Windows Security Health Validator

Applies To: Windows Server 2008

The Windows Security Health Validator (WSHV) provides settings that you can configure based on the requirements of your deployment. When you enable requirements in the WSHV, client computers that do not meet all of these requirements are evaluated as noncompliant with the WSHV. Depending on settings in network policy and health policy, client computers that are noncompliant with the WSHV might have their network access restricted and be automatically remediated. Whether or not a client computer that is noncompliant with the WSHV is ultimately noncompliant with NAP health policy depends on the System Health Validators (SHVs) that are configured in health policy as required for compliance.

To use the WSHV, client computers must be running Windows XP with Service Pack 3 (SP3), Windows Vista®, or Windows® 7. Computers running Windows Server® 2008 or Windows Server® 2008 R2 can be NAP clients, but you must use a different SHV for these computers, because the WSHV requires that Windows Security Center be present on the client computer and Windows Security Center is not available on server operating systems.

WSHV settings

If a client computer is noncompliant with one of the requirements of the WSHV, it is considered noncompliant with the WSHV as a whole. If a computer is determined to be noncompliant with the WSHV, the following actions might be taken:

  • Depending on the NAP enforcement settings in network policy, the network configuration, and the type of NAP enforcement method used, the client computer might have its network access restricted.

  • If you have enabled automatic remediation, the client computer will attempt to automatically update settings so that it is compliant. For more information about automatic remediation, see Health Enforcement and Remediation.

Important

Remediation might be unsuccessful if there is a conflict between WSHV requirements and client security settings, such as those enforced by Group Policy. For example, the WSHV might require that a firewall is enabled, but Group Policy settings might disable the firewall. A conflict in these settings can also cause the client computer to cycle between compliant and noncompliant states.

You can configure the following WSHV settings:

Firewall

If you select A firewall is enabled for all network connections, the firewall settings on the client computer are verified. To use this setting, the firewall software running on the client computer must be Windows Firewall or other firewall software that is compatible with Windows Security Center. Firewall software that is not compatible with Windows Security Center cannot be detected or managed by the Windows Security Health Agent (WSHA) on the client computer, so such a firewall does not satisfy this requirement even if it is running.

If you enable A firewall is enabled for all network connections and a Windows Security Center compatible firewall is not enabled on the client computer, it is evaluated as noncompliant with requirements of the WSHV.

If you do not select A firewall is enabled for all network connections, the WSHA on the client computer will ignore firewall settings on the client computer.

Virus protection

If you select An antivirus application is on, the WSHA on the client computer checks to see if antivirus software is running on the client computer. The antivirus application must be compatible with Windows Security Center. Antivirus software that is not compatible with Windows Security Center cannot be managed or detected by the WSHA on the client computer.

If you enable An antivirus application is on and Windows Security Center does not report the presence of a compatible antivirus application on the client computer, it is evaluated as noncompliant with requirements of the WSHV.

If you select Antivirus is up to date, the WSHA on the client computer checks with Windows Security Center to verify that the definitions for your antivirus application are up to date. To verify both that antivirus software is running and that its definitions are the most recent available, you must select both An antivirus application is on and Antivirus is up to date.

Note

The antivirus application is responsible for acquiring and installing virus definitions. If the client computer is evaluated as noncompliant because virus definitions are out of date, Windows Security Center will not automatically download and install an update.

Spyware protection

If you select An antispyware application is on, the WSHA on the client computer checks to see if antispyware software is running on the client computer. The antispyware application must be one that is compatible with Windows Security Center, such as Windows Defender. Antispyware software that is not compatible with Windows Security Center cannot be managed or detected by the WSHA on the client computer.

If you select Antispyware is up to date, the WSHA on the client computer checks with Windows Security Center to verify that the definitions for your antispyware application are up to date. To verify both that antispyware software is running and that its definitions are the most recent available, you must select both An antispyware application is on and Antispyware is up to date.

Note

You can only choose An antispyware application is on if the client computer is running Windows Vista® or Windows® 7. The WSHA on NAP client computers running Windows XP SP3 does not monitor the status of antispyware applications.

The antispyware application is responsible for acquiring and installing spyware definitions. If the client computer is evaluated as noncompliant because spyware definitions are out of date, Windows Security Center will not automatically download and install an update.
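The following PowerShell script is an added example for troubleshooting; it is not code from the original article or from Microsoft. It reproduces, on a Windows Vista or Windows 7 client, the Windows Security Center checks behind the Firewall, Virus protection and Spyware protection settings above, so that you can see which requirement the WSHA would report as failing. The root\SecurityCenter2 WMI namespace, its productState bit layout, and the HNetCfg.FwPolicy2 COM interface used for the built-in Windows Firewall are assumptions of this example, not facts from the article; Windows XP SP3 exposes a different root\SecurityCenter namespace and is not handled here.

```powershell
# Added example, not code from the original article or from Microsoft.
# Assumptions (not from the article): root\SecurityCenter2 exists on Vista/7;
# productState bit 0x1000 set = product on, bit 0x10 set = definitions out of
# date; Windows Firewall itself is not listed as a FirewallProduct, so it is
# checked through HNetCfg.FwPolicy2 instead.

function Get-SecurityCenterProduct {
    param([string]$Class)   # AntiVirusProduct, AntiSpywareProduct or FirewallProduct
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $Class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $state = [int]$_.productState
            New-Object PSObject -Property @{
                Class    = $Class
                Name     = $_.displayName
                Enabled  = (($state -band 0x1000) -ne 0)
                UpToDate = (($state -band 0x10) -eq 0)   # meaningful for AV and antispyware only
                State    = ('0x{0:X6}' -f $state)
            }
        }
}

# Windows Firewall must be on for every profile that is currently active
# ("all network connections"), not just the domain profile.
function Test-WindowsFirewallAllActiveProfiles {
    $policy = New-Object -ComObject 'HNetCfg.FwPolicy2'
    $active = $policy.CurrentProfileTypes        # bitmask: 1 domain, 2 private, 4 public
    foreach ($profile in 1, 2, 4) {
        if ((($active -band $profile) -ne 0) -and (-not $policy.FirewallEnabled($profile))) {
            return $false
        }
    }
    return $true
}

# Each switch corresponds to one WSHV check box; a requirement passes when at
# least one Security Center compatible product reports it satisfied.
function Test-WshvSecurityCenterCompliance {
    param(
        [switch]$FirewallRequired,
        [switch]$AntivirusOn,
        [switch]$AntivirusUpToDate,
        [switch]$AntispywareOn,
        [switch]$AntispywareUpToDate
    )
    $fw = @(Get-SecurityCenterProduct 'FirewallProduct')
    $av = @(Get-SecurityCenterProduct 'AntiVirusProduct')
    $as = @(Get-SecurityCenterProduct 'AntiSpywareProduct')
    $failures = @()

    if ($FirewallRequired) {
        $thirdParty = @($fw | Where-Object { $_.Enabled })
        if ($thirdParty.Count -eq 0 -and -not (Test-WindowsFirewallAllActiveProfiles)) {
            $failures += 'A firewall is enabled for all network connections'
        }
    }
    if ($AntivirusOn -and @($av | Where-Object { $_.Enabled }).Count -eq 0) {
        $failures += 'An antivirus application is on'
    }
    if ($AntivirusUpToDate -and @($av | Where-Object { $_.Enabled -and $_.UpToDate }).Count -eq 0) {
        $failures += 'Antivirus is up to date'
    }
    if ($AntispywareOn -and @($as | Where-Object { $_.Enabled }).Count -eq 0) {
        $failures += 'An antispyware application is on'
    }
    if ($AntispywareUpToDate -and @($as | Where-Object { $_.Enabled -and $_.UpToDate }).Count -eq 0) {
        $failures += 'Antispyware is up to date'
    }

    New-Object PSObject -Property @{
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
        Products  = ($fw + $av + $as)
    }
}

# Usage: evaluate the client against a WSHV that has every setting selected.
$report = Test-WshvSecurityCenterCompliance -FirewallRequired -AntivirusOn -AntivirusUpToDate `
                                             -AntispywareOn -AntispywareUpToDate
$report.Products | Format-Table Class, Name, Enabled, UpToDate, State -AutoSize
if ($report.Compliant) { 'Compliant with WSHV' } else { 'Noncompliant:'; $report.Failures }
```

A product that is installed but not registered with Windows Security Center never appears in the Products table, which is exactly the case the article describes as undetectable by the WSHA; if the table is empty for a class you expect to see, that is the reason for the noncompliant result rather than a definitions or firewall problem.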

Automatic updating

If you select Automatic Updating is on, and Windows Update is not enabled on the client computer, the client computer is evaluated as noncompliant with requirements of the WSHV. Windows Update is enabled when one of the following settings is selected on the client computer:

  • Install updates automatically (recommended)

  • Download updates, but let me choose whether to install them

  • Check for updates, but let me choose whether to download and install them

If automatic updating and automatic remediation are both enabled and the computer is noncompliant, the WSHA will attempt to change the Windows Update setting to Install updates automatically (recommended).

Security update protection

If you select Restrict access for clients that do not have all available security updates installed, the WSHA on the client computer checks to see if security updates have been installed. It will also check the source used for updates and the last time the source was contacted.

Enabling security update protection checks the client computer for the following:

  • The severity level of installed updates. This is the severity level assigned by the Microsoft Security Response Center (MSRC) for the update. If a client computer is missing one or more security updates of the specified severity level, or a higher level, it will be evaluated as noncompliant with the WSHV. Use the drop-down menu to choose a minimum required severity level for updates. A severity level of Low and above is chosen by default. You can require the following levels:

    1. Critical Only: requires that critical updates are installed.

    2. Important and above: requires that important and critical updates are installed.

    3. Moderate and above: requires that moderate, important, and critical updates are installed.

    4. Low and above: requires that all security updates are installed.

    5. All: the same as Low and above.

  • The number of hours since the client synchronized with an update source. This is only assessed when the client joins the network. If the time since the client's last online scan against its update source exceeds the value specified, the client computer is considered noncompliant with the WSHV. The default for this value is 22 hours, and it can be configured from 1 to 72 hours. If automatic remediation is selected in the NAP policy, the WSHV will instruct the WSHA to perform an online scan to check for new security updates.

  • The type of source used to receive updates. There are three sources for getting updates: Windows Server Update Services (WSUS), Windows Update, and Microsoft Update. You can configure the WSHV to allow updates from some or all of these sources. When the client reports its status with respect to installed updates and provides the update source, the WSHV will accept this status only if the source is allowed. Microsoft Update contains all updates and is accepted by default. You can also configure the WSHV to accept updates only from WSUS.

Note

If you have configured client computers to automatically remediate noncompliant health states, the WSHA will automatically download and install any missing updates. The WSHA on the client computer will query the Windows Update Agent service for updates when the computer starts or when the computer joins a network, and every hour thereafter.
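The following PowerShell script is an added example for troubleshooting and is not code from the original article or from Microsoft. It reproduces on the client the checks behind both the Automatic updating setting and the Security update protection setting described above: the Automatic Updates mode, the hours since the last successful update search, the update source in use, and the security updates missing at or above a chosen MSRC severity; it also performs the one remediation step the article describes (switching to Install updates automatically). The Windows Update Agent COM objects it uses (Microsoft.Update.AutoUpdate, Microsoft.Update.Session, Microsoft.Update.ServiceManager), the meaning of their NotificationLevel values, the UseWUServer policy value and the service display names are assumptions of this example rather than facts from the article. The defaults of 22 hours and Low and above are taken from the article.

```powershell
# Added example, not code from the original article or from Microsoft.
# Assumptions (not from the article): Windows Update Agent COM members used
# below; NotificationLevel 0 not configured, 1 disabled, 2 check only,
# 3 download only, 4 install automatically; a UseWUServer=1 policy value means
# the client is using WSUS. Run elevated for Set-AutoUpdateInstallAutomatically.

$SeverityRank = @{ 'Critical' = 4; 'Important' = 3; 'Moderate' = 2; 'Low' = 1; 'All' = 1 }

function Get-AutoUpdateState {
    $au    = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = $au.Settings.NotificationLevel
    # The article's three "Windows Update is enabled" settings are levels 2, 3 and 4.
    New-Object PSObject -Property @{
        NotificationLevel = $level
        Enabled           = ($level -ge 2)
        ManagedByPolicy   = [bool]$au.Settings.ReadOnly   # Group Policy controls it; remediation cannot
        LastSearchSuccess = $au.Results.LastSearchSuccessDate
    }
}

function Get-UpdateSource {
    # A WSUS policy overrides whatever service is registered as the default with the agent.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                            -Name UseWUServer -ErrorAction SilentlyContinue
    if ($pol -and $pol.UseWUServer -eq 1) { return 'Windows Server Update Services' }
    $svc = (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services |
           Where-Object { $_.IsDefaultAUService } | Select-Object -First 1
    if ($svc) { return $svc.Name }      # 'Windows Update' or 'Microsoft Update'
    return 'Unknown'
}

function Get-MissingSecurityUpdates {
    param([string]$MinimumSeverity = 'Low')
    # This is an online scan against the configured source, the same kind of scan
    # remediation triggers; it can take a while.
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $minRank  = $SeverityRank[$MinimumSeverity]
    $missing  = @()
    foreach ($u in $result.Updates) {
        $sev = [string]$u.MsrcSeverity            # empty for updates that are not security updates
        if ($sev -and $SeverityRank[$sev] -ge $minRank) {
            $missing += New-Object PSObject -Property @{ Severity = $sev; Title = $u.Title }
        }
    }
    return $missing
}

function Test-WshvUpdateCompliance {
    param(
        [string]   $MinimumSeverity   = 'Low',   # article default: Low and above
        [int]      $MaxHoursSinceSync = 22,      # article default: 22 hours
        [string[]] $AllowedSources    = @('Windows Update', 'Microsoft Update', 'Windows Server Update Services')
    )
    $failures = @()
    $state    = Get-AutoUpdateState
    if (-not $state.Enabled) { $failures += 'Automatic Updating is on' }

    $hours = [double]::PositiveInfinity            # never synchronized counts as too long ago
    if ($state.LastSearchSuccess -is [datetime] -and $state.LastSearchSuccess.Year -gt 1900) {
        $hours = ((Get-Date) - $state.LastSearchSuccess).TotalHours
    }
    if ($hours -gt $MaxHoursSinceSync) {
        $failures += "Last synchronized $([int]$hours) hours ago (limit $MaxHoursSinceSync)"
    }

    $source = Get-UpdateSource
    if ($AllowedSources -notcontains $source) { $failures += "Update source '$source' is not allowed" }

    $missing = @(Get-MissingSecurityUpdates -MinimumSeverity $MinimumSeverity)
    if ($missing.Count -gt 0) {
        $failures += "$($missing.Count) security update(s) of severity $MinimumSeverity or higher missing"
    }

    New-Object PSObject -Property @{
        Compliant = ($failures.Count -eq 0); Failures = $failures
        AutoUpdate = $state; Source = $source; MissingUpdates = $missing
    }
}

# What automatic remediation does for the Automatic updating requirement.
function Set-AutoUpdateInstallAutomatically {
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    if ($settings.ReadOnly) { throw 'Automatic Updates is controlled by Group Policy; change the policy, not the client.' }
    $settings.NotificationLevel = 4
    $settings.Save()
}

# Usage: a WSHV configured for Important and above, accepting updates only from WSUS.
$report = Test-WshvUpdateCompliance -MinimumSeverity 'Important' -AllowedSources 'Windows Server Update Services'
$report.MissingUpdates | Format-Table Severity, Title -AutoSize
if ($report.Compliant) { 'Compliant with WSHV' } else { 'Noncompliant:'; $report.Failures }
```

The ReadOnly check in Set-AutoUpdateInstallAutomatically is the practical form of the conflict the Important note above warns about: when Group Policy owns the Automatic Updates setting, remediation on the client cannot change it, and the client stays noncompliant until the policy is corrected.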