Monday, July 2, 2012

Password=Bad, Smartcards=Good

I often talk about authentication and passwords, particularly the difficulty of managing a secret that end users tend to forget, or write on Post-it notes stuck to their monitors.

Actually, I'm not too concerned about people writing down their password; that is a personal liability issue, and I believe users are adult enough to take responsibility for their own accounts.

I am much more concerned about remote compromise, and one way this occurs is via keyloggers and other malware that capture the password as it is typed.

So how do I mitigate that risk? With a smartcard. The private key never leaves the card, and the PIN only unlocks that key locally, so a keylogger that captures the PIN has captured nothing it can replay from another machine without physical possession of the card.

I am aware that the smartcard answer is not complete, because of applications that don't support Single Sign On (SSO). Kerberos is my friend for the most part, but there are MANY applications that don't share that friendship. Managing passwords for those applications, as opposed to interactive logon, is something I will cover in future guides.

I once had a customer who wanted to stop his users from having to remember the complex passwords we had implemented. I advised him that at his scale, about 15 users, a two-factor authentication system might not be a solution.

Like many SMB consultants, my concerns were about cost and my ability to execute.

Back then I didn’t know what I didn’t know:

§  I was nervous about the expense of cards and readers

§  I was nervous about card management system expense and complexity

§  I was nervous about integrating the smartcard solution with SCO UNIX and an application they ran through a terminal emulator. (Still "nervous" about UNIX integration, but only because I have not discovered how to do that. Perhaps another guide coming there.)

My point is I didn't know how to execute, and I let go of that business.

So here is one solution to the authentication problem; I think solving the other problem with a Single Sign On solution would be job done.

Lab Environment

I have chosen Small Business Server 2011 Standard Edition, partly because the client had that solution and partly because this will be a series where I build on the solution as the customer grows up the complexity stack.

Of course I love Small Business Server, partly because it is a little ingrained in the heritage of where my business came from, but also because it bundles:

§  Windows Server 2008 R2

§  Active Directory

§  DHCP

§  DNS

§  Group Policy

§  Certificate Services <-- really important here

§  Exchange Server 2010

§  SharePoint Foundation

I'm running it all on Hyper-V 2012 RC1.

Really all the fun stuff :)

Let’s Start

Install Small Business Server 2011 Standard Edition

OR

Enterprise guys ... install Windows Server 2008 R2 and add Active Directory Domain Services and Active Directory Certificate Services, making the CA an Enterprise CA. An Enterprise (AD-integrated) CA is required here: certificate templates, and the automatic publishing of the CA certificate to the NTAuth store that smart card logon depends on, only exist for Enterprise CAs.

Note: SBS is based on the Standard Edition of Windows Server, so yes, this works on Standard Edition Certificate Services. The CA that SBS setup installs is an Enterprise Root CA, which is why the templates below are available without further work.

Add Features to the SBS 2011 Standard Edition Certification Authority

·         Open Control Panel

·         Open Programs

·         Click Turn Windows features on or off (this opens Server Manager)

·         Expand Roles

·         Click Add Role Services

·         Select Certification Authority Web Enrollment

·         Click Next

·         Click Install

·         Confirm the installation succeeded

·         Click Close

Web Enrollment gives you a browser-based request page. The enrollment steps that follow all use the Certificates MMC snap-in, so it is a convenience rather than a requirement for smartcard issuance.

Issue Certificate Templates

·         Run Certification Authority from Administrative Tools

·         Select Action > New > Certificate Template to Issue

·         Select Enrollment Agent and Smartcard User

·         Click OK

·         Confirm both templates are available for issue

Both are built-in version 1 templates, so they publish on a Standard Edition CA as-is. Be aware of what the Enrollment Agent template grants: whoever holds an Enrollment Agent certificate can request a logon certificate on behalf of any user, domain administrators included. Keep the template's Enroll permission to the people who will actually issue cards, and use the Enrollment Agents tab in the CA's Properties to restrict which agents may enroll for which templates and which users.
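The same CA-side steps from an elevated PowerShell prompt on the CA, with the checks the GUI does not make for you. This is an added example, not part of the original post; it assumes the default template short names (EnrollmentAgent, SmartcardUser) and a CA whose certificate has been installed normally.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the SBS 2011 / Windows Server 2008 R2 CA.
$ErrorActionPreference = 'Stop'

# 1. Certificate templates, and automatic publishing of the CA certificate to
#    NTAuth, only exist on an Enterprise (AD-integrated) CA.
$caType = (certutil -cainfo type) -join ' '
if ($caType -notmatch 'Enterprise') {
    throw "Not an Enterprise CA; smart card logon templates cannot be published. $caType"
}

# 2. Publish the two built-in v1 templates ('+' adds to the CA's list, '-' removes).
#    Template short names are assumed to be the defaults.
certutil -SetCATemplates +EnrollmentAgent +SmartcardUser | Out-Null

# 3. Confirm both now show as available for issue.
$published = certutil -CATemplates
foreach ($name in 'EnrollmentAgent', 'SmartcardUser') {
    if (-not ($published -match "^$name\b")) {
        throw "Template $name is not published on this CA"
    }
}

# 4. The issuing CA's certificate must be in the enterprise NTAuth store, or the
#    domain controller rejects every smart card logon as coming from an untrusted CA.
$caName = ((certutil -cainfo name) -join ' ') -replace '^.*CA name:\s*', '' -replace '\s*CertUtil:.*$', ''
$ntauth = (certutil -enterprise -store NTAuth) -join "`n"
if ($ntauth -notmatch [regex]::Escape($caName)) {
    throw "CA '$caName' is not in NTAuth (certutil -dspublish -f <ca.cer> NTAuthCA adds it)"
}

# 5. Every DC needs a Domain Controller (or Kerberos Authentication) certificate
#    for the Kerberos PKINIT exchange behind smart card logon. This lists each
#    DC's certificates and verifies them; inspect the output for any DC that fails.
certutil -dcinfo $env:USERDNSDOMAIN verify
```

If step 5 shows a DC without a valid certificate, enrol one from the Domain Controller or Kerberos Authentication template on that DC (certutil -pulse triggers autoenrollment if you have Group Policy autoenrollment turned on); smart card logon will fail against that DC until it has one.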

Issue Enrollment Agent Certificate to the Card Issuing Computer

·         Open MMC and add the Certificates snap-in

·         Choose My user account

·         Choose Personal under Certificates – Current User

·         Click Action > All Tasks > Request New Certificate

·         Click Next

·         Click Next

·         Select Enrollment Agent

·         Click Properties

·         Select the Private Key tab

·         Select Microsoft Base Cryptographic Provider 1.0

·         Click Apply

·         Click OK

·         Click Enroll

·         Observe STATUS: Succeeded

·         Click Finish

·         Observe a certificate is created

With Microsoft Base Cryptographic Provider 1.0 selected, the Enrollment Agent private key is stored in the issuing user's profile on this computer. That makes the computer and that user account as sensitive as the CA itself, since anyone who can use the key can mint logon certificates for any user. Use a dedicated, locked-down workstation and account for issuance, and consider enrolling the Enrollment Agent certificate onto a smartcard of its own (select the Microsoft Base Smart Card Crypto Provider here instead) so the agent key is hardware-bound too.

Issue a Smartcard

·         Click Action > Advanced Operations > Enroll On Behalf Of

·         Click Next

·         Click Browse

·         Select the Enrollment Agent certificate created previously

·         Click OK

·         Click Next

·         Select Smartcard User

·         Click Properties

·         Deselect Microsoft Strong Cryptographic Provider

·         Select Microsoft Base Smart Card Crypto Provider

·         Click Apply

·         Click OK

·         Click Next

·         Enter the user name (including domain)

·         Click Enroll

·         Insert the smartcard when prompted

See, here is one of mine :)

·         Enter the smartcard's PIN

·         Observe STATUS: Succeeded

·         Click Next User or Close

Selecting the Microsoft Base Smart Card Crypto Provider is the step that matters: the key pair is generated on the card, so the private key never exists on the issuing computer. That CSP only sees cards for which a minidriver is installed, so if the card does not appear at the Insert step, install the vendor's minidriver first.
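The wizard's Succeeded status only says the CA issued a certificate; it does not say that certificate will log the user on. The following PowerShell, an added example that is not part of the original post, runs on the issuing computer (or any domain-joined PC) with the new card inserted and checks the things interactive smart card logon actually depends on. It assumes the card's certificates have been propagated into the user's personal store, which the Certificate Propagation service does on card insertion; the function name is my own.

```powershell
# Added example (not from the original post). Run as the issuing user with the
# card inserted. PowerShell may prompt for the card PIN when it opens the key.
$ErrorActionPreference = 'Stop'
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # szOID_KP_SMARTCARD_LOGON
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth

function Test-SmartcardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Enhanced Key Usage: the Smartcard User template adds Smart Card Logon and
    # Client Authentication; the DC requires the first at logon.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekus -notcontains $OidSmartCardLogon) { $problems += 'missing Smart Card Logon EKU' }
    if ($ekus -notcontains $OidClientAuth)     { $problems += 'missing Client Authentication EKU' }

    # The UPN in the Subject Alternative Name is what the DC maps to an AD account,
    # so it must exist and match a real userPrincipalName.
    $upn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    if (-not $upn) {
        $problems += 'no UPN in Subject Alternative Name'
    } else {
        $account = ([adsisearcher]"(userPrincipalName=$upn)").FindOne()
        if (-not $account) { $problems += "UPN $upn matches no AD account" }
    }

    # The DC builds the chain and checks revocation at logon; find out now if the
    # CRL distribution point is unreachable from the network.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $status = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
        $problems += ('chain/revocation: ' + ($status -join '; '))
    }

    # The private key should live on the card, not in a software CSP on disk.
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key associated'
    } else {
        $info = $null
        try { if ($Cert.PrivateKey) { $info = $Cert.PrivateKey.CspKeyContainerInfo } } catch { }
        if ($info -and -not $info.HardwareDevice) {
            $problems += "key is not on hardware (provider: $($info.ProviderName))"
        }
    }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        UPN        = $upn
        Thumbprint = $Cert.Thumbprint
        Problems   = $problems
        LogonReady = ($problems.Count -eq 0)
    }
}

# Check every certificate in the user store that has a private key.
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-SmartcardLogonCert -Cert $_ } |
    Format-List Subject, UPN, LogonReady, Problems
```

Two quick cross-checks from the same prompt: certutil -scinfo dumps what the card reader sees directly from the card, and runas /smartcard /user:DOMAIN\user cmd.exe performs a real smart card logon against a DC without logging the current session out.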

It is possible to put more than one certificate on a given card; each certificate carries its own UPN, so the logon screen offers one tile per account.

I have issued two certs to this card so I can separate administrative rights.

For fun I wanted to test how many certificates would fit on a card I had lying about.

The answer was 8, but more importantly the card took a LONG time to load up the certificates compared to a card with only one or two, so this would heavily impact user experience.

A use for a card like this would be display screens for marketing, network monitoring or other logged-on but unattended applications.

Next Steps

Now you have a simple way to let all your users log on with a smartcard. Things I will cover later are PIN unblock and the card management features provided by the card vendor Gemalto; tools from other vendors would work too, and I'll link to them as I find them.

 

2 comments:

  1. I am only commenting to let you know of the outstanding experience our girl encountered reading the blog.
    She noticed many pieces, which included how like to possess an incredible
    giving nature to get certain individuals really easily learn certain
    complex things. You certainly exceeded visitors’ desires.
    I appreciate you for rendering the important, healthy, informative as well
    as easy suggestions about the topic.
