Secure the logon process
EDITOR'S NOTE: The Buyer's Guide summarizes vendor-submitted information. To find out about future Buyer's Guide topics or to learn how to include your product in an upcoming Buyer's Guide, go to http://www.winnetmag.com/buyersguide.
Smart card solutions have enjoyed a recent rise in popularity with administrators who face the task of improving systems and network security. Smart cards are also becoming increasingly common in other areas and for services that require security, including satellite and cable descramblers, credit and stored-value cards, loyalty programs, and ID and authentication systems.
A smart card usually is credit card-sized, but rather than having a magnetic strip on the back, the smart card has a microchip attached to the card face. The microchip features some memory (usually between 4KB and 16KB) and an onboard OS that loads and waits for input/output when the card is placed into a compatible reader. Host computers talk to the OS rather than access the card's memory directly, and the OS controls what the host computer can read from and write to memory. To further protect stored data and to secure data that passes between the smart card OS and the host OS, the smart card OS supports cryptography. Smart cards are PIN-protected and support a user PIN and an administrator PIN. When a user supplies the OS with the correct PIN, the OS unlocks the card for user or administrator access. Depending on the application, users typically can read from the card and administrators can write to it.
Windows 2000 provides smart card support. Perhaps the most common smart card use in Windows environments is to secure the authentication or logon process. Rather than pressing Ctrl+Alt+Del and entering a username and password, users place their smart card into a smart card reader and enter their PIN—a process known as two-factor authentication. You can also use smart cards to store email-signing certificates, client-authentication certificates for Web sites, and certificates you use to establish VPN connections.
To support smart cards in Windows environments, you must have access to a public key infrastructure (PKI). You can use Certificate Services, which is included with Win2K Server, or a supported third-party product such as Baltimore Technologies' Baltimore UniCERT. You can use smart cards with certain applications on earlier platforms, but in those cases, you usually have to rely extensively on supporting drivers and third-party software.
Using smart cards in a Windows environment also requires smart card readers, and the vendor pool for these products is quite large. The products in this Buyer's Guide are typical of the readers available, although several leading vendors declined to participate. Most of the listed readers are Microsoft Windows Hardware Quality Labs (WHQL)-certified and feature Personal Computer/Smart Card (PC/SC) support, Microsoft's adopted industry standard. When considering smart card readers for your organization, weigh the following factors: support for various smart card standards, the interface supported between the reader and your systems (e.g., serial, USB, PC Card), driver support in Win2K (some readers require you to install additional drivers), and the availability of technical support. Ask vendors whose products interest you whether they can also supply you with smart cards; if not, ask which smart card vendor they recommend. You might need to install a Smart Card Cryptographic Provider (SCCP) for the smart cards you use if Windows doesn't natively support them.