With the release of Windows 2000, Microsoft has expanded support for smart cards. Smart cards are credit card-sized devices that have a microchip with an OS and a small amount of embedded nonvolatile memory. Their potential uses are many. For example, you can use them in mobile phones or as credit cards, employee identification badges, or a means to log on to computers. Let's look at how Win2K uses smart cards for logons and how to set up a smart card system in your Win2K network.
Win2K and Smart Cards
Win2K uses smart cards to store certificates and their associated private keys; the certificates and their keys identify the smart card user. (For information about certificates, see the sidebar "What's a Certificate?" page 9.) When users walk up to a suitably configured Win2K workstation and insert their smart cards into an attached smart card reader, the system initiates a logon process that's similar to pressing Ctrl+Alt+Del. However, instead of entering a username and password, users enter their PIN, which unlocks the smart card. This process is an example of two-factor authentication: the first factor is something you have (i.e., the smart card), and the second factor is something you know (i.e., the PIN). In a domain environment, the workstation sends the certificate in the smart card to a Key Distribution Center (KDC) as part of the Kerberos authentication protocol. The KDC checks that the certificate is valid, creates a logon session key, encrypts the logon session key with the public key in the certificate, and sends the encrypted logon session key back to the workstation. The workstation passes the encrypted logon session key to the smart card for decryption. The smart card, not the workstation, performs all cryptographic functions that involve the certificate and its private key. (For more information about these functions, read the white paper "Windows 2000 Kerberos Authentication," http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp.)
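As an added illustration (not part of the original article or Microsoft's implementation), the following Go program models the exchange just described with a constructed enterprise CA, card key and certificate: the KDC validates the presented certificate and encrypts a fresh logon session key to it, and only the card, holding the private key, can recover that key. The names NewPKI, KDCLogon and CardDecrypt are this example's own, and the model omits the Kerberos message formats.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewPKI builds a constructed enterprise CA and enrolls one user key pair (standing in for the key
// on the card) in a certificate expiring at notAfter: returns the CA trust pool, card key and cert.
func NewPKI(notAfter time.Time) (roots *x509.CertPool, cardKey *rsa.PrivateKey, cardCert *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Enterprise CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	cardKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, &cardKey.PublicKey, caKey)
	cardCert, _ = x509.ParseCertificate(userDER)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, cardKey, cardCert
}

// KDCLogon is the KDC side: the presented certificate must chain to the enterprise CA and be inside
// its validity period; only then is a fresh session key generated and encrypted to its public key.
func KDCLogon(roots *x509.CertPool, cert *x509.Certificate, now time.Time) (sessionKey, encrypted []byte, err error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return nil, nil, err // expired, or not issued by our CA: no session key, no logon
	}
	sessionKey = make([]byte, 32)
	rand.Read(sessionKey) // crypto/rand fills from the OS CSPRNG
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), sessionKey, nil)
	return sessionKey, encrypted, err
}

// CardDecrypt is the one step the workstation delegates to the card: recovering the session key
// proves possession of the private key, which never leaves the card.
func CardDecrypt(cardKey *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, cardKey, encrypted, nil)
}
```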
Setting Up the Environment
When you're deciding which smart card system to use, you need to keep one consideration in mind. You should standardize and purchase smart cards and smart card readers from only one vendor because smart cards from one vendor might not work in another vendor's reader. Using multiple vendors might limit users' ability to log on to any available workstation with one smart card, thereby potentially weakening security because users might have to carry several smart cards. This situation might also increase the number of calls to the Help desk.
To use smart cards for logons in a Win2K environment, you need to have an established public key infrastructure (PKI) to issue certificates to users with smart cards and to validate certificates. If you don't have a PKI in place, you can install Certificate Services, which comes with Win2K Server. Certificate Services lets you create an Enterprise Certificate Authority (CA) hierarchy, which integrates with Active Directory (AD), or a Standalone CA hierarchy, which doesn't integrate with AD. Many Win2K security mechanisms that can use certificates, including smart cards, require you to install an Enterprise CA hierarchy. For step-by-step instructions on how to install and configure Certificate Services, see "Securing Win2K with Certificate Services," September 2001.
Configuring a CA for Smart Cards
Before you can start issuing certificates for smart cards, you need to configure a CA to support the certificates. For security reasons, you should consider creating a CA hierarchy, dedicating a subordinate Enterprise CA solely for smart card enrollments, and setting permissions on it with the Microsoft Management Console (MMC) Certification Authority snap-in to prevent use by unauthorized users.
To issue certificates for smart cards, you need to add support for smart card certificate templates. Open the Certification Authority snap-in, select the appropriate CA, right-click Policy Settings, click New, then click New Certificate to Issue. Figure 1, page 7, shows the Select Certificate Template dialog box. Win2K supports two smart card certificate templates: Smartcard Logon, which lets you use smart cards for logons, and Smartcard User, which lets you use smart cards for logons and secure email. You also need to install the Enrollment Agent certificate template to use smart cards. After you select the Enrollment Agent certificate template and the appropriate smart card certificate template in the dialog box, click OK.
You must have a valid Enrollment Agent certificate to issue certificates to smart card users. By default, only members of the Enterprise Admins and Domain Admins groups can request Enrollment Agent certificates. You can modify the permissions on the Enrollment Agent certificate template to let other users and groups request certificates. To change permissions, open the MMC Active Directory Sites and Services snap-in. As Figure 2 shows, expand the Services node. If this node isn't visible, click Show Services Node on the View menu. Expand Public Key Services, then Certificate Templates. Right-click EnrollmentAgent, then select Properties. In the dialog box that appears, click the Security tab to modify the template's permissions.
You obtain an Enrollment Agent certificate by pointing your Web browser to the CertSrv virtual directory that's on the server on which the issuing CA resides. For example, if you've installed Certificate Services on a server called WebServer1, the URL would be http://webserver1/certsrv. In the Welcome page that appears, select Request a certificate, then click Next. You now need to select the type of certificate you want to request. Select Advanced Request, then click Next. This page asks you how you want to request a certificate. Select Submit a certificate request to this CA using a form, then click Next.
The form that follows asks you for information about the type of certificate you want to request, what you want to use the certificate for, the size of the public and private keys, and where you want to store the keys. In the Certificate Template section, you specify the type of certificate. Select Enrollment Agent from the drop-down list. In the Key Options section, select the Cryptographic Service Provider (CSP) that you want to use to generate the keys. Typically, you choose between two options: Microsoft Base Cryptographic Provider and Microsoft Enhanced Cryptographic Provider. Select the Base Cryptographic Provider if you need to export certificates from the United States and ensure their compatibility with international releases of Win2K. Otherwise, select the Enhanced Cryptographic Provider.
Besides specifying the CSP in the Key Options section, you also need to specify how you want to use the keys associated with the certificate and the key size. Because the Enrollment Agent certificate signs the certificates issued to smart card users, the key size should be reasonably large to make it difficult to crack. A key size of 1024 bits is suitable for most environments, but you can specify a larger key for enhanced security if needed. Just remember that if the key is too large, the computational load significantly increases and performance can suffer.
For the remaining options, you can usually accept the defaults. After you've completed the form, click Submit. The CA will process your request.
Installing Readers and Issuing Certificates
With the PKI installed and the CA configured, you can install the smart card readers on your servers and workstations. The installation process will vary from vendor to vendor. However, no matter the vendor, you need to check for updated drivers on the Microsoft Windows Update site (http://windowsupdate.microsoft.com/default.htm) and on the vendor's Web site. Be careful when installing or updating drivers because many vendors provide smart card logon solutions for environments that don't natively support them, such as Win2K when not networked, Windows NT 4.0, Windows Me, and Windows 9x. Install only those drivers that are necessary because other drivers can conflict with the Win2K security mechanisms for smart card logons.
After you've installed the smart card readers and verified that they work, you can issue certificates for users and write the certificates to the users' smart cards. Log on as a user who has an Enrollment Agent certificate, and point your browser to the CertSrv virtual directory on the server on which the issuing CA resides (e.g., http://webserver1/certsrv). Select Request a Certificate, then click Next. Select Advanced Request, then click Next. Select Request a certificate for a smart card, then click Next. You'll now see the Smart Card Enrollment Station form that Figure 3 shows. The Smart Card Enrollment Station is a component of the CertSrv virtual directory that was added to the Default Web Site of the server on which you installed Certificate Services.
In the enrollment form, select the Certificate Template that you want to use (i.e., Smartcard Logon or Smartcard User), the CA that you want to issue the certificate, and the CSP that you want to use to write the certificate to the smart card. Microsoft supplies CSPs for smart card readers from two vendors: Gemplus's GemSAFE and Schlumberger's Cryptoflex. If you installed a reader from another vendor, you should see that vendor's CSP in the drop-down list.
Next, select the signing certificate that you want to use. The signing certificate you specify in the Administrator Signing Certificate field will digitally sign the certificate issued to the smart card user. The signing certificate must be an Enrollment Agent certificate. By default, the name of a valid signing certificate appears. If you have more than one signing certificate issued to you, you can click Select Certificate to change the default.
Finally, select the user to whom you want to issue the certificate. To view a list of users to whom you can issue certificates, click Select User.
After you've completed the Smart Card Enrollment Station form, place a blank smart card into the reader and click Enroll to start writing the certificate to the smart card. This process can take several seconds; you'll receive a message when the process is finished. During the process, you might be required to enter the User or Administrator PIN for the smart card. Most cards come with a default PIN, so consult the smart card reader's accompanying documentation.
Be careful when you enter PINs. If you enter the wrong User PIN several times in a row, the smart card becomes locked. The only way you can unlock the card is to enter a valid Administrator PIN. If you enter the wrong Administrator PIN several times in a row, the smart card becomes permanently locked, which means you can't recover the smart card. Keep the Administrator PIN secret. You might consider using a range of Administrator PINs across batches of smart cards to improve security.
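An added example, not from the article or any vendor's card firmware, that models the PIN lockout behavior just described as a small Go state machine with constructed retry limits (three attempts at each level): wrong User PINs lock the card, only the Administrator PIN unlocks it and sets a new User PIN, and exhausting the Administrator attempts leaves the card permanently locked. The Card type and its methods are this example's own.

```go
package main

import "crypto/subtle"

// Constructed retry limits; real cards set these when they are personalized.
const maxUserTries, maxAdminTries = 3, 3

// Card is a hypothetical model of the two PINs a logon smart card carries.
type Card struct {
	userPIN, adminPIN     string
	userTries, adminTries int  // attempts remaining before each PIN locks
	Dead                  bool // admin counter exhausted: the card is unrecoverable
}

func NewCard(userPIN, adminPIN string) *Card {
	return &Card{userPIN: userPIN, adminPIN: adminPIN, userTries: maxUserTries, adminTries: maxAdminTries}
}

// UserLocked reports whether the logon PIN can still be used at all.
func (c *Card) UserLocked() bool { return c.Dead || c.userTries == 0 }

func pinMatches(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// VerifyUser is the check the Log on to Windows dialog drives. A correct PIN resets the
// counter; a wrong one burns an attempt; at zero the card refuses even the correct PIN.
func (c *Card) VerifyUser(pin string) bool {
	if c.UserLocked() {
		return false
	}
	if !pinMatches(pin, c.userPIN) {
		c.userTries--
		return false
	}
	c.userTries = maxUserTries
	return true
}

// AdminUnlock is the only way back from a locked User PIN: the Administrator PIN resets the
// user counter and sets a new User PIN. Wrong Administrator PINs count down too, and when
// that counter reaches zero the card is permanently locked.
func (c *Card) AdminUnlock(adminPIN, newUserPIN string) bool {
	if c.Dead {
		return false
	}
	if !pinMatches(adminPIN, c.adminPIN) {
		c.adminTries--
		c.Dead = c.adminTries == 0
		return false
	}
	c.adminTries = maxAdminTries
	c.userPIN, c.userTries = newUserPIN, maxUserTries
	return true
}
```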
After a smart card has a certificate, the user can log on to any workstation that has an attached smart card reader. These workstations have a slightly different Welcome to Windows dialog box. The dialog box has a smart card reader icon and text that asks the user to insert the smart card into the reader or press Ctrl+Alt+Del. If a user inserts a valid smart card into the reader, the Log on to Windows dialog box appears and asks the user to enter a PIN to unlock the card. After the card unlocks, the OS logs the user on to the system, assuming that the certificate in the smart card is valid.
You can configure your system two ways to further enhance logon security. First, you can force smart card users to use their smart cards to log on to a workstation. As Figure 4, page 9, shows, you use the MMC Active Directory Users and Computers snap-in to enable the Smart card is required for interactive logon option for each smart card user. If the user attempts to log on by pressing Ctrl+Alt+Del, the user receives a message that states the account has been disabled.
You can also enhance logon security by using Group Policy Editor (GPE) to set the Smart card removal behavior policy on each workstation. You can configure a workstation to either lock the console or log off the user when a user removes the smart card from the reader. As Figure 5 shows, you select Lock Workstation as the policy setting. This security enhancement is especially useful when you combine smart cards with building passes.
Managing Smart Cards
After you have the smart card readers working, you need to deal with the logistics of managing the smart cards. Certificates in smart cards have expiration dates, so you'll need to implement a process to manage their renewal. You'll also need to implement a process to revoke and replace certificates for lost smart cards. These processes aren't specific to certificates in smart cards, so you might already have such processes in place if you use certificates elsewhere in your organization (e.g., on Web servers). If you don't, the Distributed Systems Guide in the Microsoft Windows 2000 Server Resource Kit contains information about how to develop and implement these processes.
You should consider creating a special account for the IT personnel who'll be responsible for certificate management. These personnel don't need to be members of the Domain Admins or Enterprise Admins group if you modify the permissions on the Enrollment Agent certificate template. However, don't issue smart cards for them—if a problem occurs with the PKI or smart cards, they might find themselves unable to log on to correct the problem.
For similar reasons, you shouldn't require administrators to use smart cards to log on to domain controllers (DCs) or member servers in your domain. If you do issue smart cards to administrators, make sure that at least one administrator has the Smart card is required for interactive logon option disabled.
Because smart card users will no longer use the Windows Security dialog box to change their password, you'll need to educate them about how to change their PINs. Smart card reader vendors supply a utility that lets users change their PINs.
A Smart Choice
Smart cards are a smart way to improve logon security in your Win2K network. And as you've just seen, the installation and use of smart cards and smart card readers is straightforward.