SHA—security health agent

There might be several SHAs installed in a computer.

Why many SHAs?

XP with SP3, Vista, Windows 7, and Windows 2008 include a MSSHA.DLL, the Microsoft System Health Agent. This agent monitors Windows Security Center, which includes Windows Firewall, Spyware protection, Antivirus Protection, and Automatic Updating.

Microsoft also provides the following agents:

• Forefront Client Security SHA (FCS SHA)
• System Center Configuration Manager SHA (SCCM SHA)

Computer Associates company provides "CA Threat Manager r8.1, which includes an eTrust SHA and SHV".

Kaspersky Lab company provides "Kaspersky Administration Kit 7.0", which includes a Kaspersky Lab SHA and SHV.

NAP Enforcement Client

A NAP EC requests some level of access to a network, passes the computer's health status to a NAP enforcement point that is providing the network access, and indicates the limited or unlimited network access status of the NAP client to other components of the NAP client architecture.

Run command: netsh nap client show configuration. You see the NAP Enforement clients for XP with SP3, Vista, 2008 and Windows 7.

Enforcement clients:
----------------------------------------------------
Name = DHCP Quarantine Enforcement Client
ID = 79617
Admin = Disabled

Name = Remote Access Quarantine Enforcement Client
ID = 79618
Admin = Disabled

Name = IPSec Relying Party
ID = 79619
Admin = Disabled

Name = TS Gateway Quarantine Enforcement Client
ID = 79621
Admin = Disabled

Name = EAP Quarantine Enforcement Client
ID = 79623
Admin = Enabled

•An IPsec NAP EC for IPsec-protected communications
•An EAPHost NAP EC for 802.1X-authenticated connections
•A VPN NAP EC for remote access VPN connections
•A DHCP NAP EC for DHCP-based IPv4 address configuration
•A TS Gateway NAP EC for TS Gateway connections

SHV—Security Health Validator
Windows Server 2008 includes a SHV.

A System Health Agent has a corresponding System Health Validator as shown below:

NAP Enforcement Server (NAP ES)

A NAP ES allows some level of network access or communication, can pass a NAP client's health status to a NAP health policy server for evaluation, and, based on the response, can provide the enforcement of limited network access.

Statement of Health (SoH)

System Statement of Health (SSoH)

NAP Agent Service collects the SoHs from different SHAs and creates a SSoH. The SSoH indicates the overall health of NAP client system.

The corresponding SHV creates a statement of health response (SoHR).

System Statement of Health Response (SSoHR)

The NPS service collects the SoHRs from different SHVs and creates a System Statement of Health Response (SSoHR). The SSoHR indicates whether the NAP client is compliant or noncompliant and is sent back to NAP client.

System Health Validators: e.g. a client computer must have Windows Firewall enabled.

Health Policies: based on results of System Health Validator check, a client computer is classified as compliant health status or noncompliant health status.

Network Policies.

Compliant client computers will be allowed unrestricted network access. Noncompliant client will have their access restricted through DHCP to specify a restricted subnet. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.

Connection Request Policies:

• Requires HRA (Health Registration Authentication) as the network access server for client authentication
• Requires DHCP as the network access server for client authentication
• Requires the client computer to perform protected EAP (PEAP) authentication before being granted access to the network

Remediation Server Groups

Remediation server groups allow you to specify servers that are made available to noncompliant NAP clients so that they can remediate their health state and become compliant with health requirements. Both DHCP enforcement and VPN enforcement can use remediation server groups. The remediation server groups don’t work for IPsec enforcement and 802.1X enforcement.