Windows Server 2003 r2 and Server 2008 r2

  • Question

  • Very new to the Server Community and have what is probably a question that may or may not have an easy resolution:

    1. On Servers 2003 and 2008, both R2, is there a way to set it up so that users who log into my domain server must be as up to date on Windows Updates and our current Anti Virus definitions as the Domain server before it lets them log into it?

    Monday, July 23, 2012 6:03 PM


All replies

  • Hello Michael, 

    Could you please elaborate more on what you are trying to accomplish?


    Regards, Ravikumar P

    Monday, July 23, 2012 6:06 PM
  • Very new to the Server Community and have what is probably a question that may or may not have an easy resolution:

    1. On Servers 2003 and 2008, both R2, is there a way to set it up so that users who log into my domain server must be as up to date on Windows Updates and our current Anti Virus definitions as the Domain server before it lets them log into it?

    You might be interested in Network Access Protection.

    Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

    Details: http://technet.microsoft.com/en-us/network/bb545879.aspx


    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    • Proposed as answer by Steve Kline Monday, July 23, 2012 8:20 PM
    • Marked as answer by Cicely Feng Friday, July 27, 2012 8:28 AM
    Monday, July 23, 2012 6:11 PM
    • Marked as answer by Cicely Feng Friday, July 27, 2012 8:29 AM
    Monday, July 23, 2012 6:12 PM
  • I have laptops/desktops that are used by a lot of the office staff to gain access to our Domain Server.

    These laptops/desktops are not always kept "up to speed" by the end user (Windows Updates, Symantec End Point definitions Updates).

    What I am looking for is a way to Deny login if the laptop/desktop that the person is using is not as up to date on Microsoft/Windows Security definitions or Anti Virus definitions as the Domain Server itself is, until they have "updated" all that they need to, to meet the minimum requirements set by a policy in the Server itself.

    Does that make sense?

    Monday, July 23, 2012 6:14 PM
  • What is/Is there the equivalent option for Server 2003 r2? 

    Monday, July 23, 2012 6:21 PM
  • Hi, 

    I suggest you use the WSUS console and the Anti-virus SW management console to check for the laptops/desktops that are not up to date. Or else use the SMS/SCCM tool's SW inventory option and pull out a report of laptops/desktops which are not up to date. Based on the report, push the latest updates to those systems.

    Or else instruct the users and remind them to make sure their laptops/desktops are up-to-date.


    Regards, Ravikumar P

    Monday, July 23, 2012 6:25 PM
  • What is/Is there the equivalent option for Server 2003 r2? 

    NAP needs to be installed on a server running 2008/R2; however, as an NAP client, 2003 is supported AFAIK. NAP can also be used if you have 2003 Domain Controllers.

    If you have SCCM infra in place then NAP can be used along with that as a tightly integrated feature.

    If you have specific questions on NAP, I would suggest you create new threads in the NAP sub forum for definitive answers.

    Here is a link for NAP forum: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/threads


    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    • Marked as answer by Cicely Feng Friday, July 27, 2012 8:29 AM
    Monday, July 23, 2012 6:37 PM
  • There is Network Access Quarantine Control in 2003 but it's not an equivalent option because it provides protection only for remote access connections.

    http://technet.microsoft.com/library/bb726973.aspx

    Regards,

    • Marked as answer by Cicely Feng Friday, July 27, 2012 8:29 AM
    Monday, July 23, 2012 6:39 PM
  • I have laptops/desktops that are used by a lot of the office staff to gain access to our Domain Server.

    These laptops/desktops are not always kept "up to speed" by the end user (Windows Updates, Symantec End Point definitions Updates).

    What I am looking for is a way to Deny login if the laptop/desktop that the person is using is not as up to date on Microsoft/Windows Security definitions or Anti Virus definitions as the Domain Server itself is, until they have "updated" all that they need to, to meet the minimum requirements set by a policy in the Server itself.

    Does that make sense?

    Yes, what you are asking is possible to achieve and NAP can be used for that.

    As mentioned in my previous post, for more info, you might want to post questions in NAP forum.


    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

    Monday, July 23, 2012 6:46 PM
  • Very new to the Server Community and have what is probably a question that may or may not have an easy resolution:

    1. On Servers 2003 and 2008, both R2, is there a way to set it up so that users who log into my domain server must be as up to date on Windows Updates and our current Anti Virus definitions as the Domain server before it lets them log into it?

    I was about to start a NAP statement and read down and Santosh answered...

    Your Server 2003 server really cannot work this way. This network remediation feature was improved greatly for Server 2008 and later.


    Steve Kline
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
    Microsoft Certified Product Specialist & Network Product Specialist
    Red Hat Certified System Administrator
    Microsoft® Community Contributor Award 2011
    This posting is "as is" without warranties and confers no rights.

    Monday, July 23, 2012 8:22 PM