Networked data storage is an essential business requirement for nearly all organizations. Organizations often have to connect networks that contain sensitive and proprietary data to the Internet for communication and to generate revenue. The constant drive for greater connectivity exposes a significant security risk, because the majority of organizations use user names and passwords for authentication and to authorize access to network resources. Chapter 1, "Introduction," highlighted the main security issue with user name and password combinations. Because user names are not secret, only the password provides any effective security against an attacker who tries to impersonate a valid user. The realization of the vulnerability of user name and password credentials has resulted in increased interest in two-factor authentication systems.
Two-Factor Authentication

Two-factor authentication goes beyond the simple user name and password combination and requires a user to submit some form of unique token together with a PIN. A number of ways exist to implement two-factor authentication, and doubtless more will appear in the future.

Hardware Tokens

Hardware tokens are a two-factor authentication method whereby users have a physical item such as a key fob or a credit-card authenticator. This hardware provides a simple one-time authentication code, which typically changes every 60 seconds. Users must match the one-time code along with a secret PIN to identify themselves uniquely and gain access. Hardware tokens provide many of the benefits of smart cards, but can involve a more complex plan and deployment process. Microsoft® Windows Server™ 2003 and Windows® XP do not provide built-in support for hardware tokens.

Smart Cards

Smart cards are credit-card-sized plastic items that contain a microcomputer and a small amount of memory, which provide secure, tamper-proof storage for private keys and X.509 security certificates. Smart cards typically have 32 or 64 KB of Electrically Erasable Programmable Read Only Memory (EEPROM) and Read Only Memory (ROM), with just 1 KB of RAM. The ROM contains the smart card operating system, and the EEPROM contains the file and directory structures, the PIN management applet, and the authentication certificate. The RAM provides working memory for card operations, such as encryption and decryption. To authenticate to a computer or over a remote access connection, the user inserts the smart card into a suitable reader and enters the PIN. The user cannot gain access with just the PIN, or with just the smart card. Brute force attacks on smart card PINs are not possible, because the smart card locks out after several unsuccessful attempts to enter the PIN. Because PINs are usually eight characters or less, they are easier to remember than long random character passwords.
Smart cards are the two-factor authentication mechanism that Microsoft prefers.

Note: Smart card PINs do not have to be numeric. Smart card vendor development kits enable you to specify how many alphabetic, numeric, upper case, lower case, or non-alphanumeric characters you require.

Microsoft deploys smart cards for domain administrators and for remote access to network resources, and is keen to promote this practice as part of the defense-in-depth initiative. Microsoft Consulting Services, Premier Support, Customer Support Services, Microsoft partners, and other solution providers encourage organizations to use smart cards to secure network access. The following list outlines the steps required to implement a smart card solution for network administrators:
The following list outlines the process required to integrate a smart card solution for remote access.
Implementation Prerequisites

Smart card deployment requires a planned approach to ensure that organizations consider all the issues before the start of the implementation phase. This section covers the most common prerequisites, although there might be additional requirements in your environment.

Identification of Accounts

The identification of the users and the groups that require smart card access is an important part of a smart card deployment.

Note: Organizations that have the budget and security requirements to implement smart card access for all users can skip this step.

Groups and users that require smart cards might include:
An organization might also require smart card access for users and groups not in the previous list, such as board-level personnel. The identification of these accounts early in the process helps define the scope of the project and control costs. To identify critical accounts, you must define when to use smart cards. For example, good security practice recommends that administrators have two user accounts: a standard account for daily tasks such as e-mail, and an administrator-level account for server maintenance and other administrative tasks. Usually, the administrator would log on with the user-level account, and use the Secondary Logon service to perform administrative tasks. Alternatively, the administrator can use the Remote Desktop for Administration component of Windows Server 2003, which supports smart card logon. For more information about administrator accounts, see the Identification of Administrator Accounts and Groups section in Chapter 3, "Using Smart Cards to Help Secure Administrator Accounts."

Smart Card Infrastructure Support

Smart cards require a suitable infrastructure with support from the operating system and network elements. Microsoft provides support for smart card implementations that use the following components:
Additional components include enrollment stations and enrollment agents.

Public Key Infrastructure

Smart cards require a PKI to provide certificates with public key/private key pairs that enable account mapping in Active Directory. You can implement this PKI in one of two ways: outsource the certificate infrastructure to an external organization, or use Certificate Services in Windows Server 2003. Organizations can outsource all or part of the certificate management process for smart cards. Financial organizations can benefit if they link their PKI to an external trusted root for e-mail verification and for secure transactions with partner organizations. An alternate approach is to use Certificate Services in Windows Server 2003 to provide the PKI. For more information about Certificate Services in Windows Server 2003, see the Public Key Infrastructure for Windows Server 2003 Web site at www.microsoft.com/windowsserver2003/technologies/pki/default.mspx.

The PKI must have a mechanism that deals with certificate revocation. Certificate revocation is necessary when a certificate expires or when an attacker could have compromised a certificate. Each certificate includes the location of its certificate revocation list (CRL). For more information about how to manage certificate revocation, see the Manage Certificate Revocation topic at www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CS_procs_revocation.asp.

Certificate Templates

Windows Server 2003 provides specific certificate templates to issue digital certificates for use in smart cards. You can copy and customize these templates to fit your organization's requirements. The three certificate templates for smart card use are:
Windows Server 2003, Enterprise Edition, provides version 2 (v2) templates that you can modify and extend to provide multiple capabilities such as logon, signed e-mail messages, and file encryption. You can also extend certificate templates to provide additional information that your organization requires, such as medical details or pension entitlements. Windows Server 2003, Enterprise Edition supports autoenrollment, which makes management of smart cards easier in a large organization. The certificate renewal request can use the current certificate to sign the request.

Note: Microsoft strongly recommends that you upgrade a current Windows Server 2003 PKI to a Windows Server 2003 with Service Pack 1 (SP1) PKI to take advantage of enhanced security features.

For more information about certificate templates, see the Certificate Templates topic at www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ct_topnode.asp.

Windows Server 2003

Microsoft Windows 2000 Server supports smart cards for remote access and administrator authentication for console logon only. Implementing smart cards for administrators requires that the managed servers run Windows Server 2003, which supports secondary actions such as smart card logon over remote desktop protocol (RDP) connections. This operating system requirement includes the domain controllers. For more information about this requirement, see Chapter 3, "Using Smart Cards to Help Secure Administrator Accounts."

Active Directory

Active Directory is a key component for the implementation of smart card deployments. Active Directory in Windows Server 2003 contains built-in support to enforce smart card interactive logon and the ability to map accounts to certificates. This capability to map user accounts to certificates ties the private key on the smart card to the certificate held in Active Directory.
The presentation of smart card credentials at logon requires Active Directory to match that specific card to a unique user account. For more information about certificate mapping, see the Map Certificates to User Accounts topic at technet2.microsoft.com/windowsserver/en/library/0539dcf5-82c5-48e6-be8a-57bca16c7e171033.mspx?mfr=true. Active Directory also supports security groups and Group Policy to facilitate management of the smart card logon process and smart card issuance.

Security Groups

The smart card deployment and management process is significantly easier if you use security groups within Active Directory to organize users. For example, a typical smart card deployment might require you to create the following security groups:
For more information about how to create groups, see the Checklist: Creating a Group topic at www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_adgroups_checklist_create_group.asp.

Group Policy

Group Policy enables you to apply configuration settings to multiple computers. You can set up the requirement to use smart cards for interactive logon in a Group Policy object (GPO) and then apply that GPO to organizational units or sites in Active Directory. For more information about how to use Group Policy, see Chapter 3, "Using Smart Cards to Help Secure Administrator Accounts."

Enrollment Stations and Enrollment Agents

An organization can use a Web-based interface to issue or enroll users for smart cards, whereby users enter their credentials and obtain their smart card. However, this arrangement effectively downgrades the security for the smart card to the same level as the credentials presented to the Web interface. The preferred solution is to create enrollment stations and designate one or more administrators as enrollment agents.

Note: Organizations can use a Microsoft Management Console (MMC) interface or develop their own activation applications.

A typical enrollment station is a computer that has two smart card readers attached. One reader lets the enrollment agent log on and the other reader issues new smart cards to users. Enrollment stations require an enrollment certificate and must have permission to access the certificate templates. The enrollment station has a Group Policy setting that forces logoff as soon as the enrollment agent removes his smart card. A designated administrator takes on the role of the enrollment agent and uses his smart card to log on to the enrollment station. He then opens the Web page for certificate services, verifies the identity of the user, enrolls the user, and issues the enrolled smart card.
Organizations should carefully consider the required number of enrollment stations, and the location of these stations. The organization might co-locate an enrollment station within its security department offices alongside the facilities that issue facility or site access and other security passes. To expedite the initial deployment in a large organization, teams of enrollment agents can use laptops as mobile enrollment stations in branch offices.

Note: To reduce administrative complexity and to control smart card enrollment, it is highly recommended that you restrict the number of enrollment agents and enrollment stations to the minimum required for the deployment.

Activation Web Server

An activation Web server is a custom component that enables users to activate their new smart cards by PIN reset. Some vendor software development kits (SDKs) provide tools to assist in the construction of an activation Web server. Microsoft does not provide the activation server component. To reset the PIN, the user runs a cryptographic service provider (CSP) utility that generates a hexadecimal challenge string from the smart card. The user enters this challenge string into a field on the Web page and the activation Web server generates a response. The user types the response into the response field in the utility, which then allows the user to set the smart card PIN. The activation Web server can also be part of the management process. Help desk operators can use this process to unblock cards where the user has entered the incorrect PIN too many times. In this case, the user reads the challenge to the help desk operator, who replies with the response.

EAP-TLS

Certificate-based security environments use EAP-Transport Level Security (EAP-TLS) to provide the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticator.
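The following is an added model of the card-side behaviour described above and in the Smart Cards section: the PIN retry counter that blocks the card after too many wrong PINs, and the challenge/response exchange with the activation Web server that unblocks it and lets the user set a new PIN. It is illustration written for this chapter, not code from Microsoft or from any vendor SDK; the shared unblock key, the HMAC-SHA256 response construction, the 8-byte challenge and the retry limit of three are all assumptions, since real cards use vendor-specific mechanisms.

```python
import hashlib
import hmac
import secrets

# Constructed model of a smart card's PIN lockout and unblock flow.
# Assumption: the card and the activation Web server share a per-card
# unblock key; the server proves knowledge of it by answering a
# single-use random challenge. Retry limit and key size are assumed.

MAX_PIN_ATTEMPTS = 3   # assumed retry limit before the card blocks


def compute_response(unblock_key: bytes, challenge_hex: str) -> str:
    """Activation Web server side: derive the response from the challenge."""
    digest = hmac.new(unblock_key, bytes.fromhex(challenge_hex),
                      hashlib.sha256).digest()
    return digest[:8].hex().upper()      # short enough for a user to type


class SmartCard:
    def __init__(self, pin: str, unblock_key: bytes):
        self._pin = pin
        self._unblock_key = unblock_key  # shared with the activation server
        self.attempts_left = MAX_PIN_ATTEMPTS
        self._pending_challenge = None

    @property
    def blocked(self) -> bool:
        return self.attempts_left == 0

    def verify_pin(self, pin: str) -> bool:
        """A blocked card rejects every PIN, including the correct one."""
        if self.blocked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.attempts_left = MAX_PIN_ATTEMPTS   # good PIN resets counter
            return True
        self.attempts_left -= 1
        return False

    def new_challenge(self) -> str:
        """Hex challenge the CSP utility would display to the user."""
        self._pending_challenge = secrets.token_bytes(8)
        return self._pending_challenge.hex().upper()

    def unblock(self, response_hex: str, new_pin: str) -> bool:
        """Check the server's response; on success set the PIN and reset."""
        if self._pending_challenge is None:
            return False                 # no outstanding challenge
        expected = compute_response(self._unblock_key,
                                    self._pending_challenge.hex())
        self._pending_challenge = None   # every challenge is single-use
        if not hmac.compare_digest(expected, response_hex.upper()):
            return False
        self._pin = new_pin
        self.attempts_left = MAX_PIN_ATTEMPTS
        return True


def unblock_flow(card: SmartCard, server_key: bytes, new_pin: str) -> bool:
    """The round trip: card challenge -> server response -> card unblock."""
    challenge = card.new_challenge()
    response = compute_response(server_key, challenge)
    return card.unblock(response, new_pin)
```

A help desk operator reading the response back to the user is the same exchange, with the operator's console playing the server role.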
RFC 2284 provides a detailed description of EAP.

Evaluating Smart Cards

The primary factor during the evaluation of smart cards is to ensure that the model you choose can support your planned key length. Windows Server 2003 supports certificate key lengths from 384 bits (low security) to 16,384 bits (maximum security). Certificates that have longer key lengths provide greater security than shorter key lengths, but longer key lengths significantly increase the time to log on with a smart card. Memory limitations in the smart card also restrict the maximum key length you can use. Certificate key lengths of 1,024 bits are suitable to secure administrator accounts or to secure remote access. A certificate with a 1,024-bit key takes approximately 2.5 KB of memory space in the smart card. Other memory requirements include the operating system (16 KB), smart card vendor applications such as the CSP (8 KB), and the smart card file and directory structure (4 KB). Hence, smart cards that have less than 32 KB of memory are unlikely to be suitable for the storage of logon certificates and to provide the required functionality to extend a smart card solution. The second factor to consider is whether the card has built-in support for Windows Server 2003 and Windows XP. Before you purchase smart cards, discuss your requirements with the vendor.

Note: You should obtain smart cards directly from their respective vendors. Smart cards are not available from Microsoft.

Although Windows XP and the Windows Server 2003 family include built-in support for some smart cards, additional RSA-based cryptographic smart cards also function well with those operating systems. For those cards whose support is not included natively within Windows, the card vendor must implement a CSP for the card that uses the CryptoAPI.
For more information about the evaluation of smart cards, see the Evaluating Smart Cards and Readers topic at http://technet2.microsoft.com/windowsserver/en/library/0eae38ec-d6e5-4ca7-96a3-42f2fd6c6e741033.mspx.

PIN Management

A user can change the PIN for a smart card at any time by the use of a utility that enables the CSP to display the private key PIN dialog box. The user then enters the old PIN and the new PIN twice. Because users find it easier to remember PINs that they select, tools should be available to allow them to change their PIN.

Note: Users might need to be reminded not to set easily guessed PINs, such as their date of birth, car license plate, or telephone numbers.

The user is responsible for PIN management through the facilities that the CSP provides. Windows XP and the Windows Server 2003 family of operating systems do not manage PINs. For PIN management tools and instructions, contact your smart card vendor. Most smart card vendors offer smart cards that integrate directly with Windows 2000 or later with no additional customization or development. Manufacturers supply these smart cards with a preset PIN and you can place restrictions on the card such as requiring a PIN reset on enrollment. However, many enterprises do not find this arrangement acceptable. To create a more complex and secure PIN, use the PIN management tools to require that users choose a PIN of between five and eight characters in length. Make sure the smart card manufacturer you select supports PINs of up to eight characters.

Smart Card Software Development Kits

Microsoft does not provide an off-the-shelf solution for smart card deployment. You might have to provide additional customization if your environment requires it. Smart card vendors offer SDKs and personalization tools that enable organizations to customize their smart card deployments. For example, developers can use an SDK to issue smart cards in a pending state.
When the enrollment agent issues the card, the user activates the card and changes the PIN. If you want to take advantage of the greater security this method provides, you must budget for additional customization and development.

Evaluating Smart Card Readers

The principal factor when you select a suitable smart card reader is to choose one that is best suited to its purpose. For example, a modern workstation that sits underneath an administrator's desk has two or more USB connections, so a USB smart card reader is probably the most appropriate choice. The user can attach the smart card reader to the side of his monitor or place the reader in another convenient location. Users that make remote access connections from laptops usually prefer a smart card reader in the PC card format. Keyboards can include smart card readers that also work through a USB interface. These keyboards are suitable for use with a single computer, and might work with multiple computers in server racks through USB-equipped Keyboard Video Mouse (KVM) switches. Check with your chosen KVM switch manufacturer to see whether their KVM switches support smart card authentication to multiple servers. Windows XP and the Windows Server 2003 family support the smart card readers listed in the following table. Windows installs the correct drivers upon detection of the Plug and Play smart card reader hardware.

Note: Microsoft strongly recommends that you use smart card readers that have obtained the Windows-compatible logo.

Table 2.1: Smart Card Readers Supported in Windows Server 2003
Note: Smart card readers that use a serial interface require a computer restart after installation. This requirement might not be acceptable for server implementations.

Microsoft neither supports nor recommends the use of smart card readers that are not Plug and Play. If you use such a reader, you must obtain installation instructions (this includes associated device driver software) directly from the manufacturer of the smart card reader.

The Woodgrove National Bank Scenario

The remaining chapters of this guide use the Woodgrove National Bank scenario. Woodgrove National Bank is a fictional global investment bank that serves institutional, corporate, government, and individual clients in its role as a financial intermediary. Its business includes securities, sales and trading, financial advisory services, investment research, venture capital, and brokerage services for financial institutions. Woodgrove National Bank employs more than 15,000 people in more than 60 offices worldwide. They have corporate headquarters (hub locations) that have large numbers of employees in New York (5,000 employees), London (5,200 employees), and Tokyo (500 employees). Each hub location supports several offices. Although Woodgrove National Bank has a mixed server environment with Windows Server and UNIX, their infrastructure runs on a Windows Server backbone. They have 1,712 Windows servers, most of which run Windows Server 2003. About 100 of these servers are Internet-facing. There are also 18,000 workstations within the organization, and 2,000 laptops. The organization is in the process of setting a baseline that standardizes on Windows XP Professional with SP2 and a server standard of Windows Server 2003 with SP1. The majority of servers are located in three corporate headquarters locations. The organization has distributed the workstations and laptops throughout all locations. The laptops often move between countries or regions.
Woodgrove National Bank uses Microsoft Systems Management Server 2003 to manage desktop and laptop computers and Microsoft Operations Manager (MOM) 2005 to manage servers. Woodgrove National Bank must operate within the requirements of the relevant financial regulatory frameworks for each country/region in which it operates. It must also comply with all applicable data protection legislation and demonstrate effective operational security. The remainder of this document describes the design choices available to Woodgrove National Bank as they planned their smart card deployment.

Summary

This chapter described common considerations needed to plan smart card authentication solutions. These include the prerequisites, such as a PKI and Active Directory. It outlined the need to evaluate smart cards and smart card readers, and covered the issues of smart card memory, key length, and PIN management. The chapters that follow concentrate on the unique aspects of using smart cards to help secure administrator accounts and to help secure remote access to networks.