When the International Technology Exposition and Conference (ITEC) fair came to Seattle recently, many attendees were surprised to learn that they had to register via smart cards. With these plastic cards, we gained entry to the fair, signed up for drawings, and registered our contact information with vendors. Obviously, this made sense and was beneficial since it was fast, efficient, and accurate.
However, I was already aware of the potential that smart card technology had to offer because my organization had recently implemented smart cards with Windows 2000. I was impressed with the simplicity and power of smart cards in Win2K, and I think you will be too. Let’s take a look.
Search for the right product
Several months ago, we began researching the possibility of using smart card authentication with our Windows 2000 network. We weren’t sure what we were looking for, so a broad Internet search turned up thousands of hits. We were surprised to learn that reader/writers were much cheaper (from $30 to $100) than we expected. Then we figured out why: the intelligence is in the card, not the reader. Each card carries a small microchip with 8K to 16K of memory, and that chip has to be programmed before the card will accept information. Most of the companies we found required some form of programming knowledge that we didn’t have.
Thus, we went to Microsoft’s documentation to see what Windows 2000 specifically offered in the way of support for smart card authentication. We discovered that Windows 2000 supports two smart card families out of the box, Gemplus GemSAFE and Schlumberger Cryptoflex, by shipping a cryptographic service provider (CSP) for each.
We ordered a kit from Schlumberger (Cryptoflex is the product name) because it appeared to come with better documentation. (“Read the manual” is my middle name.) Figure A shows a Cryptoflex card. The reader/writer was $49, and the set of five smart cards was $80. The cards cost what they do because each one holds 8K of memory; Schlumberger has just released a more advanced card that holds 16K.
|A Cryptoflex smart card|
Implementing smart cards
Within 24 hours of receiving our kit, we were using smart card authentication for our Internet Information Services (IIS) implementation and for logons on my Windows 2000 domain controller. One reader serves one machine. We chose to secure one of our more critical servers, which is a good idea for servers that are not in locked rooms or cabinets. With the reader installed on the server, I can now require smart card authentication for local logon and other actions, as discussed below.
Smart card logon is built entirely on Windows 2000 Certificate Services. You must install Certificate Services, which creates a Certification Authority (CA) that you manage through the Certification Authority console, and then use the Certificates console, a separate snap-in, to request certificates and enroll users. The CA runs on a server and is the authority responsible for issuing and revoking certificates; the Certificates console is where certificate requests are made and smart cards are enrolled.
Therefore, your CA and your enrollment station don’t have to be the same server. I set up a CA independent of the machine that was going to enroll certificate users. From a security standpoint, it seems prudent that in a large organization at least two administrators would be responsible for implementing certificate services. Whatever the size of your organization, keeping the CA and the enrollment station on separate machines, so that no single box both issues certificates and writes cards, is a reasonable minimum.
Once smart cards are implemented in your organization, you must have the staff to keep track of:
- The issuance of the smart cards themselves, and who holds each one.
- The enrolling stations and administrators of those stations.
- Policies governing the use of smart cards and how to replace them when lost or stolen.
- Maintenance of reader/writer hardware.
- Troubleshooting of authentication failures.
Because GemSAFE and Schlumberger have detailed documentation on their particular solutions and how to set them up, I will refer you to their respective Web sites for the step-by-step implementation of smart card authentication with their products. My goal here is to provide a laundry list of the component services related to Windows 2000 that must be in place in order to make a smart card implementation as pain-free as possible. You must consider the following factors:
- The CA that issues smart card certificates must be an Enterprise CA, because the Smart Card Logon and Enrollment Agent certificate templates exist only on Enterprise CAs. An Enterprise CA needs Active Directory, but it can run on any server joined to the Windows 2000 domain and does not have to be a domain controller. DNS must be configured properly, because enrollment stations and clients rely on it to locate the CA and the domain controllers.
- You should be prepared to decide whether you want your CA to be:
—An Enterprise Root CA—if you will only be authenticating users and computers within your organization.
—An Enterprise Subordinate CA—if you already have a root CA (an Enterprise Root CA, or a Standalone Root CA kept offline) and are adding an issuing CA beneath it.
—A Standalone Root CA—does not use Active Directory or certificate templates, so it cannot issue smart card logon certificates itself; it suits an offline root that signs subordinate CAs, or issuing certificates to parties outside your network.
—A Standalone Subordinate CA—if you already have a Standalone Root CA and need another one.
Enterprise Administrators should install an Enterprise Root CA if it will be issuing certificates to users and computers in child domains.
Using a root CA from outside Windows 2000 (a third-party CA) may cause compatibility problems with Windows 2000 smart card logon: the domain controllers must trust that CA, and the certificates it issues must carry the extensions Windows expects. Check the latest Microsoft documentation to make sure an outside root CA is configured properly before relying on it.
- Installing Certificate Services requires that IIS be stopped and restarted once installation is complete, because IIS hosts the Web enrollment pages (http://servername/certsrv) used to request certificates remotely.
- The enrollment station is where the smart card reader/writer is installed. On that station, create an MMC console for Certificates. (Go to Start | Run, type mmc, and then go to Add/Remove Snap-ins | Certificates.) Save this Certificates console, since this is where enrolling takes place and you’ll be using it frequently as you add users. The account that enrolls cards on behalf of other users also needs an Enrollment Agent certificate, which is requested through the same console.
- When requesting certificates for the smart card, it is important to click the Advanced Options button in the Certificate Request Wizard and select the cryptographic service provider (CSP) that matches your cards, so that the key pair is generated on the card rather than on the workstation. For example, we chose the Schlumberger CSP.
- Group Policy will have to be edited to match how you intend users to use the cards. If users are required to log on with the card every time, set the Smart card removal behavior security option (lock the workstation or force logoff when the card is pulled) so that a walk-away does not leave an open session behind.
Why use smart cards—aren’t passwords enough?
Smart cards do not replace passwords as a means of security; they add a layer on top. In the Account tab of a user’s property page, you can configure a user so that he or she is required to log on to the network with a smart card. Figure B shows the Smart Card Is Required For Interactive Logon check box that enables this restriction. Once it is set, the user no longer types the domain password at the console. Instead, the user enters the card’s PIN, which unlocks the private key stored on the chip, and the card uses that key to prove possession to the domain controller, which maps the certificate to the account. The result is two factors: something you have (the card and its key) and something you know (the PIN). The domain password still exists and is still used by network logons that never touch the card, so it must be managed as carefully as before.
|Selecting the Smart Card Is Required For Interactive Logon check box requires users to log on with a card.|
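As an added example, not from the article: the check box in Figure B sets bit 0x40000 (ADS_UF_SMARTCARD_REQUIRED) of the account’s userAccountControl attribute, which makes the setting auditable across the whole domain rather than one property page at a time. The script below runs over a constructed CSV export of the form sAMAccountName,userAccountControl,adminCount (the names and values are made up for the example); a real export would come from an LDAP query of the domain. It flags privileged accounts (adminCount=1, the accounts protected by AdminSDHolder) that can still log on with a password alone, and smart card accounts that also carry PASSWD_NOTREQD.

```shell
#!/bin/sh
# Added example, not from the article: audit the "Smart card is required for
# interactive logon" setting across exported accounts. The checkbox sets bit
# 0x40000 (ADS_UF_SMARTCARD_REQUIRED) of userAccountControl. The CSV below is
# constructed for this example (sAMAccountName,userAccountControl,adminCount).

UF_ACCOUNTDISABLE=2           # 0x2
UF_PASSWD_NOTREQD=32          # 0x20
UF_SMARTCARD_REQUIRED=262144  # 0x40000

# alice: normal account (0x200) + smart card required, privileged
# bob:   normal account, privileged, password only
# carol: smart card required but PASSWD_NOTREQD also set
# dave:  smart card required, privileged, but disabled
# eve:   normal unprivileged account
SAMPLE_EXPORT='alice,262656,1
bob,512,1
carol,262688,0
dave,262658,1
eve,512,0'

has_flag() { [ $(( $1 & $2 )) -ne 0 ]; }

# The userAccountControl value to write back to require a smart card.
require_smartcard_value() { echo $(( $1 | UF_SMARTCARD_REQUIRED )); }

# Prints one FINDING line per problem account; returns the number of findings.
audit_smartcard_flags() {
    findings=0
    while IFS=, read -r name uac admin; do
        [ -z "$name" ] && continue
        if has_flag "$uac" "$UF_ACCOUNTDISABLE"; then
            continue              # disabled accounts cannot log on at all
        fi
        if [ "$admin" = "1" ] && ! has_flag "$uac" "$UF_SMARTCARD_REQUIRED"; then
            echo "FINDING: $name is privileged (adminCount=1) but can log on with a password alone; set userAccountControl to $(require_smartcard_value "$uac")"
            findings=$((findings + 1))
        fi
        if has_flag "$uac" "$UF_SMARTCARD_REQUIRED" && has_flag "$uac" "$UF_PASSWD_NOTREQD"; then
            echo "FINDING: $name requires a smart card but also has PASSWD_NOTREQD; network logons still use the password, and this allows it to be blank"
            findings=$((findings + 1))
        fi
    done <<EOF
$1
EOF
    return "$findings"
}

audit_smartcard_flags "$SAMPLE_EXPORT" || echo "findings: $?"
```

The second check matters because the check box governs interactive logon only: a smart card account keeps a domain password for network authentication, so the password-related bits still deserve review after cards are rolled out.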
Schlumberger’s Cryptoflex cards use Data Encryption Standard (DES) and 3DES (triple DES), which are ANSI industry standards, for the card’s own access control and administration; the logon keys themselves are RSA key pairs generated and kept on the card. The microprocessor chip on each card is tamper-resistant, and the private key is never exported from it. Even if users need 512-, 768-, 1024-, or 2048-bit RSA keys and several certificates for a variety of applications, they can all be stored on a single smart card, within its 8K or 16K of memory.
Each smart card with the microprocessor chip can be reprogrammed with a new PIN and/or certificate: the enrollment station requests a new certificate, and the vendor’s card tools set or reset the PIN. A card reported lost or stolen should also have its certificate revoked at the CA, so that someone who guesses the PIN does not keep a working logon credential.
The biggest advantage of the smart card in a small enterprise is the heightened level of security. With the addition of some scripting, the smart card can also hold information such as time card data, usage of computers and/or copy machines, etc. This information can periodically be dumped into a database and tracked, making the smart card an objective source of information about the productivity of its holder.
How can smart cards benefit your organization?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.