Smart cards are a smart way to improve network security
With the release of Windows 2000, Microsoft has expanded support for smart cards. Smart cards are credit card-sized devices that have a microchip with an OS and a small amount of embedded nonvolatile memory. Their potential uses are many. For example, you can use them in mobile phones or as credit cards, employee identification badges, or a means to log on to computers. Let's look at how Win2K uses smart cards for logons and how to set up a smart card system in your Win2K network.
Win2K and Smart Cards
Win2K uses smart cards to store certificates and their associated private keys; the certificates and their keys identify the smart card user. (For information about certificates, see the sidebar "What's a Certificate?" page 9.) When users walk up to a suitably configured Win2K workstation and insert their smart cards into an attached smart card reader, the system initiates a logon process that's similar to pressing Ctrl+Alt+Del. However, instead of entering a username and password, users enter their PIN, which unlocks the smart card. This process is an example of two-factor authentication: the first factor is something you have (i.e., the smart card), and the second factor is something you know (i.e., the PIN). In a domain environment, the workstation sends the certificate in the smart card to a Key Distribution Center (KDC) as part of the Kerberos authentication protocol. The KDC checks that the certificate is valid, creates a logon session key, encrypts the logon session key with the public key in the certificate, and sends the encrypted logon session key back to the workstation. The workstation passes the encrypted logon session key to the smart card for decryption. The smart card, not the workstation, performs all cryptographic functions that involve the certificate and its private key. (For more information about these functions, read the white paper "Windows 2000 Kerberos Authentication," http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp.)
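To make the exchange above concrete, here is an added example in Go that models it; it is not from the article and not Microsoft's code. A constructed enterprise CA issues a user certificate, the card holds the private key and will only decrypt after the correct PIN, and the KDC verifies the certificate against the CA and its Smart Card Logon purpose before encrypting a fresh session key to it. The type and function names (smartCard, kdc, issueCert, workstationLogon) are the example's own, and the model leaves out the signed pre-authentication data and the ticket that the real Kerberos exchange also carries.

```go
package main

// Added example, not from the article: a simplified model of the Win2K smart
// card logon exchange. Names are the example's own; the real protocol (Kerberos
// PKINIT) also carries signed pre-authentication data and ticket issuance.

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Well-known Microsoft "Smart Card Logon" enhanced key usage OID.
var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

// smartCard models the card: the private key never leaves it and is used only
// inside decrypt, which first checks the PIN (the "something you know").
type smartCard struct {
	priv    *rsa.PrivateKey
	certDER []byte // the user's certificate, stored on the card
	pin     string
}

func (c *smartCard) decrypt(pin string, ct []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, errors.New("wrong PIN: card stays locked")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, ct, nil)
}

// kdc models the domain controller, which trusts only the enterprise CA.
type kdc struct{ roots *x509.CertPool }

// handleLogon verifies that the certificate chains to the trusted CA and is
// meant for smart card logon, then encrypts a fresh session key to its public
// key. The plaintext key is returned too so a test can compare it.
func (k *kdc) handleLogon(certDER []byte) (enc, key []byte, err error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, nil, err
	}
	opts := x509.VerifyOptions{Roots: k.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, nil, err // untrusted issuer, expired, or wrong key usage
	}
	scLogon := false
	for _, oid := range cert.UnknownExtKeyUsage {
		scLogon = scLogon || oid.Equal(oidSmartCardLogon)
	}
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	if !scLogon || !isRSA {
		return nil, nil, errors.New("not an RSA Smart Card Logon certificate")
	}
	key = make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return enc, key, err
}

// issueCert is a constructed stand-in for the enterprise CA: with parent nil it
// makes a self-signed CA, otherwise a Smartcard Logon-style user certificate.
func issueCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer := priv
	if parent == nil { // self-signed enterprise CA
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = t
	} else { // what the Smartcard Logon template would issue
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		t.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidSmartCardLogon}
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &priv.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// workstationLogon relays the certificate to the KDC and the encrypted session
// key to the card; it never sees the private key.
func workstationLogon(k *kdc, card *smartCard, pin string) ([]byte, error) {
	enc, _, err := k.handleLogon(card.certDER)
	if err != nil {
		return nil, err
	}
	return card.decrypt(pin, enc)
}
```

Two failure modes are worth exercising when you run it: a wrong PIN leaves the card locked, so the workstation never obtains the session key, and a certificate issued by a CA the KDC does not trust (or one that lacks the Smart Card Logon purpose, such as the CA's own certificate) is rejected before any key is generated. That second check is why the later advice to dedicate and lock down a subordinate CA for smart card enrollment matters: the KDC's trust rests entirely on what that CA signs.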
Setting Up the Environment
When you're deciding which smart card system to use, you need to keep one consideration in mind. You should standardize and purchase smart cards and smart card readers from only one vendor because smart cards from one vendor might not work in another vendor's reader. Using multiple vendors might limit users' ability to log on to any available workstation with one smart card, thereby potentially weakening security because users might have to carry several smart cards. This situation might also increase the number of calls to the Help desk.
To use smart cards for logons in a Win2K environment, you need to have an established public key infrastructure (PKI) to issue certificates to users with smart cards and to validate certificates. If you don't have a PKI in place, you can install Certificate Services, which comes with Win2K Server. Certificate Services lets you create an Enterprise Certificate Authority (CA) hierarchy, which integrates with Active Directory (AD), or a Standalone CA hierarchy, which doesn't integrate with AD. Many Win2K security mechanisms that can use certificates, including smart cards, require you to install an Enterprise CA hierarchy. For step-by-step instructions on how to install and configure Certificate Services, see "Securing Win2K with Certificate Services," September 2001.
Configuring a CA for Smart Cards
Before you can start issuing certificates for smart cards, you need to configure a CA to support the certificates. For security reasons, you should consider creating a CA hierarchy, dedicating a subordinate Enterprise CA solely for smart card enrollments, and setting permissions on it with the Microsoft Management Console (MMC) Certification Authority snap-in to prevent use by unauthorized users.
To issue certificates for smart cards, you need to add support for smart card certificate templates. Open the Certification Authority snap-in, select the appropriate CA, right-click Policy Settings, click New, then click New Certificate to Issue. Figure 1, page 7, shows the Select Certificate Template dialog box. Win2K supports two smart card certificate templates: Smartcard Logon, which lets you use smart cards for logons, and Smartcard User, which lets you use smart cards for logons and secure email. You also need to install the Enrollment Agent certificate template to use smart cards. After you select the Enrollment Agent certificate template and the appropriate smart card certificate template in the dialog box, click OK.
You must have a valid Enrollment Agent certificate to issue certificates to smart card users. By default, only members of the Enterprise Admins and Domain Admins groups can request Enrollment Agent certificates. You can modify the permissions on the Enrollment Agent certificate template to let other users and groups request certificates. To change permissions, open the MMC Active Directory Sites and Services snap-in. As Figure 2 shows, expand the Services node. If this node isn't visible, click Show Services Node on the View menu. Expand Public Key Services, then Certificate Templates. Right-click EnrollmentAgent, then select Properties. In the dialog box that appears, click the Security tab to modify the template's permissions.
You obtain an Enrollment Agent certificate by pointing your Web browser to the CertSrv virtual directory that's on the server on which the issuing CA resides. For example, if you've installed Certificate Services on a server called WebServer1, the URL would be http://webserver1/certsrv. In the Welcome page that appears, select Request a certificate, then click Next. You now need to select the type of certificate you want to request. Select Advanced Request, then click Next. This page asks you how you want to request a certificate. Select Submit a certificate request to this CA using a form, then click Next.