One of Microsoft’s primary goals in developing Windows 2000 was to provide increased security and to give administrators more options regarding security methods and features. Consequently, Windows 2000 includes provisions for security measures that were either not supported or required third-party software with earlier Microsoft operating systems.
The first step in securing a computer or network is authentication, the process by which a user's logon credentials are validated. Traditionally, authentication consists of providing a user account name and password, which are checked against a list of authorized account/password pairs. This method works only as well as the password does: it must be complex enough that it cannot be guessed, and the user must keep it secret.
However, there are ways to increase the security of the authentication process; most of these involve having the user provide some physical means of identification. This can be biometric input, such as a fingerprint or retinal pattern, or it can be a device such as a smart card (in fact, some smart card technologies can actually store a fingerprint or voice print on the card).
In this Daily Drill Down, I will discuss what smart cards are, how they work, and how to use them for authentication with Windows 2000.
Overview of smart card concepts
A cryptographic smart card resembles a credit card and is used to store public and private keys and other credential information. Windows 2000 supports the use of smart cards for authentication and logon and e-mail security as part of its integrated public key infrastructure (PKI).
Using smart cards for logon authentication offers several advantages:
- Two-factor security: An unauthorized user cannot log on with someone else's credentials merely by finding out or guessing the authorized user's password; he or she must present the physical card (something the user has; this is called proof of possession) and must also know the Personal Identification Number (PIN) assigned to the card (something the user knows). The card locks itself after a specified number of incorrect PIN entries, so the PIN cannot be brute-forced.
- A PIN can be shorter and easier to remember than a strong network password without the same exposure. Unlike a password, a PIN is useless on its own: an intruder would have to gain physical control of the card, and would then get only a handful of guesses before the card locks.
- PINs can't be intercepted over the network by a packet sniffer, because the PIN is verified by the card itself and is never transmitted across the network.
- Smart cards are designed to be resistant to tampering.
- The card is portable and easy for the user to carry and can be used to transport credentials from one computer to another (such as a desktop system at the office and a laptop computer at the user’s home).
- Smart cards can also be configured for remote access connections (dial-up or VPN) using the Extensible Authentication Protocol (EAP).
Although simple in concept (insert a card in a card reader and enter a PIN to log on), the smart card infrastructure is actually complex, using Windows 2000 certificate services and public key cryptography.
How smart cards work
While credit and debit cards use a magnetic stripe to store data, the smart cards supported by Windows 2000 use an integrated circuit (and thus are called Integrated Circuit Cards, or ICCs). The circuit functions as a tiny computer that holds the private key and performs operations such as key exchange and digital signing on the card, so the private key never has to leave it.
Microsoft has developed an operating system platform called Windows for Smart Cards that can be programmed to store authentication information and perform PC and network logons. Other vendors make smart card operating systems, as well. There is even a smart card that can be programmed in BASIC.
There are many vendors of smart cards and many different types of smart cards; most use proprietary interfaces and APIs (for example, some smart cards use a Java Card API that can run Java applets that are loaded onto the card). Windows 2000 authentication uses RSA-based cryptographic smart cards.
Local and domain logon
Smart cards can be used to log on to a local computer or a Windows 2000 domain. In the latter case, authentication works using the Windows 2000 directory services. There are three ways to use a smart card for logon authentication to a Windows 2000 domain:
- Interactive logon: uses Active Directory, Kerberos v5, and public key certificates
- Client authentication: uses a public key certificate matching an Active Directory user account
- Remote logon: uses public key certificates with EAP and Transport Layer Security (TLS) to authenticate the user to an Active Directory account
A user can log on to the local computer using a smart card even when the computer is not connected to the network or the domain controller cannot be contacted for Active Directory authentication. This is called offline logon.
When logging on remotely for the first time, a user should log on to the domain interactively using the dial-up connection option in the logon dialog box, rather than logging on to the local computer first and then dialing the RAS server to connect to the network. If done the latter way, authentication will fail because the client computer does not yet have the domain policy and cannot validate the RAS server's certificate (unless the client computer was preconfigured as a member of the domain).
Deploying smart card logon
All logon methods require the use of public key certificates. The following is an overview of what must be done to deploy smart cards for network logon. Note that this Daily Drill Down focuses on the use of smart cards from the client side, so I have not provided the details of setting up Certificate Authorities (CAs) and other server-side tasks. However, you should know that these steps must be taken before you can use smart cards with your Windows 2000 clients.
- Set up a CA and certification hierarchy on your network.
- Set security permissions and delegate control of certificate templates for each domain, using the Certification Authority MMC.
- Set up the CA(s) to issue smart card certificates in the policy settings in the Certification Authority MMC.
- Set up a CA to issue enrollment agent certificates. (The enrollment agent certificates do not have to be issued from the same CA that issues the smart card certificates.)
- Install a smart card reader on the computer you will use to set up smart cards. This is the enrollment station.
- The smart card administrator must obtain an enrollment agent certificate in order to generate smart card certificate requests on behalf of users.
- The holder of the enrollment agent certificate sets up a smart card for each user by requesting a certificate from the CA that issues smart card logon certificates.
- A smart card reader must be installed on each user’s computer.
These are the basic steps for deploying smart cards. Detailed instructions for completing each step are available in the Windows 2000 Server Help files.
There normally must be an enrollment station somewhere on the network, and an enrollment agent to operate it, in order to issue smart card certificates to users, because by default domain users cannot enroll for smart card certificates themselves. It is possible to modify the template permissions to allow users to enroll, but this is a security risk (any user could then obtain a logon certificate without an administrator verifying his or her identity) and is not recommended.
Smart card equipment
Deployment of smart card logon for your network users may go more or less smoothly, depending on the equipment you select. In this section, I will discuss smart card readers and the cards themselves.
Smart card types supported by Windows 2000
Windows 2000 has built-in support (that is, a bundled CSP) for two smart cards: the Gemplus GemSAFE card and the Schlumberger Cryptoflex card.
Deployment of the GemSAFE and Cryptoflex cards does not require any special configuration on the client or server. You can use other smart card brands that use RSA-based cryptography, provided the vendor has developed cryptographic service provider (CSP) code using the CryptoAPI. Microsoft provides a Smart Card Software Developer's Kit for this purpose.
Smart card readers
There are a number of smart card readers that have been tested by Microsoft and approved as compatible with Windows 2000. It is highly recommended that you select a reader that supports Plug and Play standards.
It is possible to use non-Plug and Play readers with Windows 2000, but Microsoft does not support their use. You will need to get the device drivers and installation instructions for such readers from the reader vendor.
Microsoft-approved readers are made by Gemplus, Litronic, Rainbow Technologies, and others. See the Windows 2000 Hardware Compatibility List (HCL) on the Microsoft Web site for a complete list of vendors and model numbers.
Using smart cards for authentication
Once smart card support has been deployed on the network, it is relatively easy to use smart cards for logon authentication from the client side. Steps include:
- Installing a smart card reader on the client machine.
- Enrolling the user for a smart card certificate.
- Setting up a smart card for user logon.
- Logging on with the smart card.
- Instituting smart card policies.
Installing a smart card reader
Smart card readers are available in many different form factors. Most connect to the computer via a PCMCIA (PC Card), RS-232, or USB interface. To install the reader, simply attach the device to the appropriate port or PCMCIA slot.
Note that when you start the computer, you should log on with an administrative account. If the driver is supported by Windows 2000 and the driver software is in the Driver.cab file (which is installed on the computer’s hard disk when you install Windows 2000), the driver will be installed automatically. If the driver software is not in the Driver.cab file, you will need to install it using the Add/Remove Hardware wizard.
If the reader is a Plug and Play device, the Add/Remove Hardware wizard should start automatically. If it is not, you must consult the vendor’s instructions to install and configure the reader.
When the device has been installed successfully, an Unplug Or Eject Hardware icon should appear in the taskbar's notification area (system tray), and the smart card reader will appear in the list of devices in the Unplug Or Eject Hardware dialog box.
Enrolling for a smart card certificate
In most situations, a smart card administrator who has an enrollment agent certificate will request smart card certificates on behalf of users. The administrator logs on as an enrollment agent and uses the Internet Explorer Web browser to access the CA that issues smart card certificates (using the syntax http://<nameofCAserver>/Certsrv). The administrator will request a certificate and use the Advanced Request option to request a smart card certificate on behalf of another user, using the smart card enrollment station.
On the Smart Card Enrollment Station Web page, using the Certificate Template option, the administrator will select one of the following:
- Smart card logon: for logging on to Windows only
- Smart card user: for securing e-mail with the smart card in addition to logging on to Windows
The administrator selects the CA to issue the smart card and designates the CSP of the smart card vendor. Then the administrator specifies the enrollment agent certificate that will sign the enrollment request, enters the user name, and submits the certificate request.
Setting up a smart card for user logon
After the administrator submits the certificate request for a user, he or she inserts a blank smart card into the enrollment station's reader and enters the PIN for the card. The certificate (and the private key generated on the card) is then installed on the smart card. If the inserted card already has a certificate on it, the administrator is asked whether to replace the existing credentials and must select Yes to install the new certificate.
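Before handing a card to a user, it is worth checking that the client is actually ready: the Smart Card service must be running on the workstation (see the reader installation steps above), and the certificate placed on the card must carry the Smart Card Logon extended key usage, a user principal name (UPN) in its Subject Alternative Name that matches the Active Directory account, and a chain to a CA the domain trusts. The following script is an added example, not code from the original article or from Microsoft. It assumes Windows PowerShell (which postdates Windows 2000 but inspects the same service and certificate properties), a domain-joined workstation with the reader attached and the card inserted, and that the card's certificate has been propagated to, or imported into, the user's personal certificate store (Cert:\CurrentUser\My). The EKU OIDs are the standard Microsoft and PKIX values.

```powershell
# Added example (not from the original article): verify that a workstation and an
# enrolled smart card are ready for Windows smart card logon.
# Assumptions: Windows PowerShell, reader attached, card inserted, and the card's
# certificate visible in Cert:\CurrentUser\My.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # PKIX Client Authentication EKU

# 1. The Smart Card resource manager service (SCardSvr) must be running, or
#    the logon process cannot see the reader at all.
$svc = Get-Service -Name SCardSvr -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "Smart Card service (SCardSvr) is $($svc.Status); start it before testing logon."
}

# 2. Candidate logon certificates: private key present and Smart Card Logon EKU set.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SmartCardLogonEku })
}
if (-not $candidates) {
    throw 'No certificate with the Smart Card Logon EKU was found in the personal store.'
}

foreach ($cert in $candidates) {
    $problems = @()

    # The UPN in the Subject Alternative Name is what maps the card to the AD account.
    $upn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    if ([string]::IsNullOrEmpty($upn)) {
        $problems += 'no UPN in the Subject Alternative Name'
    }

    # Client Authentication is needed alongside Smart Card Logon.
    if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })) {
        $problems += 'missing Client Authentication EKU'
    }

    # Build the chain the way the domain controller will: trusted root required,
    # revocation checked online, and the logon EKU required along the chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid $SmartCardLogonEku))
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        UPN      = $upn
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Ready    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}
```

Run it in the user's session on the workstation and look for `Ready : True`. A chain failure reported here (untrusted root, CRL unreachable) will show up as a failed logon later, so fix it on the enrollment station before issuing more cards.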
Logging on with a smart card
To log on to a computer with a smart card, insert the card into the reader attached to the computer when the Windows logon screen appears. You will be prompted to enter the PIN associated with the card. If you type in the correct PIN, you will be logged on to the computer and the Windows 2000 domain. The permissions that have been assigned to that user account by the domain administrator will be applied.
If you enter an incorrect PIN, access will be denied. The number of attempts that are allowed before the card is locked out depends on the vendor of the smart card.
Smart card policies
Using the account options on a user object in Active Directory Users and Computers, you can specify that a smart card is required for interactive logon. This prevents the user from logging on with a password. (It does not apply to remote access logons.) The setting is made on a per-user basis. It should not be applied to administrators or other users who need to perform tasks that do not support the use of public key certificates for authentication (such as configuring a network connection for remote access or joining a computer to a domain).
Administrators should develop written policies regarding the issuance of smart cards, management of PINs, contingencies for lost or temporarily unavailable cards, and removal of the card when a user leaves the workstation. See Microsoft's Web site for an excellent paper on using and administering smart cards, including development and deployment of related policies.
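Setting the "Smart card is required for interactive logon" option one user at a time does not scale, and it is easy to lock out an administrator by mistake. The script below is an added example, not part of the original article: it walks one organizational unit, skips accounts that are members of an administrative group, and sets the option on everyone else. It assumes Windows PowerShell with ADSI access to the domain (PowerShell postdates Windows 2000, but the attribute it writes, the ADS_UF_SMARTCARD_REQUIRED bit of userAccountControl, is the same one the Windows 2000 dialog sets). The OU path and the administrative group's distinguished name are placeholders to replace.

```powershell
# Added example (not from the original article): require smart card logon for
# every user in an OU, except members of an administrative group.
# Assumptions: Windows PowerShell, domain-joined machine, permission to modify
# userAccountControl. $OuPath and $AdminGroupDn are placeholders.

$OuPath            = 'LDAP://OU=Staff,DC=example,DC=local'            # assumed OU
$AdminGroupDn      = 'CN=Domain Admins,CN=Users,DC=example,DC=local'  # assumed group
$SmartCardRequired = 0x40000   # ADS_UF_SMARTCARD_REQUIRED bit of userAccountControl
$WhatIf            = $true     # set to $false to actually write the changes

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$OuPath
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('samaccountname', 'useraccountcontrol', 'memberof'))

foreach ($result in $searcher.FindAll()) {
    $name   = [string]$result.Properties['samaccountname'][0]
    $uac    = [int]$result.Properties['useraccountcontrol'][0]
    $groups = @($result.Properties['memberof'])

    # Administrators still need password logon for tasks that cannot use a
    # certificate (joining computers to the domain, configuring remote access).
    if ($groups -contains $AdminGroupDn) {
        Write-Host "SKIP  $name (administrative account keeps password logon)"
        continue
    }
    if ($uac -band $SmartCardRequired) {
        Write-Host "OK    $name (smart card already required)"
        continue
    }

    Write-Host "SET   $name"
    if (-not $WhatIf) {
        $user = $result.GetDirectoryEntry()
        $user.Properties['userAccountControl'].Value = $uac -bor $SmartCardRequired
        $user.CommitChanges()
    }
}
```

Run it first with `$WhatIf = $true` and review the SET lines; only users whose cards have actually been issued and verified should be in the target OU, because once the bit is set their passwords stop working for interactive logon. Note that memberOf does not list a user's primary group, so keep administrative accounts in an OU this script never touches rather than relying on the group check alone.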
In today’s security-conscious networking environment, with many companies storing highly sensitive data on their network computers, it is more important than ever that strong measures be taken to prevent unauthorized access. One way to increase the security of logon authentication is to issue smart cards to users. In this Daily Drill Down, I have provided an overview of what smart cards are, how they work, where to get them, and how to use them in conjunction with Windows 2000.