Security and identity (Network Access Protection, Parental Controls) Paulius Švagždys

Contents Network Access Protection Examples of system health requirements NAP API Requirements Limitations Parental Controls Restrictions Using Parental Controls APIs Example

Network Access Protection Network Access Protection (NAP) is a set of operating system components that provide a platform for protected access to private networks. The NAP platform provides an integrated way of evaluating the system health state of a network client and restricting the access until health policy requirements have been met. The Network Access Protection platform is not available starting with Windows 10.

Examples of system health requirements Whether the computer has the most recent operating system updates installed. Whether the computer has the latest version of the anti- virus software signature. Whether the computer has a host-based firewall installed and enabled. Computers with a NAP client will have their health status evaluated upon establishing a network connection. NAP can restrict or deny network access to the computers that are not in compliance with the defined health requirements.

NAP API NAP is an extensible platform that provides an infrastructure and an API set for adding components that store, report, validate, and correct a computer's system health state.

Requirements For the NAP enforcement methods, programmers should be familiar with networking protocols and technologies such as Remote Authentication Dial-in User Service (RADIUS), Dynamic Host Configuration Protocol (DHCP), virtual private networks (VPNs), the IEEE 802.1X standard for wired and wireless access, and Internet Protocol security (IPsec). The NAP platform requires NAP infrastructure servers running Windows Server 2008 or later and NAP clients running Windows XP with Service Pack 3 (SP3), Windows Vista, or later operating systems.

Limitations NAP is not designed to secure a network from malicious users. If a computer has all the software and configurations that the network access policy requires, the computer is considered healthy or compliant, and it will be granted the appropriate access to the network. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.

Parental Controls Parental Controls functionality is used to monitor and limit exposure of selected computer users to online dangers and inappropriate content. The Parental Controls technology in Windows is intended to assist diligent parents or guardians in ensuring access to appropriate materials by age or maturity level for those under their guardianship.

Restrictions (1) Every account with administrator rights has privileges to perform the parent or guardian role of viewing log data and setting policies. Parental controls may only be set on standard-rights users (formerly called Least-privileged User Accounts, or LUAs), as only they cannot alter logs and settings with Access Control Lists (ACLs) configured only for administrators to write.

Restrictions (2) With the exception of items such as ratings system definitions, settings available for manipulation by the Parental Controls User Interface may also be modified by exposed APIs. As a consumer technology, Parental Controls is not deployed in business SKUs.

Using Parental Controls APIs (1) Development involves use of up to three APIs: Basic settings access The Parental Controls minimum compliance COM API (Compliance API) for simple access to a key subset of Parental Controls state Full settings write/read access If you need to modify settings Logging Event Tracing and Reporting system API (also referred to as ETW) for publishing activity events into the Parental Controls logs

Using Parental Controls APIs (2) Developing for Parental Controls requires access to three header files: Wpc.h, WpcApi.h, and WpcEvent.h. Wpc.h is a collector that includes the settings public compliance API and event headers, so it is sufficient to include Wpc.h in application code.

Example Parameters: pcszSID - the SID string of the user. If this parameter is NULL, retrieve settings for the current user. ppSettings - a pointer to an IWPCSettings interface pointer. Result: S_OK - the method completed successfully. E_INVALIDARG - a pointer argument is NULL. E_FILE_NOT_FOUND - the user settings were not found. E_OUT_OF_MEMORY - there is insufficient memory to complete the operation. E_FAIL - the method failed.

Bibliography https://docs.microsoft.com/en-us/windows/desktop/NAP/network-access- protection-start-page https://docs.microsoft.com/en-us/windows/desktop/parcon/parental- controls-portal https://www.wikiwand.com/en/Network_Access_Protection