Microsoft Smart Card Logon

Current Microsoft operating systems have certificate-based smart card logon already integrated, but without the necessary hardware (a reader) it is hidden from the user. Once a smart card reader is found, the logon screen shows a smart card reader symbol, indicating that secure logon is available. Because smart card logon is certificate based, a handful of other prerequisites must be fulfilled.

[Image: XP logon screen]

Prerequisites for Microsoft Smart Card Logon
- Windows Server 2003 or Windows 2000 Server
- PKI with Active Directory integration (Microsoft Certificate Services)
- XP Professional or Windows 2000 Professional with Microsoft GINA (msgina.dll)
- PC/SC compliant Smart Card Reader
- Smart Card with the right CSP (Cryptographic Service Provider)

Features - Configuration
With the prerequisites stated above, a smart card logon certificate issued by the PKI for the user can be enrolled onto the smart card. The behaviour for card insertion and removal (push and pull) events can be configured by group policies.
With the "smart card required for interactive logon" Account Policy, password logon can be deactivated completely, but not for remote access. The "on smart card removal" policy defines what happens when the card is pulled: possible settings are "no action", "lock" or even "logoff" of the user.
The PIN policy for the smart card need not be so strict, because dictionary attacks on smart cards are almost impossible thanks to the card's internal PIN administration.
Microsoft Windows supports multiple authentication procedures that can be done with certificates and smart cards, e.g. VPN, WLAN and Terminal Server, up to e-mail signatures. Smart cards, PKI and Active Directory together effectively contain a hidden Single Sign On solution.
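
An added example (not from the original page) of auditing the two settings described above: it reads an LDIF-style export of accounts, lists the enabled ones that can still log on with a password, and decodes the stored card-removal setting. It assumes the per-account option sets the SMARTCARD_REQUIRED bit (0x40000) of userAccountControl and that the removal policy is stored as the ScRemoveOption string; the sample export and the function names are constructed for illustration.

```python
# Added example: which accounts can still log on with a password?
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl: account disabled
UF_SMARTCARD_REQUIRED = 0x40000  # userAccountControl: smart card required

# "On smart card removal" values as stored in ScRemoveOption (a string).
SC_REMOVE_ACTIONS = {"0": "no action", "1": "lock", "2": "logoff"}

# Constructed sample export; names and domain are made up.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 262656

dn: CN=Bob,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 512

dn: CN=Carol,OU=Staff,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 514
"""

def parse_ldif(text):
    """Return one dict per record (single-valued attributes only)."""
    records = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and lines that are not key: value
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
        if entry:
            records.append(entry)
    return records

def password_logon_accounts(records):
    """Enabled accounts without SMARTCARD_REQUIRED: password logon works."""
    hits = []
    for rec in records:
        uac = int(rec.get("userAccountControl", "0"))
        if uac & UF_ACCOUNTDISABLE:
            continue  # disabled accounts cannot log on at all
        if not uac & UF_SMARTCARD_REQUIRED:
            hits.append(rec["sAMAccountName"])
    return sorted(hits)

def removal_action(sc_remove_option):
    """Map the stored policy value to the action named on this page."""
    return SC_REMOVE_ACTIONS.get(str(sc_remove_option), "unknown value")
```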

On Cryptoshop.com you can assemble the components yourself to cover your requirements, or to try out and evaluate in your test environment. To give your Microsoft infrastructure a little bit of smart card security you only need a Smart Card, a Smart Card Reader and a Smart Card CSP.
We especially recommend the following products for this purpose.

Forgotten Smart Card
Of course there is the problem of forgotten smart cards. One possible solution is to issue temporary cards with short-lived certificates, which card management systems can do without any effort.
Another possibility is to keep password logon available, but with a very strong password that is disclosed only in this special case: appliance-based Single Sign On solutions provide a self-service password reset after the user answers some self-service questions correctly.