How to Set Up Network Access Protection (NAP) on Windows Server 2012 R2

Network Access Protection (NAP) is a policy enforcement platform included in Windows Server 2012 R2 that evaluates the health state of client computers before granting them full network access. NAP can check whether clients have current OS patches, antivirus definitions, Windows Firewall enabled, and other configurable health requirements. Non-compliant clients can be quarantined to a restricted network segment where remediation resources are available, and automatically brought into compliance before regaining full access. While NAP was deprecated after Windows Server 2012 R2, it remains a functional feature for organizations that have not yet migrated to modern NAC solutions.

Prerequisites

  • Windows Server 2012 R2 for the NAP health policy server (NPS with NAP enabled)
  • Windows Server 2012 R2 DHCP server (for DHCP enforcement), or 802.1X-capable switches/wireless APs (for 802.1X enforcement)
  • Domain-joined Windows client computers (Vista/7/8/2008R2/2012R2) running the NAP Agent
  • PKI infrastructure for certificate-based scenarios
  • Two VLANs: Full-access network and Restricted (remediation) network

Step 1: Install NPS with NAP

# Install NPS (includes NAP policy engine)
Install-WindowsFeature NPAS -IncludeManagementTools -Restart

# After restart, verify NPS feature is installed
Get-WindowsFeature NPAS

Step 2: Enable the NAP Agent on Client Computers

The NAP Agent service must run on client computers to report health state to the NPS server. Enable via Group Policy for domain-joined clients:

Navigate to Computer Configuration → Windows Settings → Security Settings → System Services → Network Access Protection Agent and set the startup type to Automatic.

# Manually start and configure NAP Agent on a client for testing
Start-Service napagent
Set-Service napagent -StartupType Automatic
Get-Service napagent

Alternatively, enable the NAP Agent through the GUI on an individual machine: Control Panel → System and Security → NAP Client Configuration → Enable.

Step 3: Configure the System Health Validator

The Windows Security Health Validator (WSHV) is built into Windows and checks client health including Windows Firewall status, antivirus status, automatic update settings, and antispyware. Configure it on the NPS server:

Open NPS console (nps.msc) → Network Access Protection → System Health Validators → Windows Security Health Validator → Properties:

  • Check A firewall is enabled for all network connections
  • Check Virus protection is up to date
  • Check Automatic updating is enabled
  • Configure the Automatic Updating setting for your patch schedule

Step 4: Create Health Policies

Health Policies define what “compliant” and “non-compliant” means by mapping System Health Validator results to policy outcomes.

In NPS console: Network Access Protection → Health Policies → New:

Create two policies:

  1. NAP-Compliant-Full-Access:
    • Client SHV checks: Client passes all SHV checks
    • SHVs used in this health policy: Windows Security Health Validator
  2. NAP-NonCompliant-Restricted:
    • Client SHV checks: Client fails one or more SHV checks
    • SHVs used: Windows Security Health Validator

Step 5: Configure DHCP-Based NAP Enforcement

DHCP enforcement is the simplest NAP enforcement method: the DHCP server hands compliant and non-compliant clients different IP configurations. It is also the weakest method, because it only governs clients that take their configuration from DHCP, so treat it as a hygiene control rather than a security boundary.

Install DHCP role if not present:

Install-WindowsFeature DHCP -IncludeManagementTools

Configure NAP enforcement on the DHCP scope:

# Enable NAP on a DHCP scope
# Open DHCP console (dhcpmgmt.msc) → right-click scope → Properties → Network Access Protection tab
# Select "Use Network Access Protection for this scope"

# Or via PowerShell:
Set-DhcpServerv4Scope -ScopeId 10.0.1.0 -NapEnable $true -NapProfile "Full Access"

# Configure restricted scope for non-compliant clients (separate scope)
Add-DhcpServerv4Scope -Name "NAP Restricted" -StartRange 10.0.99.1 -EndRange 10.0.99.254 -SubnetMask 255.255.255.0

# Set DNS servers for restricted scope (point to remediation DNS)
Set-DhcpServerv4OptionValue -ScopeId 10.0.99.0 -DnsServer 10.0.99.254

Step 6: Create Network Policies for NAP

In NPS console, create network policies that map health policy outcomes to access levels:

Policy 1: Compliant Clients – Full Access

Policies → Network Policies → New:

  • Conditions: Health Policy = NAP-Compliant-Full-Access
  • Access: Grant access
  • Settings → NAP Enforcement: Allow full network access

Policy 2: Non-Compliant Clients – Restricted Access

  • Conditions: Health Policy = NAP-NonCompliant-Restricted
  • Access: Grant access (restricted)
  • Settings → NAP Enforcement: Allow limited access; Auto-remediation: Enabled
  • Settings → IP Filters: Route to restricted subnet only

Step 7: Configure Remediation Server Group

Non-compliant clients in the restricted network must be able to reach remediation servers (WSUS, antivirus update servers) to fix their health issues:

In NPS console: Network Access Protection → Remediation Server Groups → New

# Configure remediation servers:
# WSUS server: 10.0.99.10 (Windows Update Services)
# Antivirus update server: 10.0.99.11
# DNS server: 10.0.99.254

# Apply this group to the non-compliant network policy
# Policies → Network Policies → NAP Non-Compliant Policy → Settings → NAP Enforcement
# → Remediation server group: (select the group)

Step 8: Configure Client NAP Enforcement

On client computers, configure the DHCP enforcement client:

# Enable DHCP enforcement on NAP agent
netsh nap client set enforcement ID=79617 ADMIN=enable

# Trusted server groups list the Health Registration Authority (HRA) servers used by IPsec
# enforcement; the DHCP enforcement client does not consult them, so this is only needed if
# IPsec enforcement is also deployed. Servers are given as an HRA URL (DomainHRA/hcsrvext.dll
# is the default HRA virtual directory); in production use the name on the HRA certificate.
netsh nap client add trustedservergroup name="Corp-NAP-Servers"
netsh nap client add server group="Corp-NAP-Servers" url="https://10.0.0.10/DomainHRA/hcsrvext.dll"

# Show NAP client configuration
netsh nap client show configuration

Step 9: Test NAP Enforcement

Test the NAP policy by temporarily disabling Windows Firewall on a test client and observing whether it is quarantined:

# On test client: disable firewall to trigger non-compliant state
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# Release and renew IP address to trigger NAP re-evaluation
ipconfig /release
ipconfig /renew

# Check assigned IP - should be from restricted scope (10.0.99.x)
ipconfig /all

# Re-enable firewall to restore compliant state
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
ipconfig /release
ipconfig /renew
# Should receive full-access IP address (10.0.1.x)
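Beyond spot-checking a single test client, the NAP decisions NPS makes are audited to the Security log on the health policy server, which is where you confirm the policies from Steps 4 and 6 are being hit and spot hosts that never remediate. The script below is an added example, not part of the original article; it assumes the NPS event IDs 6276/6277/6278 and the EventData field names SubjectUserName, CallingStationID, NetworkPolicyName and QuarantineSystemHealthResult as they appear in the 2012 R2 event schema.

```powershell
# Added example: summarise NAP health-policy decisions audited by NPS (run on the NPS server).
# NPS audit events (source Microsoft-Windows-Security-Auditing, Security log):
#   6276 = client quarantined (restricted access)
#   6277 = access granted on probation (health policy not met, deferred enforcement)
#   6278 = full access granted because the host met the health policy
# EventData field names below are assumed to match the Windows Server 2012 R2 event schema.
param(
    [int]$Hours = 24,
    [int]$RepeatThreshold = 3   # flag hosts quarantined at least this many times in the window
)

$outcome = @{ 6276 = 'Quarantined'; 6277 = 'Probation'; 6278 = 'FullAccess' }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6276, 6277, 6278
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$decisions = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> pairs into a name -> value lookup
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Outcome   = $outcome[[int]$e.Id]
        Account   = $fields['SubjectUserName']        # machine account for computer health checks
        ClientMAC = $fields['CallingStationID']
        Policy    = $fields['NetworkPolicyName']      # should be one of the Step 6 policies
        SHVResult = $fields['QuarantineSystemHealthResult']
    }
}

# Totals per outcome: a healthy deployment shows mostly FullAccess with transient quarantines
$decisions | Group-Object Outcome | Select-Object Name, Count | Format-Table -AutoSize

# Hosts repeatedly quarantined: auto-remediation or the remediation server group is not working
$decisions | Where-Object Outcome -eq 'Quarantined' |
    Group-Object Account | Where-Object Count -ge $RepeatThreshold |
    ForEach-Object {
        $last = $_.Group | Sort-Object Time | Select-Object -Last 1
        [pscustomobject]@{
            Account = $_.Name; Quarantines = $_.Count
            LastPolicy = $last.Policy; LastSHVResult = $last.SHVResult
        }
    } | Format-Table -AutoSize
```

These events are only written when the "Network Policy Server" audit subcategory is enabled (auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable).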

Summary

Network Access Protection on Windows Server 2012 R2 provides automated health policy enforcement that prevents non-compliant clients from accessing the full corporate network. By configuring NPS as the health policy server, defining compliant and non-compliant health policies using the Windows Security Health Validator, implementing DHCP enforcement to redirect non-compliant clients to a restricted subnet, and setting up remediation servers to help clients achieve compliance, you have built an automated network hygiene enforcement system. While NAP was deprecated after WS2012R2, understanding its architecture informs the design of modern NAC solutions.