
Microsoft’s Implementation of Smart Cards for Remote Access Published January 2002




Agenda
- Solution Overview
- Products & Technology
- Smart Card Features
- Business Benefits
- Architecture
- Deployment
- Challenges
- Future Plans
- Lessons Learned
- Summary


Solution Overview

Situation
Enterprises that allow for remote access to network assets are becoming increasingly vulnerable to hackers and malicious intruders.

Solution
Using the existing Microsoft® Windows® 2000 Server infrastructure, enterprises can employ Smart Cards to substantially increase the strength of their network security. In addition, the extensible Smart Card platform allows IT organizations to leverage the investment in Smart Cards for many other applications to strengthen security and add convenience to their employees.

Benefits
- Strengthens security
- Flexible
- Simple
- Leverages existing server infrastructure


Products & Technologies
- Windows 2000 Server, Windows 2000, the Active Directory™ directory service, Certificate Services
- Smart Cards

“The use of Smart Cards will significantly increase the security of our corporate network by improving our ability to authenticate each employee and business partner as they remotely connect to Microsoft.”

Greg Wood, General Manager, Corporate Security, Microsoft Corporation


Remote Access Services (RAS) at Microsoft
- Microsoft’s Information Technology Group
  - Manages RAS security risks
  - 50,000 employees, contingent staff & vendors using RAS
  - 400 locations worldwide
- Addressing authentication
  - Valid username and associated password
  - Two-factor authentication: something you have (the Smart Card) as well as something you know (the card’s Personal Identification Number, or PIN)
- Home computer vulnerabilities
  - Viruses, Trojan horse applications, computer worms
  - Always-on, broadband Internet access heightens exposure
- Smart Cards were chosen over alternative technology solutions due to reliability, cost, features, and mobility


Smart Card Features
- Tamper resistant
- Requires a Smart Card reader
- PIN
- Takes advantage of technologies in Microsoft’s Windows 2000 Server infrastructure
  - Certificate Services feature
  - Public Key Infrastructure (PKI) security
  - Cryptographic Service Provider (CSP), Extensible Authentication Protocol/Transport Layer Security (EAP/TLS)
- Current user interface: view Smart Card contents, reset the PIN, and add personal data
- Future user interface: add new certificates for different applications for added functionality


Smart Card Business Benefits
- Smart Cards offer two-factor authentication
- Lost Smart Cards are easily rendered invalid by revoking the network logon certificate
- Intruder would need the PIN to unlock access to a valid Smart Card
- Extensible, open platform and secured memory contents provide potential future development benefits
  - Personal payment systems, data storage, and data ported between applications

“One thing we’ve seen as a potential benefit at Microsoft is password consolidation and storage. For the most part we’ve got a fairly robust single sign-on approach in our environment but a lot of enterprise customers don’t. They find it attractive to use the Smart Card and the Personal Identification Number (PIN) that unlocks the Smart Card as their one password.”

Pete Boden, Group Program Manager, ITG Smart Card Project, Microsoft Corporation


Architecture
- Replacement photo ID building access badges for all employees
  - Includes embedded 32 KB cryptographic processor Smart Card chip
- Client computer requirements
  - Windows XP Professional
  - Smart Card reader with appropriate port connector
  - Antivirus application
  - Additional client-side software
    - Several OEM-based Smart Card client features in Windows XP Professional
    - Preconfigured version of Connection Manager standardizes all Smart Card security configuration settings upon installation
- Future development
  - Extending Connection Manager scripts to check overall security of RAS client PC
- Server-side changes
  - Logon certificates on the Smart Card and in the Active Directory are issued by Windows 2000 Server Certificate Services feature using PKI technology


Deployment
- Acquired 32 KB crypto processor Smart Card chip embedded in standard RFID cardkeys
- Centralized card management team formed
  - Issuance, card distribution management, second tier end-user support
- Smart Card security officers distributed new Smart Cards
  - Verification of identity
  - Exchanged old building access badges for new Smart Card badges
  - User required to change initial PIN prior to remotely logging onto the network
  - PIN required to be alphanumeric, 5 - 15 characters in length
- Used PKI infrastructure to create logon certificates, delivered through Windows 2000 Server’s Certificate Services
- Delegated solution for regional distribution and administrative responsibilities to minimize cost
  - Authorized to distribute replacement cards after acquiring Redmond Security team approval
  - Supplied with pre-built Smart Cards whose unique serial numbers were carefully tracked
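The issuance and remote-logon rules on this slide (tracked serial numbers, forced change of the initial PIN, the alphanumeric 5-15 character PIN policy) together with the lost-card revocation point from the Business Benefits slide, modelled as an added Python example; this is not code from the deck or from Microsoft's deployment, and the registry, card serials, holder names and PINs are constructed placeholders.

```python
"""Added example, not from the Microsoft deck: a toy registry that applies the
issuance and remote-logon rules the slides describe. Serials, names and PINs
below are constructed sample values, not real identifiers."""
import re
from dataclasses import dataclass, field

# PIN policy from the Deployment slide: alphanumeric, 5 to 15 characters.
PIN_RE = re.compile(r"[A-Za-z0-9]{5,15}")


def pin_is_valid(pin: str) -> bool:
    """True if the PIN meets the alphanumeric, 5-15 character rule."""
    return PIN_RE.fullmatch(pin) is not None


@dataclass
class Card:
    serial: str                 # unique serial tracked by the card management team
    holder: str
    pin: str                    # initial PIN set at issuance
    pin_changed: bool = False   # must be changed before the first remote logon
    cert_revoked: bool = False  # logon certificate revoked when the card is lost


@dataclass
class CardRegistry:
    cards: dict = field(default_factory=dict)

    def issue(self, serial: str, holder: str, initial_pin: str) -> None:
        if serial in self.cards:
            raise ValueError("serial already issued")
        self.cards[serial] = Card(serial, holder, initial_pin)

    def change_pin(self, serial: str, old_pin: str, new_pin: str) -> bool:
        """Accept only if the old PIN matches and the new one meets policy and differs."""
        card = self.cards[serial]
        if card.pin != old_pin or not pin_is_valid(new_pin) or new_pin == card.pin:
            return False
        card.pin, card.pin_changed = new_pin, True
        return True

    def report_lost(self, serial: str) -> None:
        # A lost card is invalidated by revoking its network logon certificate.
        self.cards[serial].cert_revoked = True

    def remote_logon(self, serial: str, pin: str) -> str:
        """Two-factor check: something you have (a non-revoked card) and something you know (its PIN)."""
        card = self.cards.get(serial)
        if card is None or card.cert_revoked:
            return "denied: card unknown or certificate revoked"
        if not card.pin_changed:
            return "denied: initial PIN must be changed first"
        if card.pin != pin:
            return "denied: wrong PIN"
        return "granted"
```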


Challenges
- Mobile users
  - PDA users cannot gain RAS access (no support for the EAP/TLS protocol)
- Device issues
  - Home users using Macintosh, UNIX, and Linux computers cannot gain RAS access (no support for the EAP/TLS protocol)
- Home computers
  - Home systems not upgrading to the Smart Card solution can use the HTTPS secure alternative to access essential data via OWA
- Integrated Services Digital Network (ISDN)
  - ISDN channel bonding is not supported, forcing potentially significant reduction in user ISDN performance
- Product selection
  - Smart Card models are evolving quickly, so enterprise-wide standardization on one model may be challenging


Future Plans
- Smart Card industry still maturing
  - Interoperability problems with various business systems
  - Likely consolidation in the next 12-24 months
  - Expect improved product standards, including plug-and-play compatibility and greater integration with Windows platform
- Better management of accounts with elevated privileges
  - Installed mapped certificate to minimize compromise and improve audit trail
- Portable digital signatures
- Expanding applications support
  - Signing stock grants, securing financial/HR data, signing source code, etc.


Lessons Learned
- Planning
  - Understand Smart Card capabilities
  - Set deployment goals
  - Anticipate where Smart Card benefits can save money and time
  - Anticipate changes in technology over the next 12-24 months
  - Ensure staff is well trained in PKI
- Deployment considerations
  - Not a solution to cover 100% of user population
  - Understand impact to non-standard clients and devices
  - Initial logon performance penalty adds ~30 seconds to logon process
  - Increased network security benefits far outweigh logon delay


Summary
- New focus on Security for corporations and governments
- Microsoft sought to implement a two-factor authentication security solution
- Smart Card technology offered several advantages over competing two-factor security technologies
  - Not burdensome for users to employ
  - Takes advantage of existing Windows 2000 Server PKI infrastructure
  - Provides ITG with an extensible platform for future internal application development


For More Information

Additional IT Showcase white papers, case studies and presentations on ITG deployments and best practices can be found on http://www.microsoft.com

Microsoft’s TechNet: http://www.microsoft.com/technet/itshowcase


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

2002 Microsoft Corporation. All rights reserved.

Microsoft, Outlook, Where do you want to go today?, Windows, Windows NT, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.