The Smart Card Deployment Cookbook

Overview

Typically, a cookbook is a collection of recipes, or instructions, that explain how to do something and what you need to do it. This "cookbook" is a set of "recipes" for deploying smart cards in an enterprise that is deploying Microsoft Windows 2000 Active Directory. The white papers in this series will help you understand the principal smart card concepts and guide you through the planning tasks.

The cookbook is divided into three sections, which are described below.


About This Cookbook

Section 1: Smart Card Backgrounder

The papers in this section are designed to give you a foundation for understanding smart cards. They cover topics such as how smart cards have been used in organizations, the smart card architecture in Microsoft Windows 2000, smart card application development, and the public key infrastructure (PKI) requirements for deploying smart cards (for smart card logon, for example). By the end of this section you will be able to build a case for deploying smart cards in your organization based on:

An understanding of the ways in which the initial investment in deploying cards and readers can be leveraged to deploy a range of useful smart card applications.

An understanding of the smart card features shipped "in the box" with Windows 2000.

An understanding of the infrastructure components necessary to deploy smart cards for smart card logon.

Section 2: Smart Card Deployment Planning Considerations

The papers in this section provide you with the building blocks that allow you to start planning your smart card deployment, by setting out the kind of considerations to bear in mind. This includes factors such as:

Your network infrastructure and administration model

The basic considerations for planning a PKI

The details of planning the actual deployment

Section 3: Smart Card Deployment Scenario

The papers in this section describe a detailed deployment scenario that uses a fictitious company, Hay Buv Toys, as an example of an organization planning a smart card deployment. The section begins with a description of Hay Buv's current environment and its smart card deployment goals, then sets out its desired deployment environment. This section takes you through processes such as:

Deploying the PKI

Deploying smart cards

Deploying PKI-enabled applications for smart cards

Developing applications for Windows for Smart Cards


Who Should Read This Series

This deployment cookbook addresses the concepts behind deploying smart cards, the steps that are necessary to plan a successful deployment, and some of the tools that deployment requires. Therefore, it will be of use to the following people:

Network engineers

System architects

Consultants


Section 1: Smart Card Backgrounder

Introduction to Windows for Smart Cards

This white paper covers the added value of using smart cards in the enterprise:

Business opportunities

Higher level of security

Legal aspects, and how smart cards relate to digital signature laws

Smart Card Concepts

This white paper covers basic smart card information, such as the following:

What is a smart card? This covers the different form factors, etc.

What can you do with a smart card? This covers some examples of uses for smart cards, e.g., stored value, credential storage, etc.

Windows Smart Card Subsystem:

PC/SC v1.0: what it is and why it's relevant.

ISO 7816: what it is and why it's relevant.

Why do cards differ from each other, e.g., GemPlus, Schlumberger?

Descriptions of the components in the architecture, i.e., readers, drivers, resource manager.

Support in Windows platforms, i.e., the files shipped in the box or downloaded, driver and card coverage in all Windows platforms.

Smart Cards and the Windows 2000 PKI

This white paper begins tying the concepts together.

What are the requirements for using smart cards to log on, sign e-mail, etc.? This includes a discussion of the need to deploy a CA infrastructure.

What is enrollment? This covers what is involved in enrollment from a software perspective, e.g., the necessary certificate templates, the enrollment station, how it interacts with the cryptographic service provider (CSP), etc.

What is smart card logon? This covers what is involved in logging on to the domain, how Winlogon and GINA interact, how Kerberos authentication fits in, UPNs, etc.

What is e-mail signing/encryption? This covers what is involved in signing/encrypting e-mail.


Section 2: Smart Card Deployment Planning Considerations

Running a Windows 2000 PKI Project

This white paper covers the typical considerations involved in planning a PKI:

Hierarchy

External root CA or self-signed

What's online and what's off-line

Enterprise CAs

Interoperability with non-Microsoft CAs

The kinds of tools you might use

Logistics of Smart Card Deployment

This white paper covers the typical considerations involved in planning a smart card deployment.

The kinds of card management tools you might need

Logistical processes, e.g., the kinds of steps you might want to have in place to verify identity before enrollment

The enrollment station vs. other approaches

Tracking cards throughout their lifecycle

Multi-application cards, e.g., logon plus an application

Escrow issues

Smart card-related interoperability issues, e.g., with non-Microsoft CAs


Section 3: Smart Card Deployment Scenario

Welcome to Hay Buv Toys

This white paper outlines the existing Hay Buv Toys Windows NT infrastructure and describes some of the issues being faced by this fictitious company in this scenario.

The Hay Buv Toys Environment

This white paper describes the PKI that is planned, based on the factors described in the first white paper in this section, together with an outline of the procedures that will be adopted to deploy smart cards. This paper covers the stages of the project and what is involved at each stage:

Pilot

Early adopter deployment

Phased mass deployment

Deploying the PKI

This white paper is a walkthrough that describes deploying the PKI step by step, including the test requirements at each stage.

Deploying Smart Cards

This white paper is a walkthrough that describes the steps and high-level processes necessary for deploying smart cards, starting with a pilot and progressing through the later stages, and describing the test requirements at each stage.

Deploying PKI-Enabled Applications for Smart Cards

This white paper is a walkthrough that describes the steps for deploying PKI-enabled applications such as S/MIME, VPN, SSL, or Windows logon, and how to require smart cards for them.

Developing Applications for Windows for Smart Cards

This white paper is a walkthrough that describes the steps for developing applications that are based on Windows for Smart Cards by using Visual Basic. Sample Visual Basic source code is provided for the Hay Buv Toys scenario.


Related Materials

The following document provides additional information about planning a Windows 2000 deployment:

Microsoft Windows 2000 Deployment Planning Guide (available at http://www.microsoft.com/windows2000/techinfo/reskit/dpg/default.asp)
