If security is a primary concern for your organization, you might want to consider the use of smart cards for both local and remote authentication. This adds a second level of security to the authentication process. Whereas traditional authentication via password requires only “something you know” (the password), smart card authentication also requires “something you have” (the card).

Along with biometric devices such as fingerprint readers and retinal scanners, smart cards represent a more secure way for users to gain access to the network. Smart cards are not as secure as most biometric devices, but they are more widely implemented and have a longer history of use (more than 11 years). In fact, there are many companies that issue smart cards and smart card readers along with Windows Server 2003-compliant drivers and software. Primarily because of several competing standards, smart card adoption has been slow, but their popularity continues to grow. Although they might not replace the standard log-on password anytime soon, smart card technology is full of potential.
What Are Smart Cards?
Most smart cards today look and feel like a credit card. The difference is that smart cards have either integrated circuit technology (with gold-colored metallic contact points on the surface of the card) or magnetic technology (located inside the card). Smart cards use these technologies to house an embedded microprocessor that is capable of storing everything from encryption keys to medical information (at least in theory). At present, smart cards are generally used for authentication, and sometimes for encrypted e-mail.

In the case of authentication, the user inserts a smart card into a smart card reader and enters his or her personal identification number, or PIN, similar to the process of using an ATM bank card. The reader can then forward the secure information contained in the card, eliminating the need for the user to type in a name and password (the actual process of authentication is described in more detail below). It is a more secure method of authentication because theft of a smart card does not compromise security—without the PIN, the card is useless, and without the card, knowledge of the PIN is useless.

Test Day Tip: For the exam, be aware that when smart card authentication is used, you cannot promote a server to a domain controller and you cannot join a computer to a domain. To accomplish these administrative tasks, a normal password logon is required from a user with appropriate permissions.

How Smart Card Authentication Works
After setting up an enrollment station (described below), any user with the enrollment agent certificate can issue smart cards to users. Enrollment is the process by which a CA grants a certificate to the card. The card itself generates a public/private key pair, and the certificate is used to protect the public key during transport. After enrollment, the user can insert the card at any workstation on the network, including terminal services clients and remote access clients, as long as a smart card reader is present.

If possible, clients logging on to a Windows Server 2003 network will be authenticated with the Kerberos protocol. In traditional authentication, a username and password typed in via the keyboard are used to encrypt communication between the client and the Key Distribution Center (KDC). With smart cards, however, the private key stored in the card automatically signs the timestamp that is sent to the KDC, eliminating the need for a password. In addition to the signed timestamp, the card’s certificate (including, of course, the card’s public key) is sent as well. When the KDC receives the package, known as a ticket-granting ticket (TGT) request, it verifies the public key and then uses that public key to verify the digital signature on the request. If everything checks out, the server authenticates the client by returning a ticket that is also encrypted with the card’s public key. Finally, the ticket is decrypted at the client’s workstation by the private key stored in the smart card.

Exam Warning: The CA that issues the smart card certificates must reside in the same network forest as the users. Users from a different forest will use local domain controllers to authenticate, and these domain controllers will not be able to validate the certificates they receive.

Deploying Smart Card Logon
Even though smart cards have been around for some time, many different standards still exist. This can complicate the deployment of a smart card solution, especially if Windows Server 2003 does not natively support the hardware you’ve chosen. In that case, several extra steps are required. Windows Server 2003, out of the box, contains drivers for two companies that manufacture smart cards and readers – Schlumberger and Gemplus. For any other vendor’s equipment, you’ll need to install drivers and the CSP (cryptographic service provider) that the vendor uses.

The first step in deployment is to prepare the appropriate certificate templates. These templates include the following:

■ Enrollment agent
■ Smart card logon
■ Smart card user certificates

The templates are not enabled by default and require some configuration. The second step is to issue the enrollment agent certificate. Finally, the smart cards need to be enrolled at the enrollment station. We’ll guide you through the step-by-step deployment process later in this chapter.
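The exchange described under “How Smart Card Authentication Works” (enrollment, the card-signed timestamp, the KDC’s certificate and signature checks, and the ticket wrapped to the card’s public key), as an added example that is not part of the original text or of Windows Server 2003 itself. It uses textbook RSA over fixed Mersenne primes purely so it runs offline; the 300-second replay window, the CA and subject names, and the JSON certificate format are constructed assumptions, not the real PKINIT or X.509 encodings.

```python
import hashlib, json, secrets

def rsa_keypair(p, q, e=65537):
    # Textbook RSA over fixed Mersenne primes: deterministic demo keys, NOT for real use
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def h(data: bytes, n: int) -> int:  # message representative for sign/verify
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data: bytes) -> int:
    return pow(h(data, priv[0]), priv[1], priv[0])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == h(data, pub[0])

def canon(obj) -> bytes:  # canonical encoding so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True).encode()

def issue_card_cert(ca_name, ca_priv, subject, card_pub):
    # Enrollment: the CA certifies the public key that the card itself generated
    cert = {"subject": subject, "issuer": ca_name, "pub": list(card_pub)}
    return cert, sign(ca_priv, canon(cert))

def card_logon_request(card_priv, cert, cert_sig, now: int):
    # The card signs the timestamp (bound to the subject) in place of a password
    tbs = f"{now}|{cert['subject']}".encode()
    return {"ts": now, "cert": cert, "cert_sig": cert_sig, "sig": sign(card_priv, tbs)}

def kdc_handle(req, trusted_cas, now: int, skew=300):
    """KDC side: (ticket, session_key) on success, (None, reason) otherwise."""
    cert, ca_pub = req["cert"], trusted_cas.get(req["cert"]["issuer"])
    if ca_pub is None:  # issuing CA is not one this forest trusts (see the Exam Warning)
        return None, "untrusted issuer"
    if not verify(ca_pub, canon(cert), req["cert_sig"]):
        return None, "bad certificate signature"
    if abs(now - req["ts"]) > skew:  # replay window; the 300 s value is assumed here
        return None, "stale timestamp"
    card_pub = tuple(cert["pub"])
    if not verify(card_pub, f"{req['ts']}|{cert['subject']}".encode(), req["sig"]):
        return None, "bad request signature"
    n, e = card_pub
    session_key = secrets.randbelow(n)  # only the card's private key can unwrap it
    return {"client": cert["subject"], "enc_key": pow(session_key, e, n)}, session_key

def client_unwrap(ticket, card_priv) -> int:  # workstation hands the ticket to the card
    return pow(ticket["enc_key"], card_priv[1], card_priv[0])

CA_PUB, CA_PRIV = rsa_keypair((1 << 89) - 1, (1 << 107) - 1)       # forest CA
CARD_PUB, CARD_PRIV = rsa_keypair((1 << 31) - 1, (1 << 61) - 1)    # generated on the card
CERT, CERT_SIG = issue_card_cert("CORP-CA", CA_PRIV, "alice@corp.example", CARD_PUB)
```

Running `kdc_handle` with a certificate from an issuer absent from `trusted_cas` reproduces the cross-forest failure the Exam Warning describes, and a request whose timestamp is altered in transit fails the signature check.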