Security Solutions

3-64
Designing Access Controls
Choose Endpoint Integrity Testing Methods
Requirements for Agentless Testing
To undergo agentless testing, the endpoint must make its RPC service available to the NAC 800. The endpoint must meet these requirements:
• RPC service (native on all testable Windows OSs) is supported and activated.
• File and print sharing is enabled.
• Ports 137, 138, 139, and 445 are open on the endpoint's firewall.
• For the user to view all end-user screens, the endpoint's browser security settings must allow Java scripting from the NAC 800.
In addition, as discussed above, the NAC 800 requires administrator credentials for the endpoint (typically, those of a domain administrator).
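The requirements above can be audited on an endpoint before a zone is enrolled for agentless testing. The following PowerShell script is an added example, not part of the NAC 800 guide; it assumes Windows 8 / Server 2012 or later (for the NetSecurity and NetAdapter cmdlets), the standard Windows service and binding names (RpcSs, LanmanServer, ms_server), and a placeholder NAC 800 address that you must replace.

```powershell
# Added example, not part of the NAC 800 guide: audit a Windows endpoint for the
# agentless-testing prerequisites (RPC, file and print sharing, inbound ports).
# Assumes Windows 8 / Server 2012 or later for the NetSecurity and NetAdapter
# cmdlets. $Nac800Address is a placeholder; replace it with your NAC 800's IP.
$Nac800Address = '192.0.2.10'        # placeholder (RFC 5737 documentation range)
$Required = @(                       # NetBIOS name/datagram over UDP, session/SMB over TCP
    @{ Port = 137; Protocol = 'UDP' }, @{ Port = 138; Protocol = 'UDP' },
    @{ Port = 139; Protocol = 'TCP' }, @{ Port = 445; Protocol = 'TCP' })

# True if any supplied port filter (protocol, single port, or range) covers the port.
function Test-PortAllowed([int]$Port, [string]$Protocol, $Filters) {
    foreach ($f in $Filters) {
        if ($f.Protocol -ne 'Any' -and $f.Protocol -ne $Protocol) { continue }
        foreach ($lp in @($f.LocalPort)) {
            if ($lp -eq 'Any') { return $true }
            if ($lp -match '^(\d+)-(\d+)$') {
                if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
            } elseif ($lp -eq "$Port") { return $true }
        }
    }
    return $false
}

function Test-AgentlessReadiness {
    # 1. RPC service (RpcSs) running.
    $rpc = Get-Service -Name RpcSs -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'RPC service running'; Pass = ($rpc.Status -eq 'Running') }

    # 2. File and print sharing: Server service running and ms_server bound to an adapter.
    $srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $bound = Get-NetAdapterBinding -ComponentID ms_server -ErrorAction SilentlyContinue |
             Where-Object Enabled
    [pscustomobject]@{ Check = 'File and print sharing enabled'
                       Pass  = ($srv.Status -eq 'Running') -and ($null -ne $bound) }

    # 3. Each required port allowed inbound by an enabled, non-blocking firewall rule.
    $filters = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
               Get-NetFirewallPortFilter
    foreach ($r in $Required) {
        [pscustomobject]@{ Check = "Inbound $($r.Protocol) $($r.Port) allowed"
                           Pass  = (Test-PortAllowed $r.Port $r.Protocol $filters) }
    }
}

Test-AgentlessReadiness | Format-Table -AutoSize

# Least-privilege way to satisfy requirement 3 (run elevated): allow the ports only
# from the NAC 800 rather than from any source; create a matching UDP rule for 137,138.
# New-NetFirewallRule -DisplayName 'NAC 800 agentless test (TCP)' -Direction Inbound `
#     -Protocol TCP -LocalPort 139,445 -RemoteAddress $Nac800Address -Action Allow
```

Any check that reports False is a requirement the NAC 800 will not be able to satisfy transparently, so the endpoint would fall through to the end-user access screens described below.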
Advantages and Disadvantages of Agentless Testing
Agentless testing does not require any installation on the endpoint, so it is easy to deploy and maintain and involves little administrative overhead. In addition, the testing can occur—from beginning to end—without user interaction. However, you must ensure that the endpoints meet the requirements listed above, and you must know the correct agentless credentials. For these reasons, agentless testing works best on managed endpoints that are members of your domain.
Deciding Which Testing Methods to Enable
Choosing an endpoint integrity testing method is a little different from choosing a deployment or access control method. You do not have to select one method for all endpoints or even all endpoints in a zone. The NAC 800 will try several methods, first attempting to test the endpoint transparently, then—should that fail—prompting the user, through end-user access screens, to change settings on his or her endpoint so that testing can succeed.