Planning Distributed Security
Windows 2000 supports optional smart card authentication. Smart cards provide a very secure means of user authentication, interactive logon, code signing, and secure e-mail. However, deploying and maintaining a smart card program requires additional resources and costs.
The smart card contains a chip that stores the user's private key, logon information, and public key certificate. The user inserts the card into a smart card reader attached to the computer and, when prompted, types a personal identification number (PIN). The PIN is verified by the card itself and unlocks the private key for the logon; it is never sent to the domain controller.
Smart cards provide tamper-resistant authentication through onboard private key storage: signing operations are performed by the card, so the private key is not exposed to the host computer. The same private key is used in turn to provide other forms of security based on digital signatures and encryption.
Smart cards directly implement two-factor authentication (something the user has, the card, and something the user knows, the PIN), and indirectly permit data confidentiality, data integrity, and nonrepudiation for multiple applications, including domain logon, secure mail, and secure Web access.
Smart cards rely on the public key infrastructure (PKI) of Windows 2000. For more information about PKI, see "Planning Your Public Key Infrastructure" in this book.
In addition to PKI and the cards themselves, each computer needs a smart card reader. Set up at least one computer as a smart card enrollment station, and authorize at least one user to operate it. This does not require special hardware beyond a smart card reader, but the user who operates the enrollment station needs to be issued an Enrollment Agent certificate.
For detailed procedures on implementing smart cards, see Windows 2000 Server Help.
You need an enterprise certification authority rather than a stand-alone or third-party certification authority to support smart card logon to Windows 2000 domains. An enterprise CA is integrated with Active Directory: it issues certificates from templates tied to domain accounts and is trusted by domain controllers for logon, which is what allows a certificate on the card to be mapped to a domain user.
Microsoft supports industry standard Personal Computer/Smart Card (PC/SC)–compliant smart cards and readers and provides drivers for commercially available Plug and Play smart card readers. Smart card logon is supported for Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server systems. The security benefits of using smart cards are realized as more users of the enterprise become able to use smart cards for domain authentication, remote dial-up network access, and other applications.
Microsoft Windows 2000 does not support non-PC/SC-compliant or non–Plug and Play smart card readers. Some manufacturers might provide drivers for non–Plug and Play smart card readers that work with Windows 2000; nevertheless, it is recommended that you purchase only Plug and Play PC/SC-compliant smart card readers.
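The prerequisites named above (PC/SC readers visible to the Smart Card service, an enterprise CA in the forest, and an Enrollment Agent certificate for the enrollment station operator) can be audited from a domain-joined workstation. The following script is an added example and is not part of the Resource Kit or of Windows 2000, which shipped without PowerShell; it assumes PowerShell 3 or later on a current Windows version. The function names and report layout are this example's own; the winscard.dll calls, the SCARD_ error codes and the Microsoft EKU OIDs are real and unchanged.

```powershell
# Added example (not Resource Kit code): audit smart card logon prerequisites.
# Assumes PowerShell 3+ on a domain-joined Windows machine.

# PC/SC is exposed on Windows through winscard.dll. Asking the Smart Card
# resource manager for its reader list shows exactly which readers it accepts,
# which is the compatibility question this section raises.
if (-not ('WinSCard' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class WinSCard {
    public const uint SCARD_SCOPE_SYSTEM = 2;
    public const int  SCARD_E_NO_SERVICE           = unchecked((int)0x8010001D);
    public const int  SCARD_E_NO_READERS_AVAILABLE = unchecked((int)0x8010002E);
    [DllImport("winscard.dll")]
    public static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode, EntryPoint = "SCardListReadersW")]
    public static extern int SCardListReaders(IntPtr ctx, string groups, byte[] readers, ref uint chars);
    [DllImport("winscard.dll")]
    public static extern int SCardReleaseContext(IntPtr ctx);
}
"@
}

function Get-PcscReaders {
    $ctx = [IntPtr]::Zero
    $rc = [WinSCard]::SCardEstablishContext([WinSCard]::SCARD_SCOPE_SYSTEM, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)
    if ($rc -eq [WinSCard]::SCARD_E_NO_SERVICE) { throw 'The Smart Card service (SCardSvr) is not running' }
    if ($rc -ne 0) { throw ('SCardEstablishContext failed: 0x{0:X8}' -f $rc) }
    try {
        # First call sizes the buffer; the count is in UTF-16 characters, trailing nulls included.
        [uint32]$chars = 0
        $rc = [WinSCard]::SCardListReaders($ctx, $null, $null, [ref]$chars)
        if ($rc -eq [WinSCard]::SCARD_E_NO_READERS_AVAILABLE) { return @() }
        if ($rc -ne 0) { throw ('SCardListReaders failed: 0x{0:X8}' -f $rc) }
        $buf = New-Object byte[] ([int]$chars * 2)
        $rc = [WinSCard]::SCardListReaders($ctx, $null, $buf, [ref]$chars)
        if ($rc -ne 0) { throw ('SCardListReaders failed: 0x{0:X8}' -f $rc) }
        # The result is a double-null-terminated list of reader names.
        $multi = [Text.Encoding]::Unicode.GetString($buf, 0, [int]$chars * 2)
        return @($multi.Split([char]0) | Where-Object { $_ -ne '' })
    } finally {
        [void][WinSCard]::SCardReleaseContext($ctx)
    }
}

function Get-EnterpriseCAs {
    # Enterprise CAs register a pKIEnrollmentService object in the forest's
    # Configuration partition; this is how domain members locate them.
    # Stand-alone and third-party CAs do not appear here.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    foreach ($ca in ([ADSI]$path).Children) {
        [pscustomobject]@{ Name = [string]$ca.cn; Host = [string]$ca.dNSHostName }
    }
}

function Test-Eku([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert, [string]$oid) {
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) { if ($eku.Value -eq $oid) { return $true } }
        }
    }
    return $false
}

# Microsoft EKU OIDs: Certificate Request Agent (the Enrollment Agent certificate
# the enrollment station operator needs) and Smart Card Logon.
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'
$SmartCardLogonEku  = '1.3.6.1.4.1.311.20.2.2'

$userCerts = @(Get-ChildItem Cert:\CurrentUser\My)
$report = [ordered]@{
    Readers         = @(Get-PcscReaders)
    EnterpriseCAs   = @(Get-EnterpriseCAs)
    EnrollmentAgent = @($userCerts | Where-Object { Test-Eku $_ $EnrollmentAgentEku })
    SmartCardLogon  = @($userCerts | Where-Object { Test-Eku $_ $SmartCardLogonEku })
}

$caList = ($report.EnterpriseCAs | ForEach-Object { '{0} on {1}' -f $_.Name, $_.Host }) -join ', '
"PC/SC readers:          $($report.Readers -join ', ')"
"Enterprise CAs:         $caList"
"Enrollment Agent certs: $($report.EnrollmentAgent.Count) for the current user"
"Smart Card Logon certs: $($report.SmartCardLogon.Count) for the current user"
if ($report.Readers.Count -eq 0)       { Write-Warning 'No PC/SC reader is visible to the Smart Card service on this computer.' }
if ($report.EnterpriseCAs.Count -eq 0) { Write-Warning 'No enterprise CA found; smart card logon to the domain cannot be supported.' }
```

Run it as the intended enrollment station operator on the enrollment station: the reader list answers the PC/SC question for that computer, the CA list answers the enterprise CA requirement for the forest, and a zero Enrollment Agent count means the operator still has to be issued that certificate before enrolling users.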
Smart cards can be combined with employee card keys and identification badges to support multiple uses per card.
The overall cost of administering the smart card program depends on several factors, including:
Your network security deployment plan needs to describe the network logon and authentication methods you use. Include the following information in your security plan: