Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


October 01, 2001

Enhancing Win2K Logon Security with Smart Cards


A Web Exclusive from Windows IT Pro
John Howie
Feature
InstantDoc #22366
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    What's a Certificate?
Smart cards are a smart way to improve network security

With the release of Windows 2000, Microsoft has expanded support for smart cards. Smart cards are credit card-sized devices that have a microchip with an OS and a small amount of embedded nonvolatile memory. Their potential uses are many. For example, you can use them in mobile phones or as credit cards, employee identification badges, or a means to log on to computers. Let's look at how Win2K uses smart cards for logons and how to set up a smart card system in your Win2K network.

Win2K and Smart Cards
Win2K uses smart cards to store certificates and their associated private keys; the certificates and their keys identify the smart card user. (For information about certificates, see the sidebar "What's a Certificate?" page 9.) When users walk up to a suitably configured Win2K workstation and insert their smart cards into an attached smart card reader, the system initiates a logon process that's similar to pressing Ctrl+Alt+Del. However, instead of entering a username and password, users enter their PIN, which unlocks the smart card. This process is an example of two-factor authentication: the first factor is something you have (i.e., the smart card), and the second factor is something you know (i.e., the PIN). In a domain environment, the workstation sends the certificate in the smart card to a Key Distribution Center (KDC) as part of the Kerberos authentication protocol. The KDC checks that the certificate is valid, creates a logon session key, encrypts the logon session key with the public key in the certificate, and sends the encrypted logon session key back to the workstation. The workstation passes the encrypted logon session key to the smart card for decryption. The smart card, not the workstation, performs all cryptographic functions that involve the certificate and its private key. (For more information about these functions, read the white paper "Windows 2000 Kerberos Authentication," http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp.) . . .

Reader Comments
Nice article that pulls together the information needed to configure a CA to issue smartcard certificates better than the on-line Microsoft help. Too bad it doesn't print neatly in Portrait mode.

Doug Brown May 03, 2004

Great artical has all the information i need to get started implementing a smart card system

Michael Lowe July 07, 2004

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

Windows Mobile: What Went Wrong?

Paul discusses the evolution of Windows Mobile and why he thinks the platform is probably doomed. ...

Microsoft Makes Windows 7 Name Official

It's official: Microsoft's next Windows version, currently being developed under the codename Windows 7 will use that moniker as its official final name when it hits the market in early 2010. The news, delivered as is so often the case these days via a ...
Security Whitepapers Protecting (You and) Your Data with Exchange Server 2007

Extended Validation SSL Certificates

Unauthorized applications: Taking back control
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Microsoft Exchange & Windows Connections event returns to Las Vegas Nov 10 - 13
Connections returns to Las Vegas for this exciting event where each attendee will receive SQL Server 2008 standard with 1 CAL. Co-located with Microsoft ASP.NET, SQL Server, and SharePoint Connections with over 250 in-depth sessions.

Free Online Event! Virtualization:Get the Facts!
Register now and attend this free, live in-depth online conference on November 13 and 20, 2008, produced by Windows IT Pro. All registrants are eligible to receive a complimentary one-year digital subscription to Windows IT Pro (a $49.95 value)!

Check Out Hyper-V Video on ITTV
Watch Karen Forster's interview on Hyper-V's performance on ITTV.net.

Ease Your Scripting Pains with the Flexibility of PowerShell!
Join MVP Paul Robichaux on December 11, 2008 at 11:00 AM EDT as he equips you with PowerShell basics in 3 introductory lessons, each followed by a live Q&A session—all on your own computer!

PASS Community Summit 2008 in Seattle on Nov 18-21
The don’t-miss event for Microsoft SQL Server Professionals. Register now and you’ll enjoy top-notch Microsoft and Community speakers and more.



Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Email Recovery and eDiscovery for Microsoft Exchange!
Discover, Recover, and Export mailboxes, folders and individual items direct from offline EDB’s or online production Exchange Servers. Free 30 Day Demo.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing