Using Smartcards in Windows Server 2003/XP
- Your Equipment Shopping List
- Installing the Enterprise CA
- Forcing Smartcard Logons
In the movie War Games, the main character cracks the password of his high school's computer system. And he doesn't use a password-cracking program to do it. He simply looks for a piece of paper that contains a password list and finds it taped to the bottom of a desk drawer in the school's office.
How can you keep people from writing passwords on a piece of paper taped to their workstations? Instead of using passwords for authentication, consider implementing smartcards. A smartcard is a device the size of a credit card, with a security chip that can be used for logon authentication, remote access, entry-control systems, and more (see Figure 1).
Figure 1 For something the size of a credit card, a smartcard packs a wallop of security.
When you use a smartcard, you get a two-factor authentication system:
- Users must have the smartcard to log onto the computer.
- Smartcards typically require a personal identification number (PIN).
The typical analogy for smartcard usage is the automated teller machine (ATM) card. You insert the card into the reader and enter a PIN to gain access to your account. As long as you don't write your PIN on the card, you need both items, the PIN and the card, to access the account. That's a valuable level of security.
NOTE
Smartcards are just the beginning. Some manufacturers add biometric authentication to smartcard authentication, creating three-factor authentication. For example, a thumbprint scanner, smartcard, and PIN might be required to access a system.
Your Equipment Shopping List
Let's assume that you're fed up with passwords and you're ready to buy into smartcards and PINs for your Windows Server 2003 or Windows XP system. What stands between you and smartcard authentication bliss?
The obvious first step is to acquire smartcards and smartcard readers. The Microsoft Web site has a list of smartcard readers that are compatible with Windows Server 2003 and Windows XP.
A wide variety of smartcard readers are available these days, using USB, RS-232, and PC-Card standards. I've found smartcard readers that support Windows Server 2003/XP at retail prices of $20 to $40 each. Each smartcard typically costs $5 to $16. Of course, discounts are available if you look hard enough, buy in bulk, and negotiate well. Several computer and motherboard manufacturers are even building smartcard readers into their products; you might investigate this option when buying new equipment.
Selecting a single smartcard type and manufacturer for your systems makes administration and implementation easier. You'll see why later in this article.