Microsoft’s Implementation of Smart Cards for Remote Access - PowerPoint PPT Presentation

Microsoft’s Implementation of Smart Cards for Remote Access

Published January 2002

• Solution Overview
• Products & Technology
• Smart Card Features
• Business Benefits
• Architecture
• Deployment
• Challenges
• Future Plans
• Lessons Learned
• Summary

Situation

?

• Enterprises that allow for remote access to network assets are becoming increasingly vulnerable to hackers and malicious intruders.

ü

Solution

• Using the existing Microsoft® Windows® 2000 Server infrastructure, enterprises can employ Smart Cards to substantially increase the strength of their network security. In addition, the extensible Smart Card platform allows IT organizations to leverage the investment in Smart Cards for many other applications to strengthen security and add convenience to their employees.

Benefits

!

• Strengthens security
• Flexible
• Simple
• Leverages existing server infrastructure

• Windows 2000 Server, Windows 2000, the Active Directory™ directory service, Certificate Services
• Smart Cards

“The use of Smart Cards will significantly increase the security of our corporate network by improving our ability to authenticate each employee and business partner as they remotely connect to Microsoft.”

Greg Wood, General Manager, Corporate Security, Microsoft Corporation

• Microsoft’s Information Technology Group
• Manages RAS security risks
• 50,000 employees, contingent staff & vendors using RAS
• 400 locations worldwide
• Addressing authentication
• Valid username and associated password
• Two-factor authentication
• Something you have (the Smart Card) as well as something you know (the card’s Personal Identification Number, or PIN)
• Home computer vulnerabilities
• Viruses, Trojan horse applications, computer worms
• Always-on, broadband Internet access heightens exposure
• Smart Cards were chosen over alternative technology solutions due to reliability, cost, features, and mobility

• Tamper resistant
• Requires a Smart Card reader
• PIN
• Takes advantage of technologies in Microsoft’s Windows 2000 Server infrastructure
• Certificate Services feature
• Public Key Infrastructure (PKI) security
• Cryptographic Service Provider (CSP),
• Extensible Authentication Protocol/Transport Layer Security (EAP/TLS)
• Current user interface
• View Smart Card contents, reset the PIN, and add personal data
• Future user interface
• Add new certificates for different applications for added functionality

“One thing we’ve seen as a potential benefit at Microsoft is password consolidation and storage. For the most part we’ve got a fairly robust single sign-on approach in our environment but a lot of enterprise customers don’t. They find it attractive to use the Smart Card and the Personal Identification Number (PIN) that unlocks the Smart Card as their one password.”

Pete Boden, Group Program Manager, ITG Smart Card Project, Microsoft Corporation

• Smart Cards offer two-factor authentication
• Lost Smart Cards are easily rendered invalid by revoking the network logon certificate
• Intruder would need the PIN to unlock access to a valid Smart Card
• Extensible, open platform and secured memory contents provide potential future development benefits
• Personal payment systems, data storage, and data ported between applications

• Replacement photo ID building access badges for all employees
• Includes embedded 32 KB cryptographic processor Smart Card chip
• Client computer requirements
• Windows XP Professional
• Smart Card reader with appropriate port connector
• Antivirus application
• Additional client-side software
• Several OEM-based Smart Card client features in Windows XP Professional
• Preconfigured version of Connection Manager standardizes all Smart Card security configuration settings upon installation
• Future development
• Extending Connection Manager scripts to check overall security of RAS client PC
• Server-side changes
• Logon certificates on the Smart Card and in the Active Directory are issued by Windows 2000 Server Certificate Services feature using PKI technology

• Acquired 32 KB Crypto processor Smart Card chip embedded in standard RFID cardkeys
• Centralized card management team formed
• Issuance, card distribution management, second tier end-user support
• Smart Card security officers distributed new Smart Cards
• Verification of identity
• Exchanged old building access badges for new Smart Card badges
• User required to change initial PIN prior to remotely logging onto the network
• PIN required to be alphanumeric, 5 - 15 characters in length
• Used PKI infrastructure to create logon certificates, delivered through Windows 2000 Server’s Certificate Services
• Delegated solution for regional distribution and administrative responsibilities to minimize cost
• Authorized to distribute replacement cards after acquiring Redmond Security team approval
• Supplied with pre-build Smart Cards whose unique serial numbers were carefully tracked

• Mobile users
• PDA users cannot gain RAS access (no support for the EAP/TLS protocol)
• Device issues
• Home users using Macintosh, UNIX, and Linux computers cannot gain RAS access (no support for the EAP/TLS protocol)
• Home computers
• Home systems not upgrading to the Smart Card solution can use the HTTPS secure alternative to access essential data via OWA
• Integrated Services Digital Network (ISDN)
• ISDN channel bonding is not supported, forcing potentially significant reduction in user ISDN performance
• Product selection
• Smart Card models are evolving quickly, so enterprise-wide standardization on one model may be challenging

• Smart Card industry still maturing
• Interoperability problems with various business systems
• Likely consolidation in the next 12-24 months
• Expect improved product standards, including plug-and-play compatibility and greater integration with Windows platform
• Better management of accounts with elevated privileges
• Installed mapped certificate to minimize compromise and improve audit trail
• Portable digital signatures
• Expanding applications support
• Signing stock grants, securing financial/HR data, signing source code, etc.

• Planning
• Understand Smart Card capabilities
• Set deployment goals
• Anticipate where Smart Card benefits can save money and time
• Anticipate changes in technology over the next 12-24 months
• Ensure staff is well trained in PKI
• Deployment considerations
• Not a solution to cover 100% of user population
• Understand impact to non-standard clients and devices
• Initial logon performance penalty adds ~30 seconds to logon process
• Increased network security benefits far outweigh logon delay

• New focus on Security for corporations and governments
• Microsoft sought to implement a two-factor authentication security solution
• Smart Card technology offered several advantages over competing two-factor security technologies
• Not burdensome for users to employ
• Takes advantage of existing Windows 2000 Server PKI infrastructure
• Provides ITG with an extensible platform for future internal application development

• Additional IT Showcase white papers, case studies and presentations on ITG deployments and best practices can be found on http://www.microsoft.com
• Microsoft’s TechNet http://www.microsoft.com/technet/itshowcase

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is provided for informational purposes only.

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Ó2002Microsoft Corporation. All rights reserved.

Microsoft, Outlook, Where do you want to go today?, Windows, Windows NT, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.