The HCEA is responsible for receiving health certificates from a health registration authority (HRA). This term can also be used to refer to the client machine in the Health Certificate Enrollment Protocol.

health registration authority (HRA): The server-side component in the Health Certificate Enrollment Protocol. The HRA is a registration authority (RA) that requests a health certificate from a certification authority (CA) upon validation of health.

language code identifier (LCID): A 32-bit number that identifies the user interface human language dialect or variation that is supported by an application or a client computer.

Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377].

Network Access Protection (NAP): A feature of an operating system that provides a platform for system health-validated access to private networks. NAP provides a way of detecting the health state of a network client that is attempting to connect to or communicate on a network, and limiting the access of the network client until the health policy requirements have been met. NAP is implemented through quarantines and health checks, as specified in [TNC-IF-TNCCSPBSoH].

object identifier (OID): In the context of a directory service, a number identifying an object class or attribute. Object identifiers are issued by the ITU and form a hierarchy. An OID is represented as a dotted decimal string (for example, "1.2.3.4"). For more information on OIDs, see [X660] and [RFC3280] Appendix A. OIDs are used to uniquely identify certificate templates available to the certification authority (CA). Within a certificate, OIDs are used to identify standard extensions, as described in [RFC3280] section 4.2.1.x, as well as non-standard extensions.

public key: One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a digital certificate. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1.

Public Key Cryptography Standards (PKCS): A group of Public Key Cryptography Standards published by RSA Laboratories.

registry: A local system-defined database in which applications and system components store and retrieve configuration data. It is a hierarchical data store with lightly typed elements that are logically stored in tree format. Applications use the registry API to retrieve, modify, or delete registry data. The data stored in the registry varies according to the version of the operating system.

statement of health (SoH): A collection of data generated by a system health entity, as specified in [TNC-IF-TNCCSPBSoH], which defines the health state of a machine. The data is interpreted by a Health Policy Server, which determines whether the machine is healthy or unhealthy according to the policies defined by an administrator.

statement of health response (SoHR): A collection of data that represents the evaluation of the statement of health (SoH) according to network policies, as specified in [TNC-IF-TNCCSPBSoH].

system health agent (SHA): The client components that make declarations on a specific aspect of the client health state and generate a statement of health ReportEntry (SoH ReportEntry).

tool extension GUID or administrative plug-in GUID: A GUID defined separately for each of the user policy settings and computer policy settings that associates a specific administrative tool plug-in with a set of policy settings that can be stored in a Group Policy Object (GPO).

Unicode: A character encoding standard developed by the Unicode Consortium that represents almost all of the written languages of the world. The Unicode standard [UNICODE5.0.0/2007] provides three forms (UTF-8, UTF-16, and UTF-32) and seven schemes (UTF-8, UTF-16, UTF-16 BE, UTF-16 LE, UTF-32, UTF-32 LE, and UTF-32 BE).

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

1.2 References

Links to a document in the Microsoft Open Specifications library point to the correct section in the most recently published version of the referenced document. However, because individual documents in the library are not updated at the same time, the section numbers in the documents may not match. You can confirm the correct section numbering by checking the Errata.

1.2.1 Normative References

We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact . We will assist you in finding the relevant information.

[MS-DHCPN] Microsoft Corporation, "Dynamic Host Configuration Protocol (DHCP) Extensions for Network Access Protection (NAP)".

[MS-DTYP] Microsoft Corporation, "Windows Data Types".

[MS-GPOL] Microsoft Corporation, "Group Policy: Core Protocol".

[MS-GPREG] Microsoft Corporation, "Group Policy: Registry Extension Encoding".

[MS-HCEP] Microsoft Corporation, "Health Certificate Enrollment Protocol".

[MS-LCID] Microsoft Corporation, "Windows Language Code Identifier (LCID) Reference".

[MS-PEAP] Microsoft Corporation, "Protected Extensible Authentication Protocol (PEAP)".

[MS-TSGU] Microsoft Corporation, "Terminal Services Gateway Server Protocol".

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997,

[RFC2616] Fielding, R., Gettys, J., Mogul, J., et al., "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999,

[RFC2782] Gulbrandsen, A., Vixie, P., and Esibov, L., "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000,

[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000,

[RFC2986] Nystrom, M. and Kaliski, B., "PKCS#10: Certificate Request Syntax Specification", RFC 2986, November 2000,

[RFC3174] Eastlake III, D., and Jones, P., "US Secure Hash Algorithm 1 (SHA1)", RFC 3174, September 2001,

[RFC3447] Jonsson, J. and Kaliski, B., "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003,

[TNC-IF-TNCCSPBSoH] TCG, "TNC IF-TNCCS: Protocol Bindings for SoH", version 1.0, May 2007,

1.2.2 Informative References

[MS-NAPOD] Microsoft Corporation, "Network Access Protection Protocols Overview".

[MSDN-ALG] Microsoft Corporation, "CNG Algorithm Identifiers",

[MSDN-CSP] Microsoft Corporation, "Cryptographic Provider Names",

[MSDN-DHCP] Microsoft Corporation, "Dynamic Host Configuration Protocol",

[MSDN-NAP] Microsoft Corporation, "Network Access Protection",

[MSDN-RAS] Microsoft Corporation, "RASENTRY structure",

[MSDN-SC] Microsoft Corporation, "Smart Card Minidriver Specification",

[MSFT-IPSEC] Microsoft Corporation, "IPsec",

[MSFT-NAPIPSEC] Microsoft Corporation, "IPsec Enforcement Configuration",

[MSFT-RDG] Microsoft Corporation, "Configuring the TS Gateway NAP Scenario",

1.3 Overview

Network Access Protection (NAP) is a platform that controls access to network resources, based on a client computer's identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access, based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. Based on the degree of compliance, NAP can implement different enforcement methods that can restrict or limit client access to the network. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then to dynamically increase its level of network access. The NAP architecture is specified in [MS-NAPOD].

The behavior of NAP can be controlled through Group Policy by updating the client registry, as specified in [MS-GPOL] and in [MS-GPREG]. This mechanism can be used by an administrator to enable or disable NAP enforcement, to set Health Registration Authorities (HRAs) to be used by the client, and to control client user interface and tracing. All NAP group policies are machine-specific, meaning that the same policy is applied to all users on a given machine.
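The registry extension referenced above ([MS-GPREG]) is the transport for every NAP setting this specification defines: the Group Policy server publishes the machine settings as records in a registry.pol file under the GPO's file system path, and the Group Policy client writes each record into its local registry. The following Python example, added here and not part of this specification or of any Microsoft implementation, encodes and parses that record format so an administrator can audit which machine-wide settings a GPO would push before it reaches clients. The registry key paths, value names and HRA URL in the sample are constructed placeholders; the real NAP registry locations are defined in section 2 of this specification and are not reproduced here.

```python
import struct

# Registry value types used by the sample (Win32 registry API constants).
REG_SZ = 1
REG_DWORD = 4

# Hypothetical key paths and value names, constructed for this example only.
# The real NAP registry locations are defined in section 2 of [MS-GPNAP].
SAMPLE_ENTRIES = [
    (r"SOFTWARE\Example\NAP-PLACEHOLDER\Enforcement Clients\DHCP", "Enabled", REG_DWORD, 1),
    (r"SOFTWARE\Example\NAP-PLACEHOLDER\HRA\Servers\0", "Url", REG_SZ,
     "https://hra.example.invalid/HRA-PLACEHOLDER"),
    (r"SOFTWARE\Example\NAP-PLACEHOLDER\Tracing", "Level", REG_DWORD, 2),
]


def _u16(text):
    """Encode text as UTF-16LE, the string encoding registry.pol uses."""
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Encode (key, value_name, type, data) tuples as registry.pol bytes.

    Layout per [MS-GPREG]: "PReg" + 32-bit version 1, then one
    [key;value;type;size;data] record per entry; brackets and semicolons
    are UTF-16LE characters, key and value are null-terminated UTF-16LE.
    """
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, name, rtype, data in entries:
        if rtype == REG_DWORD:
            raw = struct.pack("<I", data)
        elif rtype == REG_SZ:
            raw = _u16(data + "\x00")          # REG_SZ data keeps its terminator
        else:
            raw = bytes(data)
        out += _u16("[") + _u16(key + "\x00") + _u16(";") + _u16(name + "\x00")
        out += _u16(";") + struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(raw)) + _u16(";") + raw + _u16("]")
    return bytes(out)


def _read_utf16z(buf, pos):
    """Read a null-terminated UTF-16LE string at pos; return (text, next_pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_registry_pol(buf):
    """Parse registry.pol bytes into a list of {key, name, type, data} records."""
    if buf[:4] != b"PReg":
        raise ValueError("missing PReg signature")
    (version,) = struct.unpack_from("<I", buf, 4)
    if version != 1:
        raise ValueError("unsupported registry.pol version %d" % version)
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        (rtype,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        (size,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        raw = buf[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif rtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = raw                          # other types are left as raw bytes
        records.append({"key": key, "name": name, "type": rtype, "data": data})
    return records


def find_setting(records, key, name):
    """Return the decoded data for key\\name (case-insensitive), or None if unset."""
    for rec in records:
        if rec["key"].lower() == key.lower() and rec["name"].lower() == name.lower():
            return rec["data"]
    return None


def sample_records():
    """Round-trip the constructed sample so the parser can be exercised offline."""
    return parse_registry_pol(build_registry_pol(SAMPLE_ENTRIES))
```

Pointing parse_registry_pol at the Machine\registry.pol of a real GPO and diffing the result against the intended NAP configuration is a cheap pre-deployment check; because all NAP policies are machine-specific, only the machine-side file matters here.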