Microsoft’s Implementation of Smart Cards for Remote Access
Published January 2002
Agenda
Solution Overview
Products & Technology
Smart Card Features
Business Benefits
Architecture
Deployment
Challenges
Future Plans
Lessons Learned
Summary
Solution Overview
Situation
Enterprises that allow for remote access to network assets are
becoming increasingly vulnerable to hackers and malicious intruders.
Solution
Using the existing Microsoft® Windows® 2000 Server infrastructure,
enterprises can employ Smart Cards to substantially increase the
strength of their network security. In addition, the extensible Smart Card
platform allows IT organizations to leverage the investment in Smart
Cards for many other applications to strengthen security and add
convenience to their employees.
Benefits
Strengthens security
Flexible
Simple
Leverages existing server infrastructure
Products & Technologies
Windows 2000 Server,
Windows 2000, the Active
Directory™ directory service,
Certificate Services
Smart Cards
“The use of Smart Cards will significantly increase the security
of our corporate network by improving our ability to
authenticate each employee and business partner as they
remotely connect to Microsoft.”
Greg Wood, General Manager, Corporate Security, Microsoft Corporation
Remote Access Services (RAS) at Microsoft
Microsoft’s Information Technology Group
Manages RAS security risks
50,000 employees, contingent staff & vendors using RAS
400 locations worldwide
Addressing authentication
Valid username and associated password
Two-factor authentication
Something you have (the Smart Card) as well as something you know
(the card’s Personal Identification Number, or PIN)
Home computer vulnerabilities
Viruses, Trojan horse applications, computer worms
Always-on, broadband Internet access heightens exposure
Smart Cards were chosen over alternative technology solutions
due to reliability, cost, features, and mobility
Smart Card Features
Tamper resistant
Requires a Smart Card reader
PIN
Takes advantage of technologies in Microsoft’s Windows
2000 Server infrastructure
Certificate Services feature
Public Key Infrastructure (PKI) security
Cryptographic Service Provider (CSP),
Extensible Authentication Protocol/Transport Layer Security
(EAP/TLS)
Current user interface
View Smart Card contents, reset the PIN, and add personal data
Future user interface
Add new certificates for different applications for added
functionality
Smart Card Business Benefits
Smart Cards offer two-factor authentication
Lost Smart Cards are easily rendered invalid by revoking the network logon certificate
Intruder would need the PIN to unlock access to a valid Smart Card
Extensible, open platform and secured memory contents provide potential future development benefits
Personal payment systems, data storage, and data ported between applications
“One thing we’ve seen as a potential benefit at Microsoft is password consolidation and storage. For the most part we’ve got a fairly robust single sign-on approach in our environment but a lot of enterprise customers don’t. They find it attractive to use the Smart Card and the Personal Identification Number (PIN) that unlocks the Smart Card as their one password.”
Pete Boden, Group Program Manager, ITG Smart Card Project, Microsoft Corporation
Architecture
Replacement photo ID building access badges for all employees
Includes embedded 32 KB cryptographic processor Smart Card chip
Client computer requirements
Windows XP Professional
Smart Card reader with appropriate port connector
Antivirus application
Additional client-side software
Several OEM-based Smart Card client features in Windows XP
Professional
Preconfigured version of Connection Manager standardizes all Smart Card
security configuration settings upon installation
Future development
Extending Connection Manager scripts to check overall security of RAS
client PC
Server-side changes
Logon certificates on the Smart Card and in the Active Directory are
issued by Windows 2000 Server Certificate Services feature using PKI
technology
Deployment
Acquired 32 KB Crypto processor Smart Card chip embedded in
standard RFID cardkeys
Centralized card management team formed
Issuance, card distribution management, second tier end-user support
Smart Card security officers distributed new Smart Cards
Verification of identity
Exchanged old building access badges for new Smart Card badges
User required to change initial PIN prior to remotely logging onto the
network
PIN required to be alphanumeric, 5 - 15 characters in length
Used PKI infrastructure to create logon certificates, delivered through
Windows 2000 Server’s Certificate Services
Delegated solution for regional distribution and administrative
responsibilities to minimize cost
Authorized to distribute replacement cards after acquiring Redmond
Security team approval
Supplied with pre-built Smart Cards whose unique serial numbers were
carefully tracked
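The two-factor logon, lost-card revocation and PIN policy described in this deck, as an added toy model in Python (this is not Microsoft's code or the ITG implementation). It assumes a plain challenge-response simplification of the EAP/TLS exchange, a three-try PIN lockout, and textbook RSA on tiny primes in place of the card's cryptographic processor; the card serials, user names and PINs are constructed sample values.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass, field

PIN_MIN, PIN_MAX = 5, 15   # the deployment's policy: alphanumeric PIN, 5-15 characters
MAX_PIN_TRIES = 3          # assumed retry limit before the card locks itself

def pin_policy_ok(pin: str) -> bool:
    return PIN_MIN <= len(pin) <= PIN_MAX and pin.isalnum()

# Textbook RSA on tiny primes stands in for the card's crypto processor: illustration only
def _next_prime(n: int) -> int:
    while n < 2 or any(n % i == 0 for i in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def make_keypair(seed_p: int, seed_q: int):
    p, q = _next_prime(seed_p), _next_prime(seed_q)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), pow(e, -1, phi)   # public (n, e), private d

def _digest(n: int, data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class SmartCard:
    """Something you have: the private key never leaves the card; the PIN gates its use."""
    serial: str
    public_key: tuple
    _private_d: int = field(repr=False)
    _pin: str = field(repr=False)
    tries_left: int = MAX_PIN_TRIES
    unlocked: bool = False
    def unlock(self, pin: str) -> bool:
        # Something you know: each wrong guess burns a try; at zero the card stays locked
        if self.tries_left == 0:
            return False
        if secrets.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left, self.unlocked = MAX_PIN_TRIES, True
            return True
        self.tries_left -= 1
        self.unlocked = False
        return False
    def change_pin(self, old: str, new: str) -> bool:
        if not pin_policy_ok(new) or not self.unlock(old):
            return False
        self._pin = new
        return True
    def sign(self, challenge: bytes) -> int:
        if not self.unlocked:
            raise PermissionError("card locked or PIN not presented")
        n, _ = self.public_key
        return pow(_digest(n, challenge), self._private_d, n)

class LogonServer:
    """Directory plus Certificate Services side: maps certificates to users, keeps the CRL."""
    def __init__(self):
        self.certs = {}    # serial -> (username, public key)
        self.crl = set()   # revoked serials, e.g. cards reported lost
    def issue_card(self, username, serial, initial_pin, seed_p, seed_q) -> SmartCard:
        pub, d = make_keypair(seed_p, seed_q)
        self.certs[serial] = (username, pub)
        return SmartCard(serial, pub, d, initial_pin)
    def revoke(self, serial: str) -> None:
        self.crl.add(serial)
    def authenticate(self, serial: str, challenge: bytes, signature: int):
        # A revoked certificate fails before any signature maths is done
        if serial in self.crl:
            return (False, "certificate revoked")
        if serial not in self.certs:
            return (False, "no mapped certificate")
        username, (n, e) = self.certs[serial]
        if pow(signature, e, n) != _digest(n, challenge):
            return (False, "bad signature")
        return (True, username)

def demo() -> dict:
    srv, out = LogonServer(), {}
    card = srv.issue_card("alice", "SC-0001", "init1", 1_000_000, 1_000_030)
    out["weak_pin_rejected"] = not card.change_pin("init1", "ab1")   # violates 5-15 rule
    out["pin_changed"] = card.change_pin("init1", "k7m2pq")          # user sets own PIN
    challenge = secrets.token_bytes(16)                               # fresh per logon
    out["wrong_pin"] = card.unlock("00000")
    card.unlock("k7m2pq")
    out["logon"] = srv.authenticate("SC-0001", challenge, card.sign(challenge))
    out["forged"] = srv.authenticate("SC-0001", challenge, card.sign(challenge) ^ 1)
    srv.revoke("SC-0001")                                            # card reported lost
    out["after_revoke"] = srv.authenticate("SC-0001", challenge, card.sign(challenge))
    lost = srv.issue_card("bob", "SC-0002", "init2", 1_000_100, 1_000_200)
    for guess in ("11111", "22222", "33333"):                        # finder tries PINs
        lost.unlock(guess)
    out["locked_even_with_right_pin"] = not lost.unlock("init2")
    return out
```

Running demo() walks through issuance, the forced initial PIN change, a normal logon, a tampered signature, revocation of a lost card and PIN lockout. The ordering in authenticate() is the point to keep: the server consults the revocation list before it trusts any signature, so a lost card that is still unlocked gets no access once its certificate is revoked; in the real deployment that list is the CRL published by Windows 2000 Server Certificate Services rather than an in-memory set.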
Challenges
Mobile users
PDA users cannot gain RAS access (no support for the EAP/TLS
protocol)
Device issues
Home users using Macintosh, UNIX, and Linux computers
cannot gain RAS access (no support for the EAP/TLS protocol)
Home computers
Home systems not upgrading to the Smart Card solution can use
the HTTPS secure alternative to access essential data via OWA
Integrated Services Digital Network (ISDN)
ISDN channel bonding is not supported, forcing potentially
significant reduction in user ISDN performance
Product selection
Smart Card models are evolving quickly, so enterprise-wide
standardization on one model may be challenging
Future Plans
Smart Card industry still maturing
Interoperability problems with various business systems
Likely consolidation in the next 12-24 months
Expect improved product standards, including plug-and-play
compatibility and greater integration with Windows platform
Better management of accounts with elevated privileges
Installed mapped certificate to minimize compromise and improve
audit trail
Portable digital signatures
Expanding applications support
Signing stock grants, securing financial/HR data, signing source
code, etc.
Lessons Learned
Planning
Understand Smart Card capabilities
Set deployment goals
Anticipate where Smart Card benefits can save money and time
Anticipate changes in technology over the next 12-24 months
Ensure staff is well trained in PKI
Deployment considerations
Not a solution to cover 100% of user population
Understand impact to non-standard clients and devices
Initial logon performance penalty adds ~30 seconds to logon
process
Increased network security benefits far outweigh logon delay
Summary
New focus on Security for corporations and governments
Microsoft sought to implement a two-factor authentication
security solution
Smart Card technology offered several advantages over
competing two-factor security technologies
Not burdensome for users to employ
Takes advantage of existing Windows 2000 Server PKI
infrastructure
Provides ITG with an extensible platform for future internal
application development
For More Information
Additional IT Showcase white papers, case
studies and presentations on ITG deployments
and best practices can be found on
http://www.microsoft.com
Microsoft’s TechNet
http://www.microsoft.com/technet/itshowcase
The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This document is provided for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, Outlook, Where do you want to go today?, Windows, Windows NT, and
Windows 2000 are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. Other product and
company names mentioned herein may be the trademarks of their respective
owners.