Using smart cards with Windows 2000
In a relatively short period of time, computers have evolved from large boxes with very little power to the powerful systems of today. During that time, almost every aspect of the systems has evolved to make the computers faster, more efficient, and more secure. However, one aspect that hasn't really evolved is the concept of passwords. Sure, today we have encryption and other security features in place to secure passwords--but if a user tells someone their password, that person can gain unauthorized access to the system regardless of any security systems. All that has changed in Windows 2000, though, thanks to a device called a smart card. In this article, I'll explain how smart cards improve Windows 2000 security.
What is a smart card?
It's been said that if you want to make something really secure, you should use a hardware solution. That's exactly what a smart card is--a hardware replacement for usernames and passwords. The administrator issues a smart card to each network user. The card is programmed to contain the user's login name and password. The card can also contain a user's public key certificates.
Smart card security
Right now, you may be thinking that smart cards in a Windows 2000 network are more of a security threat than a security enhancement. After all, what's to stop some unethical person from stealing a smart card, logging in, and running amuck inside the system? Well, inserting a smart card is only part of the login process. When a user inserts a smart card into the system, the system will ask for the user's PIN number. If the user enters a PIN number that matches the one programmed into the card, the smart card will proceed to send the user's login name and password to Windows 2000 and initiate the authentication process. As you can see, stealing a smart card won't gain someone access to the system unless they also know the card's PIN number.
Normally, when a user logs in using a smart card, they have to enter the PIN number once, and they never have to enter a login name or password. The only exception is when the user logs in to the local computer rather than into the domain. If a user wants to use a local user account, they'll be prompted for the PIN in the usual manner. Once the PIN is entered, they're free to access the local system within the bounds of the local security policy. However, should the user try to access any network resources, Windows 2000 will sense that a domain login is necessary and will prompt the user for the PIN again, even though it has already been entered once.
You may also be concerned about the security of the passwords being sent between the smart cards and your domain controller. However, like every other authentication between machines running Windows 2000, smart card logins depend on Kerberos 5. The password is encrypted, and either the smart card or the computer itself must contain the appropriate keys before the authentication process can be completed.
Programming smart cards
Obviously, you can't just buy a box of smart cards, start passing them out to users, and expect them to work. Smart cards must be programmed by the administrator. To do so, the administrator must request a smart card certificate from the certificate authority. You can do this by using an enroll on behalf of function.
You'll need a dedicated machine to program smart cards, because the machine must contain an enrollment agent certificate before it can begin requesting smart card certificates. Even after the enrollment agent certificate has been issued to the machine, a domain administrator must be logged in to program the smart cards (only a domain administrator has the rights to use the enrollment agent certificate). You can acquire the enrollment agent certificate through the Certificates snap-in for Microsoft Management Console.
Once you've plugged a card reader into your dedicated machine and acquired your enrollment agent certificate, you're ready to start programming the smart cards. To do so, follow these steps:
- Log in as a domain administrator.
- Open Internet Explorer and enter the certificate server's URL. The URL will consist of the server's name followed by \Certsrv. For example, you might enter something like "SERVER1\Certsrv".
- When you see the associated Web page displayed, select the Request A Certificate option and click Next.
- Select the Advanced Request option and click Next.
- Select the option to Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station, and click Next.
- The Smart Card Enrollment Station's Web page will appear. This Web page contains several options; set them as listed in Table 1.
Table 1: Smart Card Enrollment Station Option Settings
Option Value Certification Template Smart Card Login Certificate Authority The certificate authority that will be issuing the certificate Cryptographic Service Provider The card manufacturer's cryptographic service provider Administrator Signing Certificate The enrollment agent certificate User To Enroll The login name of the user to whom you'll be issuing the smart card
If the user requires other functionality to be added to the smart card, you can do so by specifying different certification templates.
- Once the options are set, click the Submit Certificate Request button. The server will take a moment to process the request. Once this process completes, you'll be prompted to insert a smart card and enter a PIN number for the user. Doing so copies the certificate to the smart card.
This process allows you to control PIN numbers. Doing so has two advantages. First, you can avoid users setting up PIN numbers such as 1111 or 1234. The other advantage is that you won't have to change any more passwords. If a user forgets their PIN number, just look it up from a master list that you create along the way.
As you can see, security has moved well beyond the vulnerable passwords of yesterday. However, smart cards are more than just a handy way to store passwords: They offer an unparalleled method of ensuring secure transactions across your network. //
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.