The Secure Access Using Smart Cards Planning Guide

Chapter 4 - Using Smart Cards to Help Secure Remote Access Accounts

Updated: June 30, 2005

Most organizations must provide remote access to network resources over dial-up or virtual private network (VPN) connections. Ongoing changes to business practices, such as support for remote users or field sales staff, will only accelerate this trend. Although remote access provides numerous advantages to an organization, any external access significantly exposes the organization's network to potential security threats. Two-factor authentication is increasingly a requirement for networks that support remote access.

On This Page
Securing Remote Access with Smart Cards
Issues and Requirements
Designing the Solution
Summary

Securing Remote Access with Smart Cards

Remote access should enable all authorized employees to reach an organization's intranet resources. To provide remote access through a VPN, you must open ports on your external firewalls. This increase in accessibility creates a route through which attackers can attempt to penetrate the network.

Chapter 1, "Introduction," of this guide points out that the authentication of accounts that rely on user names and passwords concentrates all the access control security on the password. Passwords are vulnerable to compromise, and the credentials for a compromised account that has remote access to a corporate network could be of interest to criminal organizations.

Although you can configure a domain account lockout policy for user accounts, the lockout policy itself gives an attacker an easy denial of service (DoS) attack: repeated bad password attempts against a known user name lock out the legitimate remote user. This attack does not compromise any information on the network, but it is a persistent source of frustration for the locked-out user.

Strong user authentication that uses digital certificates embedded in a smart card provides a robust and flexible approach to secure remote access connections.

Client Requirements

The use of smart cards to control remote access depends on the components that run on the remote client. You must have a good level of knowledge of these components, and in particular, Connection Manager and the Connection Manager Administration Kit (CMAK). Connection Manager centralizes and automates the establishment and management of network connections. Connection Manager supports the following key areas for the configuration of smart card access:

Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) for VPN and remote access connections

Application-level security checks to manage client computer configurations automatically

Computer security checks and validations that are part of the logon process

For more information about Connection Manager and CMAK, see Connection Manager Administration Kit at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/be5c1c37-109e-49bc-943e-6595832d5761.mspx.

Connection Manager for the Client

To implement a manageable remote access solution, you must create and deploy Connection Manager settings to multiple clients. To deploy Connection Manager to multiple clients, you create Connection Manager profiles.

Connection Manager profiles are customized Connection Manager client dialer packages that you create with CMAK and deploy to client computers as a self-extracting executable file. You can use any software distribution mechanism to distribute profiles, such as Group Policy, Microsoft® Systems Management Server 2003, CDs, or USB keys.

When you run the executable, it installs the profile onto the local computer, together with the appropriate telephone numbers or host addresses to connect to the remote access servers. When a user initiates a connection through their Connection Manager profile, Connection Manager automatically checks for the presence of a smart card and prompts the user for the PIN. If the user supplies the correct PIN, Connection Manager establishes the appropriate dial-up and VPN connections and authenticates the user's credentials.

Connection Manager also simplifies the connection process for the user. It limits the number of configuration options that a user can change, and helps to ensure that the user can always connect successfully. Organizations can customize Connection Manager to define:

Available phone numbers. A list of phone numbers available to the user based on their physical location.

Customized content. The dialer can include customized graphics, icons, messages, and Help content.

Pre-tunnel connections. A dial-up connection to the Internet that automatically occurs before the VPN connection attempt.

Pre-connection and post-connection actions. Examples include resetting the dialer profile or configuring Windows Firewall to ignore its configured exceptions to the packet filter rules.

Operating System Requirements

The smart cards for remote access solution only works with Microsoft Windows® XP Professional. Microsoft recommends Windows XP Professional with SP2 or later. Client computers should have all current security updates installed.

Server Requirements

Server requirements for smart card access are relatively straightforward. The remote access servers must run Windows 2000 Server or later and must support EAP-TLS.

Note: Unlike the smart cards for the administrators scenario, the smart cards for the remote access scenario do not require Microsoft Windows Server™ 2003, although it is highly recommended that you upgrade your PKI to Windows Server 2003 with Service Pack 1 (SP1) or later.

Dial-up and VPN Considerations

The solution that uses smart cards to secure remote access supports dial-up access through Integrated Services Digital Network (ISDN) or Public Switched Telephone Network (PSTN) connections, but users might experience extended logon times.

Remote connections that use a VPN place an additional processor load on the remote access server. Smart card secured logon does not add noticeably to that load, but it can increase logon times. VPN remote access servers that service a high volume of inbound connections require fast processors, preferably in a multiprocessor configuration. Organizations that use IPsec-secured VPNs can install network cards that offload the IPsec encryption onto a separate processor on the card.

Support for Extensible Authentication Protocol

EAP-TLS is a mutual authentication method designed for use with security devices such as smart cards and hardware tokens. EAP-TLS works over Point-to-Point Protocol (PPP) and VPN connections, and the keys derived from its TLS handshake supply the shared secret for Microsoft Point-to-Point Encryption (MPPE).

The main benefits of EAP-TLS are its resistance to brute force and password-guessing attacks (there is no password on the wire to guess; the client proves possession of the private key held on the card) and its support for mutual authentication. With mutual authentication, both client and server must prove their identities to the other. If either client or server does not send a certificate to validate its identity, the connection terminates.

Windows Server 2003 supports EAP-TLS for dial-up and VPN connections, which enables the use of smart cards for remote users. For more information about EAP-TLS, see the Extensible Authentication Protocol topic at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/auth_eap.mspx

For more information about EAP certificate requirements, see Certificate Requirements when you use EAP-TLS and PEAP with EAP-TLS at http://support.microsoft.com/default.aspx?scid=kb;en-us;814394

Identify Authentication Server Requirements

To log on, remote users must present their credentials to an authentication service. Windows provides two authentication services for remote users:

Internet Authentication Service (IAS) servers

The Active Directory® directory service

If your organization decides to use the Remote Authentication Dial-In User Service (RADIUS) authentication provider, you must include IAS servers in your configuration. IAS is the Microsoft implementation of RADIUS, and runs as a service on Windows 2000 Server or later.

Organizations can gain benefits from the implementation of IAS for RADIUS authentication with smart cards, which include:

Centralized user authorization and authentication

Separate management and accounting mechanisms

Wide range of authorization and authentication options

The IAS server manages the authentication process. IAS validates the client certificate and its chain, and then uses the user principal name (UPN) carried in the certificate's Subject Alternative Name to look up the matching user account in Active Directory; an administrator can instead set an explicit certificate mapping on the account. If the lookup succeeds and the account is permitted to dial in, Active Directory authenticates the user.
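The following PowerShell script is an added example and is not part of the original guide. It checks a smart card user certificate against the EAP-TLS certificate requirements described above (trusted chain, revocation, Client Authentication EKU, UPN in the Subject Alternative Name) and then performs the same UPN lookup in Active Directory that IAS performs, including the check that the issuing CA is in the enterprise NTAuth store. The certificate path, the dial-in attribute interpretation and the explicit-mapping value it builds are assumptions; run it on a domain member.

```powershell
# Added example (not from the original guide): pre-deployment check of a smart
# card user certificate for EAP-TLS remote access. Assumptions: the .cer file
# was exported from the card, the machine is a domain member, and certutil is
# on the path.
function Test-SmartCardEapCertificate {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # 1. Enhanced Key Usage: EAP-TLS needs Client Authentication (1.3.6.1.5.5.7.3.2);
    #    interactive smart card logon additionally needs 1.3.6.1.4.1.311.20.2.2.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # 2. UPN: IAS matches the account on the SAN "Other Name: Principal Name=" entry.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($sanExt -and ($sanExt.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }

    # 3. Chain build with an online revocation check, as the IAS server does it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }

    # 4. NTAuth: UPN mapping only works when the issuing CA is in the enterprise
    #    NTAuth store. certutil prints "Cert Hash(sha1)" per entry; strip whitespace
    #    and compare thumbprints (-match is case-insensitive).
    $ntAuthText = (certutil -enterprise -store NTAuth | Out-String) -replace '\s', ''
    $inNtAuth = [bool]($issuer -and ($ntAuthText -match [regex]::Escape($issuer.Thumbprint)))

    # 5. Account lookup by UPN, plus the dial-in flag from the account's Dial-in tab.
    #    msNPAllowDialin absent = "Control access through Remote Access Policy".
    $account = $null
    $dialIn = $null
    if ($upn) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$upn))"
        [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'msNPAllowDialin', 'altSecurityIdentities'))
        $account = $searcher.FindOne()
        if ($account) {
            $vals = $account.Properties['msnpallowdialin']
            if ($vals -and $vals.Count -gt 0) { $dialIn = [bool]$vals[0] }
        }
    }

    # Explicit mapping value an administrator could put in altSecurityIdentities
    # instead of relying on the UPN: X509:<I>issuer<S>subject with the DN components
    # in reversed order. The naive split below does not handle escaped commas.
    $reverseDn = { param($dn) $p = $dn -split ',\s*'; [array]::Reverse($p); $p -join ',' }
    $explicitMapping = "X509:<I>$(& $reverseDn $cert.Issuer)<S>$(& $reverseDn $cert.Subject)"

    [pscustomobject]@{
        Subject           = $cert.Subject
        Upn               = $upn
        ClientAuthEku     = ($ekus -contains '1.3.6.1.5.5.7.3.2')
        SmartCardLogonEku = ($ekus -contains '1.3.6.1.4.1.311.20.2.2')
        ChainValid        = $chainOk
        ChainStatus       = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
        IssuerInNTAuth    = $inNtAuth
        AccountFound      = [bool]$account
        DialInAllowed     = $dialIn
        ExplicitMapping   = $explicitMapping
    }
}

# Usage (path is an assumption):
Test-SmartCardEapCertificate -CertPath '.\alice.cer' | Format-List
```

Every property except ExplicitMapping should come back true (or non-empty) before the card is sent to the user; a false IssuerInNTAuth is the classic cause of "certificate is valid but the user is unknown" failures at the IAS server, and is fixed with certutil -enterprise -addstore NTAuth on the issuing CA certificate.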

For more information about a design solution that uses IAS, see the "Designing the Solution" section later in this chapter.

Distribution and the Enrollment of the Smart Cards for Remote Access

The distribution and enrollment of smart cards for remote access follows a process similar to that for the administrator account solution as described in Chapter 3, "Using Smart Cards to Help Secure Administrator Accounts." The main differences are the higher number of users and that the process might take place in multiple countries/regions.

The verification of the remote user's identity is still an important part of the process. However, because remote users do not have the same rights as administrators, the use of photo identification such as a passport or driver's license should be adequate for identification purposes. A manager must provide justification before the administrator grants the user remote access.

Enrollment stations should still be in suitable locations, such as the personnel department or security department, and users can report there to collect their smart cards. If a user cannot travel to an enrollment station, you can use remote tools to enroll the user and to unblock and activate the smart card.

The enrollment procedure requires an enrollment agent to generate the certificate request on behalf of the user and install the resultant certificate on the smart card. The enrollment agent sends the blocked smart card to the user by a secure delivery method. The user then contacts the help desk, establishes his or her identity, and unblocks the smart card, as described in the section on the Activation Web Server in Chapter 2, "Smart Card Technologies."

Further Considerations

The introduction of secure remote access within an organization often results in an increase in the number of users who want to use the service. Organizations must review their current network infrastructure and, where necessary, provide additional resources. Areas to consider are:

Certificate revocation lists

High availability and bandwidth

Software update distribution

Certificate Revocation Lists

The implementation of certificates for remote users changes how clients locate the certificate revocation list (CRL) that they use to check that a certificate is still valid. The default CRL distribution point (CDP) URL for a Windows Server 2003 CA points to an intranet location, for example http://Certification_Root_Server_DNS_Name/CertEnroll/Certification_Authority_Name.crl.

For remote users, the CDP must also point to a location that is reachable from the Internet. Because the CDP extension is written into each certificate when it is issued, you must reconfigure the CA with both the intranet and the Internet URL before you issue the smart card certificates; certificates issued earlier carry only the intranet URL. For more information about the customization of CRLs, see the Specify certificate revocation list distribution points in issued certificates topic at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CSprocs_CDP.asp.

Note: Remote computers might time out while downloading the CRL over a slow connection. A CRL that cannot be retrieved makes the revocation check, and therefore the logon, fail, so keep the CRL small and the Internet-facing download location fast.
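As an added example, not part of the original guide, the following PowerShell commands reconfigure the CDP list on a Windows Server 2003 CA so that certificates issued from now on carry both an intranet and an Internet-reachable URL, publish a CRL, and then measure what a remote client would experience when fetching it. The CA name, host names and the external Web server are assumptions; run the certutil -setreg portion on the CA as a CA administrator.

```powershell
# Added example (not from the original guide). Assumptions: CA name, the two
# Web locations, and that the .crl file published to CertEnroll is copied to the
# external Web server by some existing mechanism.
$caName   = 'Woodgrove Issuing CA'
$intranet = 'http://ca01.corp.woodgrovebank.com/CertEnroll'   # existing internal CDP
$internet = 'http://pki.woodgrovebank.com/CertEnroll'         # Internet-facing Web server

# certutil flags for CA\CRLPublicationURLs:
#   1 = the CA writes the CRL file to this location
#   2 = include this URL in the CDP extension of every certificate issued from now on
# certutil expands %3 (CA name), %8 (CRL name suffix) and %9 (delta CRL suffix).
# Multi-valued entries are separated by a literal \n, which is certutil's own convention.
$cdp = @(
    "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
    "2:$intranet/%3%8%9.crl"
    "2:$internet/%3%8%9.crl"
) -join '\n'

certutil -setreg CA\CRLPublicationURLs $cdp
net stop certsvc; net start certsvc      # the CA reads CRLPublicationURLs at start-up
certutil -CRL                            # publish a fresh CRL so the file exists now
certutil -getreg CA\CRLPublicationURLs   # confirm all three entries are present

# On a client: walk the chain of an issued certificate and fetch every CDP/AIA URL
# it names; the output shows each URL tried and whether the CRL was verified.
certutil -verify -urlfetch .\user.cer

# Time the Internet CDP the way a remote client's CryptoAPI would. The 15-second
# budget matches CryptoAPI's default per-URL retrieval timeout; a fetch slower
# than that on the user's link is the time-out problem the note above describes.
function Measure-CrlFetch {
    param([Parameter(Mandatory)][string]$Url, [int]$TimeoutSeconds = 15)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = $TimeoutSeconds * 1000
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp  = $req.GetResponse()
        $bytes = $resp.ContentLength
        $resp.Close()
        $ok = $true
    } catch {
        $bytes = 0
        $ok = $false
    }
    $sw.Stop()
    [pscustomobject]@{
        Url     = $Url
        Ok      = $ok
        Bytes   = $bytes
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
    }
}

Measure-CrlFetch -Url ("$internet/" + [uri]::EscapeDataString("$caName.crl"))
```

Run Measure-CrlFetch from the slowest link you intend to support (the satellite and dial-up cases from the Woodgrove scenario); the Bytes column also tells you whether the CRL has grown large enough that the download itself, not just latency, is the problem.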

Software Update Distribution

The implementation of a mechanism for the distribution of software updates is an important step in the provision of smart cards for user access. Software updates include updated Connection Manager profiles and new releases of smart card tools.

You can distribute software updates by:

Externally accessible Web servers that contain the updates.

CDs or USB keys.

Software management solutions such as Systems Management Server (SMS) 2003.

E-mail messages that contain code-signed updates.

If you implement VPN quarantine, you can distribute Connection Manager profile updates by the use of the same method that you use to provide security updates and antivirus software. For more information about VPN quarantine, see Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide at http://go.microsoft.com/fwlink/?LinkId=41307.

The provision of Connection Manager and smart card updates through externally accessible Web servers enables users to download the updates before they connect to the organization's network. The downside is that it might not be possible to authenticate to the external Web server with the smart card, in which case users must log on with a user name and password to download updates. Although this appears to defeat the purpose of two-factor authentication, the Web server only serves update files, so you might consider the risk acceptable.

The use of CDs to distribute updates is a useful method for large initial rollouts, because the cost for each CD drops when produced in high volumes. USB keys are more appropriate for the distribution of updates on an individual basis.

The use of software management systems such as Systems Management Server 2003 to distribute software updates requires the computers to connect to the network. This mechanism can be suitable for mobile and remote users who connect to the LAN on a regular basis, and who use computers that are members of the organization's domain. However, software update mechanisms such as Systems Management Server are not appropriate for remote users who use their own computers from home.

You can e-mail updates in certain situations. To implement this method of software distribution, you must provide code-signed updates and train users to verify the code-signing signature, and the identity of the signer, before they run the update.
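The following PowerShell function is an added example, not part of the original guide, of the check a user or help desk analyst would run on an update that arrived by e-mail or from the external Web server: it verifies the Authenticode signature and pins the signer to the organization's own code-signing certificate by thumbprint, because a valid signature from the wrong signer is exactly what a user cannot tell apart by eye. The thumbprint and file path are assumptions.

```powershell
# Added example (not from the original guide). Assumptions: the expected
# thumbprint is the SHA-1 thumbprint of the organization's code-signing
# certificate, distributed to users out of band; the path is illustrative.
function Test-SignedUpdate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # Status 'Valid' means the file hash matches the signature, the signer's chain
    # builds to a trusted root, and the signing certificate is not revoked.
    $signatureValid  = ($sig.Status -eq 'Valid')
    # Pin the signer: a trusted-but-foreign signer still fails this check.
    $thumbprintMatch = [bool]($signer -and ($signer.Thumbprint -eq $ExpectedThumbprint))
    # A timestamp keeps the signature verifiable after the signing certificate expires,
    # which matters for updates kept on CDs or USB keys for months.
    $timestamped     = [bool]$sig.TimeStamperCertificate

    [pscustomobject]@{
        Path            = $Path
        Status          = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Signer          = if ($signer) { $signer.Subject } else { $null }
        SignatureValid  = $signatureValid
        ThumbprintMatch = $thumbprintMatch
        Timestamped     = $timestamped
        Trusted         = ($signatureValid -and $thumbprintMatch)
    }
}

# Usage (path is an assumption): refuse to run the update unless Trusted is true.
$check = Test-SignedUpdate -Path 'C:\Updates\WoodgroveVPN-Profile.exe'
$check | Format-List
if (-not $check.Trusted) { Write-Warning "Do not run $($check.Path): $($check.StatusMessage)" }
```

Ship the expected thumbprint with the smart card itself (for example on the letter that accompanies the card) rather than in the same e-mail as the update, so that an attacker who controls the mail channel cannot substitute both.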

This section covered the components that can provide smart card authentication for remote access accounts. The next section on Issues and Requirements looks at the issues that Woodgrove National Bank faces during the implementation of smart cards.

Issues and Requirements

During the planning and design phase of the smart card remote access solution, Woodgrove IT identified several business, technical, and security issues. The sections that follow describe those issues.

Woodgrove National Bank Scenario Background

Woodgrove National Bank provides remote access to its corporate network for sales staff, IT support workers, and executives. The current remote access solution employs dial-up networking through private circuits to dedicated remote access servers equipped with modems or Integrated Services Digital Network (ISDN) adapters. These connections are slow and expensive when compared to broadband, particularly for remote users who travel across the globe.

The increased availability of broadband Internet access allows organizations to use VPN for remote access. This approach reduces costs by the elimination of dial-up access and provides a better user experience, although it also increases the bank's vulnerability to malicious attack.

Complying with Legal Requirements

As a financial institution, Woodgrove National Bank must comply with strict legal requirements in various countries/regions. The bank must maintain customer confidence by protecting corporate and customer assets. Woodgrove National Bank implemented a secure computer initiative and set strict security policies on all computers that access the company network, whether those computers connect to the local area network (LAN) or remotely.

Verifying Users

Woodgrove National Bank's current remote access solution does not adequately cope with impersonation attacks (in which an attacker tries to guess the user name and password combination). Repeated guesses also trigger account lockout, which prevents the legitimate user from connecting. This vulnerability increases the risk to the corporate network and has forced Woodgrove National Bank to limit the connectivity options it provides to its employees.

Business Issues

Many executives use remote access. Although security is paramount during the deployment of a smart card solution, maintenance of remote worker productivity is also important. The deployed solution must properly balance these needs.

Maintaining Productivity

Employees often lose confidence in security-based solutions that affect productivity. Users are frequently frustrated if they are unable to access network resources during and directly after a solution deployment. Woodgrove IT must provide alternative access methods to help overcome these frustrations. The following list of tools provides alternative methods of network access:

Outlook Web Access. Provides the user with secure access to e-mail through a Web browser.

Remote Desktop and Terminal Services. Employees can use Remote Desktop and Terminal Services to access line-of-business applications and desktop files.

Help Desk Support

User acceptance and the integrity of a remote access solution often depend on the level of support available. Executives become frustrated if they spend time in support queues. Organizations must budget for training both the end user and support personnel.

Technical Issues

Woodgrove National Bank has identified several key technical issues that require attention prior to the smart card for remote access deployment. These issues include distribution of smart cards and smart card readers, the integration of the solution into the current network with minimal disruption, and integration into the current IT management infrastructure.

Supported smart card readers. Remote users might work from home on a range of computers that have various operating systems. The Woodgrove IT department decided that the only supported configuration would be Windows XP Professional with SP2 or later. Remote users who run Windows 2000 Professional had no assurances that the smart card readers would work with their computers.

Network latency. The time that packets take to travel from client to remote access server and back can cause VPN-secured connections to fail. This is particularly problematic on satellite broadband connections. Woodgrove National Bank decided not to support remote connections that exhibit average latency times of more than 300 milliseconds.

Smart card distribution. Because Woodgrove National Bank operates in several countries/regions around the world, distribution of smart cards is both a technical issue and a security issue. The enrollment agents must be able to contact the activation Web server regardless of which country/region they are in. Alternatively, users might have to unblock smart cards through a challenge/response system. Such a system might require development effort with the smart card vendor's software development kit (SDK).

Security Issues

The following issues affect the security strategy for the Woodgrove National Bank implementation of secure remote access using smart cards:

Remote access user identification. The Woodgrove National Bank IT department must validate the identity of remote access users during the smart card distribution and activation process.

Connection exceptions for the Woodgrove solution. Because smart cards can become lost, stolen, or simply forgotten, the Woodgrove IT department must ensure that its smart card deployment solution includes a fast method to securely distribute replacement smart cards and a method to handle exceptions while replacement cards are in transit.

Solution Requirements

The solution requirement for using smart cards to secure remote access accounts includes the following components:

Internet Authentication Service (IAS). The current IAS servers require upgrades to Windows Server 2003 with Service Pack 1 or later to facilitate the improved IP filters and acceptance of vendor-specific attributes. In addition, Woodgrove IT must enable support for EAP-TLS on the remote access servers.

Smart card user templates. Woodgrove National Bank must carry out customization of certificate templates and set the correct permissions on the templates. The certificate enrollment agent and smart card logon templates require suitable permissions.

Note: You can restrict remote access to smart card certificates by setting remote access policy to accept only a certificate with a specific object identifier. For more information about certificate templates and object identifiers, see the Implementing and Administering Certificate Templates in Windows Server 2003 white paper at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx.

PIN management tools. Users need a software utility to manage their own PINs. Most smart card vendors provide basic PIN management tools. Woodgrove IT decided to provide additional customization to integrate the PIN management tool with a remote PIN unblocking utility.

Group Policy objects (GPOs). Woodgrove IT must create the appropriate GPO for their organizational unit structure. These GPOs must include settings to support exceptions, such as a user who loses or forgets his or her smart card or PIN.

Connection Manager profiles. Woodgrove IT must create specially configured Connection Manager profiles that contain the appropriate dial-up or VPN server connection settings for the Woodgrove remote access servers. Woodgrove IT also needs to customize the text in the Connection Manager profile user interface to help users understand the connection process, and to tell the user what to do if problems arise. Woodgrove IT created different Connection Manager profiles for different users, such as executives, regular users, and one for administrative staff. Each profile had different priorities during connection setup. Administrators can connect remotely irrespective of network traffic levels.

Windows XP Professional with Service Pack 2. Woodgrove National Bank must upgrade all remote access computers to Windows XP Professional with SP2 or later. Windows XP Professional with SP2 offers improved security features such as Windows Firewall and better support for automatic updates that increase the integrity of the remote access solution. Windows XP Home with SP2 provides these security advantages, but cannot join a domain and make use of Group Policy. Windows 2000 Professional with SP4 does not have the security enhancements of Windows XP Professional with SP2.

Smart card and smart card reader procurement. Although Woodgrove National Bank has a mature PKI in place, the bank would gain little benefit from the installation of the Windows for Smart Cards operating system onto blank smart cards. Most vendors offer smart cards with the operating system already installed on the card. The choice of smart cards and smart card readers from a single vendor provides the benefit of a single point of contact for any support issues.

USB or PC card smart card readers. Creation of a standard baseline for deployment minimizes the cost of the installation of a smart card solution. Woodgrove National Bank implemented a corporate policy that requires all new portable computers to have built-in smart card readers. Woodgrove National Bank has also set a common standard for the supply of USB smart card readers. The bank supplies USB card readers to employees who use their own computers to work from home. Woodgrove has ensured continuity through a contract with the card reader supplier to supply the same model of card readers for two years.

Trust relationships. The Woodgrove National Bank smart card deployment used the current trust relationships between separate forests and any one-way trusts such as those between smaller, development team forests and the main corporate forest. This arrangement did not require any changes to the certificate templates.

Windows Server 2003 Public Key Infrastructure (PKI). Windows Server 2003 Certificate Services provides the ability to assign permissions to elements of a default smart card certificate template and to customize templates. The improved flexibility of template permissions is a key element that enables Woodgrove IT to delegate the defined certificate issuance model in a secure manner. The Woodgrove IT department uses the enhanced PKI features of Windows Server 2003 to set rules for certificate autorenewal. The IT department uses the certificate template permission features to require that Woodgrove National Bank security officers manually create all new smart card certificate enrollments. However, the user can automatically renew all current smart card certificates.

Woodgrove National Bank already had a Windows 2000 Server PKI in place when the organization made the decision to implement smart cards. For the initial pilot, the Woodgrove National Bank IT department decided to use its current Windows 2000-based security infrastructure to create and manage certificates for smart cards, instead of third-party services. However, the Woodgrove smart card security solution requires that certificates expire in one year. This requirement would incur large support costs from the manual renewal of tens of thousands of user certificates each year. Due to this increased administrative workload, the Woodgrove National Bank IT team decided to upgrade its PKI to Windows Server 2003.

If Woodgrove National Bank had used the Windows 2000 Server PKI for certificate autorenewal, their certificate renewal options would be limited to either setting all certificate renewals as autorenewal, or the manual renewal of all certificates. The autorenewal for all certificates would eliminate any flexibility for renewal options.

Designing the Solution

This section outlines the design choices that the Woodgrove National Bank IT department made to use smart cards to help secure remote access. This section includes the solution concept, solution prerequisites, and describes the solution architecture.

Solution Concept

The solution uses a combination of Group Policy settings, remote access policies, Connection Manager profiles, X.509 v3 user certificates installed on smart cards, and smart card readers. In outline, a remote access user launches a customized Connection Manager profile, which prompts the user to insert a smart card into the attached smart card reader. The operating system then prompts the user to enter a PIN. If the PIN is correct, the smart card cryptographic service provider (CSP) reads the certificate, and the account name it carries, from the card; the private key never leaves the card and is used only to sign the EAP-TLS handshake. Connection Manager then connects to the corporate remote access server and presents the credentials from the smart card. Active Directory authenticates these credentials and the remote access server grants the user access to the corporate network.

Solution Prerequisites

The prerequisites for the use of smart cards to secure remote access accounts are similar to those for the smart card solution to secure administrator accounts. You need to:

Consult users and groups

Recruit the project team

Set user expectations

Upgrade the hardware and software

Distribute and activate smart cards securely

Consult Users and Groups

Within the planning cycle, you should evaluate any current remote access solutions and consult those who use them. Woodgrove National Bank operates in several countries/regions that all have remote access users. The initial team canvassed feedback from the current remote access users and support teams to identify and engage potential users, groups, and support staff to include in the pilots.

Recruit the Project Team

You must ensure that you have the right personnel and skills to implement a project of this nature. The project team is likely to require input from the following representative occupations:

Program manager

Information systems architect

Systems analyst or integrator

Systems engineers

Product release manager

Product testing manager

Support or help desk manager

User support specialists

Security officers

For more information about representative occupations and role associations in the Microsoft Operations Framework (MOF), see The Microsoft Solutions Framework Supplemental Whitepapers – IT Occupation Taxonomy at http://www.microsoft.com/downloads/details.aspx?FamilyID=839058c3-d998-4700-b958-3bedfee2c053

If you do not have certain skills available in-house, you must recruit additional personnel. Because the project typically does not require all personnel at all stages, you must determine individual availability throughout the duration of the project.

Set User Expectations

The main issue for user expectations with smart card and remote access is that of the increased logon times. Users must expect logon times to increase by several seconds with smart card authentication.

Upgrade the Hardware and Software

The smart card for remote access solution requires the latest Microsoft operating systems and service packs. This requirement enables the remote access solution to take advantage of the latest advances and security facilities in Windows XP Professional with SP2 and Windows Server 2003 with SP1, such as Windows Firewall, Data Execution Prevention (DEP), Security Configuration Wizard, and VPN Quarantine.

The software upgrades might require upgrades to client or server hardware. A pilot program can establish whether older equipment can run the newer operating systems. To check whether equipment is certified for Windows XP or Windows Server 2003, see the Products Designed for Microsoft Windows – Windows Catalog and HCL topic at http://www.microsoft.com/whdc/hcl/default.mspx?gssnb=1.

Distribute and Activate Smart Cards Securely

Implementation of smart cards for remote access requires a secure method for smart card distribution and activation. Typically, this distribution process would require remote users to report to their local administrative office so that the enrollment agent can verify their identity, issue the smart card, and carry out the activation procedure. The Delegated Issuance Model section later in this chapter describes how Woodgrove National Bank distributed and activated smart cards for remote users.

Solution Architecture

The implementation of the Woodgrove National Bank smart card solution for remote access requires the following components:

Active Directory

IAS installed on a Windows Server 2003 server

Windows Server 2003 with SP1 with routing and remote access

Group Policy

Client computers that run Windows XP Professional with SP2 or later

Smart card readers

Smart cards with at least 32 KB memory

Connection Manager profiles created with CMAK

Client-side scripts for the Connection Manager profile

The Woodgrove IT department initially considered the provision of support for all currently deployed versions of Windows. However, the increased awareness of the threat to computers connected to the Internet led them to standardize on Windows XP Professional with SP2 or later.

User accounts and group memberships stored in Active Directory regulate remote connectivity and access to corporate resources at Woodgrove National Bank. Woodgrove IT also uses GPOs for the configuration of client computers to meet corporate network security policies.

How the Solution Works

This section provides technical details of the Woodgrove National Bank solution. It explains how Active Directory authenticates the user and traces the authentication path for the smart card credentials.

The following procedure enables remote access with smart cards:

1. A remote user logs on to a computer that has Internet access and a smart card reader attached. The user initiates the customized Connection Manager profile by double-clicking the connection labeled Woodgrove IT Connection Manager for smart cards.

2. The Connection Manager profile checks for a smart card in the smart card reader. A dialog box appears that prompts the user to enter the PIN. Connection Manager uses the PIN to perform key operations on the card as a system service because it cannot prompt and show the user interface (UI) on the desktop. If the user enters the correct PIN, the card unlocks and allows the remainder of the remote access logon process to continue.

3. The Local Security Authority (LSA) is the trusted operating system component that performs all authentications. SChannel, the code that implements SSL, runs partly in the LSA and initiates the mapping sequence.

4. The Connection Manager profile initiates a link to the IAS servers at Woodgrove National Bank using a dial-up or VPN connection. The IAS server performs a revocation check on the client certificate. With the certificate mapping to the user principal name (UPN), the issuing CA must be in the NTAUTH store. Explicit mapping can also be set on the Active Directory user account.

5. The LSA presents the user information to the IAS server. The SChannel code that runs on the IAS server sends a message to the SChannel code that resides on the domain controller and passes it the UPN information from the certificate.

6. The SChannel code that runs on the IAS server validates the certificate and then does a user lookup against the Active Directory on the domain controller. The domain controller generates a Privilege Access Certificate (PAC) that contains the user's 128-bit identifier and the group membership of the user. Future communications from this point use the Kerberos v5 protocol.

7. The domain controller transmits a randomly generated session key that includes the Kerberos Ticket Granting Ticket (TGT) to the client computer. Receipt of this key authenticates the remote access server to the client. Both computers have now mutually authenticated.

8. The client computer decrypts the logon session key and presents the Kerberos v5 TGT to the ticket granting service. After this process completes, all other Kerberos v5 protocol communication uses symmetric encryption.

9. If the user connected through a dial-up connection, a user name and password prompt appears. The user enters the credentials and can now access all network resources at Woodgrove Bank. Users who connect through VPN do not have to complete this step.

The following figure illustrates the steps to use a smart card for remote access authentication.

Figure 4.1 Remote access logon and authentication process that uses a smart card


The additional processor cycles required to process the smart card information adds approximately 20 to 25 seconds to the initial authentication process. After authentication is complete, performance is not affected.

Additional Design Considerations

The next section details additional considerations for smart card deployment, and includes the smart card distribution mechanism that Woodgrove National Bank used.

Delegated Issuance Model

The Woodgrove National Bank IT department developed a delegated issuance model for smart cards. This model offers responsive support that helps to ensure the highest level of security for the distribution of smart cards to employees around the world.

Woodgrove National Bank IT used a delegated issuance model to deploy smart cards outside the main Woodgrove National Bank IT center in London. The Woodgrove National Bank IT department sent technicians to offices around the world to train the delegated issuance officers (DIOs). The technicians trained the DIOs on how to distribute smart cards and how to use the smart card tools. After the initial visit, the DIOs participated in weekly conference calls with the Woodgrove National Bank central IT team to discuss issues that emerge.

The following figure illustrates the steps that make up the delegated issuance model for certificate request approval.

Figure 4.2 The smart card delegation process used to issue smart cards for remote access


The steps performed in accordance with this flowchart are:

1. The user requests a smart card from the DIO.

2. The DIO validates the user's identity against an acceptable form of identification, such as a passport or a driver's license, and checks the user's identity with the head of department. After the DIO confirms the user's identity, the DIO submits a certificate request to the security officer in London.

3. To validate the request, the security officer checks for any prior certificates issued in that user's name. The security officer also determines whether the user has made any other smart card requests. If there is no objection to issuing the smart card, the security officer gives approval. If the security officer uncovers a problem, the request must be subject to an audit, as described in step 5.

4. The DIO receives the approval and uses the enrollment agent account to issue the certificate. This certificate attaches to a new smart card, which the DIO issues to the user in person. The delegated issuance process then completes.

5. If there are concerns over the validity of the request, the security officer initiates an audit of the request to determine whether to grant approval for that user. After the audit concludes, the user must make a new request.

6. The delegated issuance process completes.

Woodgrove National Bank could only implement the delegated issuance model after Woodgrove IT migrated the corporate certificate authorities to Windows Server 2003. The Windows Server 2003 PKI provides the ability to apply detailed permissions to sections of the certificate templates, which enables the role of DIOs within the delegated issuance model. Within the issuance model, Woodgrove developed procedures to securely reissue lost or stolen smart cards.

Configure RADIUS Accounting

Although the maintenance of logs is not a requirement for the implementation of a remote access solution that uses smart cards, Microsoft strongly recommends it. If you use IAS, one benefit is the built-in support for the RADIUS accounting provider, which logs client connection requests and sessions. Woodgrove National Bank wants to monitor which users log on, when they log on, and for how long they connect to the corporate network. RADIUS gives Woodgrove the capability to analyze connection trends, with the aim to review and improve the service.

Each IAS server collects user session data, which it stores in Microsoft SQL Server™ Desktop Engine (Windows) (WMSDE) on Windows Server 2003 or on SQL Server 2000 Desktop Engine (MSDE 2000) on Windows 2000 Server and earlier. IAS transfers the accounting information from WMSDE or MSDE to a central SQL Server 2000 database in near real time. This arrangement ensures cost-effective use of SQL Server licensing and does not inhibit the server's performance.

Woodgrove National Bank deployed regional SQL Server-based data collection servers to collect IAS remote access session data.

Deploy Pilots

Woodgrove National Bank IT tests any solution in both a lab environment and more than one pilot before deployment to the production network. Woodgrove IT developed two pilots for the remote access smart card deployment: one involved a small but experienced group of users and the other included a more diverse group of users in several countries/regions with a wide range of remote access experience.

The pilot with the more experienced users enabled Woodgrove National Bank to identify the major problems with the smart card deployment. The more experienced users were able to cope with minor disruptions and unexpected dialog boxes. After the Woodgrove IT department completed the first pilot, they knew that the smart card solution would work but that some refinement was necessary.

The second pilot with the diverse range of users enabled the Woodgrove IT department to experience the sort of support calls expected from the full deployment. This pilot enabled the help desk to resolve technical issues and indicated any further development that might be required before the deployment of smart cards to all remote users.

Ensuring High Availability

The solution scenario must be highly reliable because maintained productivity is a key requirement of the remote access solution. Woodgrove National Bank must consider provisions for high availability. These include:

Load-balanced remote access servers

Load-balanced IAS servers

Redundant network paths

Note: Woodgrove Bank has geographically located Routing and Remote Access/IAS entry points because of the physical layout of the network.

Ensuring Adequate Network Bandwidth

System architects must consider current network paths, expected connection times, and the type and extent of the expected remote access traffic. The additional bandwidth that remote access users require should not be underestimated. The pilot deployments should help in the analysis of the remote access traffic patterns and the effect this traffic can have on the current network infrastructure. It is important that trials include nontechnical users and typical usage patterns to simulate the issues that are likely to appear in the full deployment. Hardware switches that incorporate bandwidth control and virtual local area networks (VLANs) can reduce the effects of remote access traffic on other users.

Woodgrove National Bank uses multiple Internet service providers to achieve good Internet connectivity. Much of the current bandwidth provides access to the Internet for Web research and e-mail. Woodgrove IT must reassess the current arrangements to allow for the additional traffic from remote access connections.

Exceptions

The system architects at Woodgrove National Bank understand that any solution must cope with situations in which business needs require temporary exemption for a device or devices from usual security requirements. For example, remote access for executives during a critical meeting might be exempt from the requirement for smart card authentication. If the smart card solution cannot provide exemptions for individual devices, the IT department would have to disable all secure remote access requirements simply to grant a single exemption. Hence, the smart card solution for remote access must support exceptions.

Note: The Woodgrove IT security group should be the sole authority that determines when the business need for an exemption justifies the security risk.

To deal with exceptions, Woodgrove IT created a new security group called RemoteSmartCardUsersTempException for temporary exceptions to the remote access smart card requirement. They then configured the remote access policies for the inbound remote access server as set out in the following table.

Table 4.1: Woodgrove National Bank Remote Access Policy Conditions

Requirement: Require smart card authentication for members of the remote access users group
Policy condition: Windows-Groups matches "WOODGROVE\RemoteSmartCardUsers"
Authentication type: EAP - Smart Card or other Certificate only

Requirement: Do not require smart card authentication for members of the temporary exclusions group
Policy condition: Windows-Groups matches "WOODGROVE\RemoteSmartCardUsersTempException"
Authentication type: MSCHAP v2

This arrangement enforces the smart card requirement on the members of RemoteSmartCardUsers group but not on the members of RemoteSmartCardUsersTempException. For more information about how to require smart card authentication for remote users, see the Configure smart card remote access topic at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/863638a6-f9e0-48d7-9db5-0b54af3cf135.mspx.
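As an added example (not part of the guide, and not Woodgrove's or Microsoft's code), the following Python script audits constructed, simplified RADIUS accounting records against the Table 4.1 policies, flags stale temporary exceptions, and totals connection time per user. The policy evaluation order, the seven-day exception limit, and the record layout are assumptions; the group names and authentication types come from the table.

```python
"""Added example: audit simplified IAS accounting records against Table 4.1."""
from collections import namedtuple
from datetime import datetime, timedelta

# Group names and authentication types exactly as Table 4.1 lists them.
SMART_CARD_GROUP = "WOODGROVE\\RemoteSmartCardUsers"
EXCEPTION_GROUP = "WOODGROVE\\RemoteSmartCardUsersTempException"
EAP_SMART_CARD = "EAP - Smart Card or other Certificate"
MSCHAP_V2 = "MSCHAP v2"

# IAS evaluates remote access policies in order and applies the first one whose
# conditions match. The exception policy is listed first here (assumption: the
# chapter does not state the order) so a user in both groups gets the exemption.
POLICIES = ((EXCEPTION_GROUP, MSCHAP_V2), (SMART_CARD_GROUP, EAP_SMART_CARD))

# Constructed, simplified accounting record; not the real IAS log layout.
Session = namedtuple("Session", "user groups auth_type start stop")


def expected_auth_type(groups):
    """Authentication type the ordered policies grant for these Windows
    groups, or None when no policy matches (IAS then rejects the attempt)."""
    for group, auth_type in POLICIES:
        if group in groups:
            return auth_type
    return None


def audit_sessions(sessions):
    """Flag sessions whose recorded authentication type is not the one the
    policy table allows for that user's group membership."""
    findings = []
    for s in sessions:
        allowed = expected_auth_type(s.groups)
        if allowed is None:
            findings.append((s.user, "connected although no policy matches"))
        elif s.auth_type != allowed:
            findings.append((s.user, f"used {s.auth_type}; policy requires {allowed}"))
    return findings


def audit_exceptions(granted, now, max_age=timedelta(days=7)):
    """Temporary exceptions older than max_age (a constructed limit; the chapter
    calls the exceptions temporary but sets no duration)."""
    return sorted(u for u, when in granted.items() if now - when > max_age)


def connected_minutes(sessions):
    """Who connected and for how long, the questions RADIUS accounting answers."""
    totals = {}
    for s in sessions:
        totals[s.user] = totals.get(s.user, 0.0) + (s.stop - s.start).total_seconds() / 60
    return totals


# Constructed sample data for one day of connections.
NOW = datetime(2005, 6, 30, 12, 0)
def T(h, m=0): return datetime(2005, 6, 30, h, m)
SAMPLE_SESSIONS = [
    Session("alice", {SMART_CARD_GROUP}, EAP_SMART_CARD, T(8), T(9, 30)),
    Session("bob", {SMART_CARD_GROUP}, MSCHAP_V2, T(10), T(10, 30)),
    Session("carol", {SMART_CARD_GROUP, EXCEPTION_GROUP}, MSCHAP_V2, T(11), T(12)),
    Session("dave", set(), MSCHAP_V2, T(11), T(11, 10)),
]
EXCEPTION_GRANTED = {"carol": NOW - timedelta(days=2), "erin": NOW - timedelta(days=30)}

if __name__ == "__main__":
    print(audit_sessions(SAMPLE_SESSIONS), audit_exceptions(EXCEPTION_GRANTED, NOW))
```

Running the script reports bob (smart card group member who authenticated with MSCHAP v2), dave (no matching policy) and the stale exception for erin.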

Apply Best Practices

The Woodgrove National Bank IT department established the following list of best practice recommendations:

Involve the help desk. A well-prepared help desk should be part of all smart card projects. After deployment, the help desk involvement changes to a maintenance role. It is essential to keep help desk personnel current about any changes in the internal system and any technological developments that affect usage.

Provide PIN management. Because the primary goal for the use of smart cards is to improve network security, the security of the data that the smart card stores is vital. Forgotten PINs are a challenge both during and after smart card deployment. You should check with your smart card vendor about the supply of PIN management tools and implement a PIN reset process for users who are unable to reset their PIN at a corporate location (for example, when they travel).

Implement anti-tamper measures. Smart cards require anti-tamper protection, so that the card locks up if a user enters the incorrect PIN five times in sequence.

Retain a post-deployment team. A post-deployment team can be much smaller than the initial deployment team, but is necessary to monitor system integrity regularly and to test and coordinate any upgrades to the smart card infrastructure.

Monitoring and Management

A solution that uses smart cards to secure remote access must include the ability to monitor the operational health of the solution. This process should provide the ability to monitor the entire network, a single asset, or list of assets in real time. The monitor tools must show the necessary information that an organization needs to provide operation support. If the solution does not meet this requirement, security personnel cannot determine if the solution maintains secure remote access connections effectively.

Identify Operational Considerations

Woodgrove IT identified the following operational considerations during the deployment of the solution:

Test authentication to internal applications. A smart card should affect initial logon only. The pilot program should test and verify successful authentication to internal applications.

Troubleshoot remote-client issues. Successful troubleshooting of client issues can require close cooperation among multiple teams spread across different time zones. Rigorous tests and a proper pilot deployment help reduce support calls.

Understand organizational remote access scenarios and threats. You must understand your organization's remote access scenarios, security threats, and the balance between them. Prioritizing the assets that need the most protection and determining the appropriate balance between cost and risk are strategic decisions that senior management must take.

Anticipate technical challenges. You should anticipate technical challenges, such as installation routines and distribution of smart card management tools. You might need to integrate the smart card solution into your existing enterprise management tools.

Monitor and manage performance issues. You must monitor and manage performance issues and set user expectations in advance of the deployment. For example, remote users who log on for the first time can experience a lengthy logon time if they select the Log on using dial-up connection check box on the Log On to Windows dialog box. You should ensure that remote users are aware of this delay.

Keep up to date. If you plan to upgrade to the latest technology, do so early in the project implementation process. This strategy provides a baseline client and server platform and removes many of the variables that you might otherwise encounter during deployment. Service stability should also increase and user support costs decrease.

Implement project phases. You should plan to implement the project in phases, and allow adequate time between phases for user adoption and for system and process stabilization. Phases that overlap can adversely affect the service, and will prevent the identification of service problems.

Consider personal assets. Remember that employees' home computers are their personal property and are not managed by corporate IT. If an employee does not want to or is unable to install the hardware and software to support smart card-secured remote access, other options are available. For example, Microsoft Outlook® Web Access provides employees with secure access to their Microsoft Exchange Server mailbox.

Manage changes to the solution. You must manage any changes and enhancements to the solution through similar processes to those required for the initial deployment.

Optimize the solution. All aspects of the smart card solution require periodic review and optimization. On a regular basis, Woodgrove IT needs to review the processes for enrollment and the need for account exceptions with the goal to improve security and integrity.

How to Extend the Solution

Smart cards offer considerable potential for application development. For example, programmers can adapt the smart card extensible open platform and secure memory for uses such as a cashless payment system for the cafeteria.

Although the use of smart cards to secure remote access reduces attacks by unauthorized users, the solution does not ensure that remote access computers comply with network security policies. Network Access Quarantine Control, a feature of Windows Server 2003 with SP1, can confirm that remote computers run the latest antivirus updates and security updates. Quarantine control can perform other checks, for example a check that the Windows Firewall on Windows XP with SP2 is enabled. For more information about quarantine control, see Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide at http://go.microsoft.com/fwlink/?LinkId=41307.

Summary

The implementation of smart cards to authenticate remote access connections provides greater security than simple user name and password combinations. Smart cards implement two-factor authentication through a combination of the smart card and a PIN. Two-factor authentication is significantly more difficult to compromise and the PIN is easier for a user to remember than a strong password.

The provision of smart card authentication for remote access users is a reliable and cost effective method that increases network security. This guide has taken you through the steps required to plan and implement this solution.
