Be careful when you enter PINs. If you enter the wrong User PIN several times in a row, the smart card becomes locked. The only way you can unlock the card is to enter a valid Administrator PIN. If you enter the wrong Administrator PIN several times in a row, the smart card becomes permanently locked, which means you can't recover the smart card. Keep the Administrator PIN secret. You might consider using a range of Administrator PINs across batches of smart cards to improve security.
After a smart card has a certificate, the user can log on to any workstation that has an attached smart card reader. These workstations have a slightly different Welcome to Windows dialog box. The dialog box has a smart card reader icon and text that asks the user to insert the smart card into the reader or press Ctrl+Alt+Del. If a user inserts a valid smart card into the reader, the Log on to Windows dialog box appears and asks the user to enter a PIN to unlock the card. After the card unlocks, the OS logs the user on to the system, assuming that the certificate in the smart card is valid.
Enhancing Security
You can configure your system two ways to further enhance logon security. First, you can force smart card users to use their smart cards to log on to a workstation. As Figure 4, page 9, shows, you use the MMC Active Directory Users and Computers snap-in to enable the Smart card is required for interactive logon option for each smart card user. If the user attempts to log on by pressing Ctrl+Alt+Del, the user receives a message that states the account has been disabled.
You can also enhance logon security by using Group Policy Editor (GPE) to set the Smart card removal behavior policy on each workstation. You can configure a workstation to either lock the console or log off the user when a user removes the smart card from the reader. As Figure 5 shows, you select Lock Workstation as the policy setting. This security enhancement is especially useful when you combine smart cards with building passes.
Managing Smart Cards
After you have the smart card readers working, you need to deal with the logistics of managing the smart cards. Certificates in smart cards have expiration dates, so you'll need to implement a process to manage their renewal. You'll also need to implement a process to revoke and replace certificates for lost smart cards. These processes aren't specific to certificates in smart cards, so you might already have such processes in place if you use certificates elsewhere in your organization (e.g., on Web servers). If you don't, the Distributed Systems Guide in the Microsoft Windows 2000 Server Resource Kit contains information about how to develop and implement these processes.
You should consider creating a special account for the IT personnel who'll be responsible for certificate management. These personnel don't need to be members of the Domain Admins or Enterprise Admins group if you modify the permissions on the Enrollment Agent certificate template. However, don't issue smart cards to them: if a problem occurs with the PKI or smart cards, they might find themselves unable to log on to correct the problem.
For similar reasons, you shouldn't require administrators to use smart cards to log on to domain controllers (DCs) or member servers in your domain. If you do issue smart cards to administrators, make sure that at least one administrator has the Smart card is required for interactive logon option disabled.
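As an added example (not code from the article), the following PowerShell script audits the settings described above: which accounts have the Smart card is required for interactive logon option set, whether at least one Domain Admin is still able to log on without a smart card, and what the Smart card removal behavior policy is set to on the local workstation. It assumes the ActiveDirectory module from RSAT is installed on a domain-joined host and that the removal policy is stored in the ScRemoveOption value under the Winlogon registry key.

```powershell
# Added example, not part of the original article. Assumes the RSAT
# ActiveDirectory module and read access to user objects in the domain.
Import-Module ActiveDirectory

# userAccountControl bit set by "Smart card is required for interactive logon"
$SMARTCARD_REQUIRED = 0x40000

# Every enabled account that must present a smart card to log on
$scUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl |
    Where-Object { ($_.userAccountControl -band $SMARTCARD_REQUIRED) -ne 0 }
"Accounts with smart card required: $(@($scUsers).Count)"

# Fallback check: at least one enabled Domain Admin must NOT require a smart
# card, so an administrator can still log on if the PKI or cards break.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties userAccountControl }
$fallback = $admins | Where-Object {
    $_.Enabled -and (($_.userAccountControl -band $SMARTCARD_REQUIRED) -eq 0)
}
if ($fallback) {
    "Admins able to log on without a smart card: $(@($fallback).SamAccountName -join ', ')"
} else {
    Write-Warning 'Every Domain Admin requires a smart card; no password fallback exists.'
}

# Smart card removal behavior is stored as a string under Winlogon:
# 0 = no action, 1 = lock workstation, 2 = force logoff
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$opt = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
switch ($opt) {
    '1'     { 'Removal behavior: Lock Workstation' }
    '2'     { 'Removal behavior: Force Logoff' }
    default { Write-Warning "Removal behavior is not lock or log off (value: '$opt')" }
}
```

Run it from an elevated PowerShell session on a domain-joined workstation; the registry check reports only that machine's effective setting.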
Because smart card users will no longer use the Windows Security dialog box to change their password, you'll need to educate them about how to change their PINs. Smart card reader vendors supply a utility that lets users change their PINs.
A Smart Choice
Smart cards are a smart way to improve logon security in your Win2K network. And as you've just seen, the installation and use of smart cards and smart card readers is straightforward.