Senior Editor Tim Greene clarifies issues surrounding the evolving NAC security architecture.
NAC is supposed to do a lot of things, and once it's installed customers are finding that often NAC does even more than they bargained for.
One of these things is that NAC can act as a backstop to other applications such as patch management that are supposed to maintain the proper corporate desktop image. Many customers say that when their NAC gear tests the health of endpoints, it often discovers that machines that should have been patched have not been, or that updates that should have been installed haven’t.
One customer actually had statistics on the improvements. With patch-management software alone, 70% of endpoints were actually patched within 30 days of when the distribution started. With NAC in place checking for unpatched machines as part of its tests, that compliance jumped to 99% within 7 days.
Similarly, the same customer found that vulnerabilities on its endpoints dropped significantly after NAC was installed. On its 50,000-endpoint network, the average number of vulnerabilities was 4.3 per machine. After NAC was in place and testing for some of the items that accounted for vulnerabilities, that number dropped to 1.3 per machine.
While some may debate whether NAC is an effective security platform – and some well-informed security experts say it is not – it is undeniably a risk-mitigation tool. Having patched operating systems, updated antivirus and personal firewalls that are properly configured and turned on all contribute to lower risk. As these numbers from an actual user demonstrate, the benefits can be dramatic.
Tim Greene is senior editor at Network World.