Design a Staging Strategy
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
You can use step-by-step guides and small-scale pilot deployments to become familiar with NAP processes, update infrastructure, and refine your criteria for compliance. For more information, including links to step-by-step guides for each enforcement method, see Additional NAP Resources.
In addition to lab testing, pilot deployments are essential for understanding how your NAP design will work in a production environment. The following phases are used in a deployment in a corporate environment:
Reporting mode. Noncompliant computers do not receive NAP notifications and no network access restriction occurs. The health status of client computers is logged. To implement reporting mode, use a NAP enforcement setting of Allow full network access in noncompliant network policy.
Deferred enforcement mode. Noncompliant computers receive NAP notifications, but no network access restriction occurs until the date that you specify. The health status of client computers is logged. To implement deferred enforcement mode, use a setting of Allow full network access for a limited time in noncompliant network policy.
Full enforcement mode. Noncompliant computers receive NAP notifications and network access is restricted. The health status of client computers is logged. To implement full enforcement mode, use a setting of Allow limited access in noncompliant network policy.
These modes are implemented through NAP enforcement settings in noncompliant client network policy, as shown in the following figure.
NAP network policy enforcement settings
During each phase, the risks and benefits of deployed system health agents are evaluated, and adjustments to NAP settings are made to obtain the most benefit.
The following table lists typical stages of a NAP deployment.
Stage | Description | Outcome |
---|---|---|
Architecture, design, and threat modeling |
Identify threats; decide on enforcement types; identify pilot sites. |
Prioritized threats identified; governance policy defined. |
Reporting mode pilot |
Deploy NAP to report compliance levels. Start with a contained site or subnet and expand. |
Ongoing state of compliance reported; automatic remediation initiated. |
Deferred enforcement pilot |
Notify users of noncompliance. Identify and address the reasons for noncompliance. Stay in this mode until more than 90 percent of the computers in the pilot are compliant. |
Help desk impact understood; users apply updates themselves; update infrastructure improved. |
Enforcement mode pilot |
Restrict noncompliant users based on group membership. |
Noncompliant computers are isolated until they are compliant. |
Add system health agents |
Add more system health agents. Configure NAP to first report and then later enforce when compliance levels are high enough to meet your goals. |
Additional criteria for compliance added. |
Add sites and scale out |
Scale beyond initial pilot into global deployment. |
NAP benefits realized throughout the corporate network. |
Repeat process for new enforcement types. |
Add new enforcement types, as required by the architecture and design. |
Additional threats mitigated. |
For more information, see Stages of a NAP Deployment.