The Secure Access Using Smart Cards Planning Guide

This guide is designed to help organizations use smart cards to increase security on administrator and remote access accounts. It highlights the issues faced and the approaches to designing smart card solutions, and examines the issues that arise when deploying smart cards to users.
  • Note: There are multiple files available for this download. Once you click on the "Download" button, you will be prompted to select the files you need.


    File Name: Secure Access Using Smart Cards Planning Guide v1.1.doc

    Date Published:

    File Size: 726 KB, 3 KB

      Administrators are increasingly aware of the dangers that result if they rely only on user names and passwords to provide authentication to network resources. Attackers can guess user names, or use such publicly available information as an e-mail address on a business card to identify a user name. When an attacker knows a user name, the only security mechanism that remains is a user’s password.

      Single secrets such as passwords can be effective security controls. A long password of more than 10 characters that consists of random letters, numbers, and special characters can be very difficult to crack. Unfortunately, users cannot always remember these sorts of passwords, partly due to fundamental human limitations.

      Research by George A. Miller, published in The Psychological Review in 1956, concluded that the human brain has a short-term memory limit of between five and nine random characters, with an average of seven. However, most security guidance recommends at least an eight-character random password. Because most users cannot commit an eight‑character random password to memory, many opt to write it down on a piece of paper.

      Users rarely show great discretion when they write down passwords, and so provide opportunities for attackers to compromise their credentials. Where there are no restrictions on password complexity, users tend to choose easy-to-remember passwords such as "password" or other easily guessed words.

      Pass phrases are longer passwords that users can remember more easily. Microsoft® Windows® 2000, and later versions of the Windows operating system, supports passwords of up to 127 characters in length. A strong pass phrase such as "I like 5-a-side football!" significantly increases the difficulty for tools that use brute force methods to crack a password and is easier for a user to remember than a random mix of letters and numbers.

      Two-factor authentication systems overcome the issues of single-secret authentication by requiring a second secret. Two-factor authentication uses a combination of the following items:
      • Something that the user has, such as a hardware token or a smart card.

      • Something the user knows, such as a personal identification number (PIN).

      Smart cards and their associated PINs are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, the user must have the smart card and know the PIN to gain access to network resources. The two-factor requirement significantly reduces the likelihood of unauthorized access to an organization’s network.

      Smart cards provide particularly effective security control in two scenarios: to secure administrator accounts and to secure remote access. This guide concentrates on these two scenarios as the priority areas in which to implement smart cards.

      Because administrator-level accounts have a wide range of user rights, compromise of one of these accounts can give an intruder access to all network resources. It is essential to safeguard administrator-level access because the theft of domain administrator-level account credentials jeopardizes the integrity of the domain, and possibly the entire forest, together with any other trusting forests. Two-factor authentication is essential for administrator authentication.

      Organizations can provide an important additional layer of security if they implement smart cards for users who require remote connectivity to network resources. Two-factor authentication is particularly important with remote users, because it is not possible to provide any form of physical access control for remote connections. Two-factor authentication with smart cards can increase security on the authentication process for remote users who connect through virtual private network (VPN) links.

      Send questions or feedback to us directly at

      05-10-2007 Known issues have been updated in the Release Notes. For more information, download the Release Notes.txt file.
  • Supported Operating System

    Windows Server 2003, Windows Vista, Windows XP

      1. Click the Download button at the top of the page to start the download.

      2. Do one of the following:

        • To open the document immediately, click Open.

        • To save the download to your preferred location on your computer, click Save or Save to disk.

    • Solution Accelerators are free, scenario-based guides and automations designed to help IT Professionals who are proactively planning, deploying, and operating IT systems using Microsoft products and technologies. Solution Accelerator scenarios focus on security and compliance, management and infrastructure, and communication and collaboration.

      Get the Solution Accelerator Notifications Newsletter

      Subscribe to the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as

      • Communication & Collaboration
      • Security, Data Protection, & Recovery
      • Deployment
      • Operations & Management

      You may also receive invitations to participate in accelerator development via beta programs and customer surveys. Solution Accelerator Notifications is currently available in English only.

      If you’ve used a Solution Accelerator within your organization, please share your experience with us by completing this short survey (less than ten minutes long).