Planning a Smart Card Deployment


Chapter 17: Planning a Smart Card Deployment

Smart card support in Microsoft Windows Server 2003 enables you to enhance the security of many critical functions in your organization, including client authentication, interactive logon, and document signing. If you are using or planning to use public key certificates, deploy smart cards to increase security for your network and critical applications.

In This Chapter
Overview of Smart Card Deployment
Creating a Plan for Smart Card Use
Selecting Smart Card Hardware
Creating a Smart Card Deployment Plan
Planning for Ongoing Smart Card Support
Additional Resources

Related Information
For more information about creating a public key infrastructure, see Designing a Public Key Infrastructure in this book.
For more information about Windows Server 2003 Certificate Services and public key infrastructure features, see the Distributed Services Guide of the Microsoft Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at

Overview of Smart Card Deployment

Most organizations use passwords to manage access to computer networks and resources. However, some users set weak passwords, write passwords down in insecure locations, or forget their passwords and require help desk assistance for password reset. For this reason, passwords alone might not provide the level of security and manageability that your organization requires.

Smart card support in the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems provides users with stronger credentials than even the most complex passwords, because a smart card logon requires both possession of the card and knowledge of its PIN. If you use, manage, and deploy smart cards properly, you can enhance the security of your organization and reduce your support costs.

Smart cards offer the following benefits:

Protection. Smart cards provide tamper-resistant storage for private keys and other data. If a smart card is lost or stolen, it is difficult for anyone except the intended user to use the credentials that it stores, because the card requires its PIN and blocks itself after a limited number of incorrect entries (see Defining Smart Card Service Level Requirements later in this chapter).

Isolation. Cryptographic operations are performed on the smart card itself rather than on the client or on a network server. This isolates security-sensitive data and processes from other parts of the system: the private key never leaves the card, so malicious software on the client can at most use the key while the card is inserted and unlocked; it cannot copy the key.

Portability. Credentials and other private information stored on smart cards can easily be transported between computers at work, home, or other remote locations.

The number and variety of smart card enabled applications is growing to meet the needs of organizations that want to rely on smart cards to enable secure authentication and to facilitate services. Before you can deploy smart cards in your organization, you must have a public key infrastructure (PKI) in place. Next, you need to identify the applications to enable for use with smart cards, and plan how to implement and support a smart card infrastructure, before you can take advantage of the security benefits of smart cards.

Note: For a list of the job aids that are available to assist you in deploying smart cards, see Additional Resources later in this chapter.

Process for Planning a Smart Card Deployment

Planning a smart card deployment involves making decisions about technical standards, hardware purchases, smart card management, and the logistics of smart card distribution. Figure 17.1 shows the process for planning a smart card deployment.

Figure 17.1 Planning a Smart Card Deployment (flowchart: Create a plan for smart card use; Select smart card hardware; Create a smart card deployment plan; Plan for ongoing smart card support)

Smart Card Fundamentals

Windows Server 2003 supports a variety of secure smart card applications and business scenarios. Before you begin to plan your smart card deployment, it is important to understand the basic components of smart card technology.

Components of a Smart Card Infrastructure

A number of hardware and software components are required in order to support a smart card infrastructure.

Certificates. Digital data that securely binds a public key to the entity that holds the corresponding private key.

Certification authorities. Trusted entities or services that issue digital certificates.

Active Directory. The Windows Server 2003 directory service that serves as a repository for account information, primarily user credentials, security group memberships, and certificate templates. You can also use the Active Directory directory service to store certificates, certificate revocation lists (CRLs), and delta CRLs, and to publish root certification authority (CA) certificates and cross-certificates.

Smart cards. Hardware tokens containing integrated processors and memory chips that can be used to store certificates and private keys and to perform public key cryptography operations, such as authentication, digital signing, and key exchange.

Smart card readers. Devices that connect a smart card to a computer. Smart card readers are also used to write certificates to the smart card.

Smart card software. The software provided by the smart card vendor to manage smart cards. In some cases, organizations might choose to create their own software tools if customized functionality is required.

Creating a Plan for Smart Card Use

Before deploying smart cards in your organization, you must determine which processes, users, and groups of users require smart cards. Figure 17.2 shows the process for creating a plan for smart card use in your organization.

Figure 17.2 Creating a Plan for Smart Card Use (flowchart: Create a plan for smart card use, which includes Identify processes that require smart cards and Define smart card service level requirements; Select smart card hardware; Create a smart card deployment plan; Plan for ongoing smart card support)

Identifying the Processes That Require Smart Cards

A smart card deployment can help your organization meet numerous sensitive business requirements. You can use smart cards for any or all of the following processes:

Interactive user logons, including remote access connections to the network
Administrator logons
Third-party authentication across the Internet
Signing and encrypting

Evaluate the additional equipment and administrative costs, procedures, and changes to user work patterns that each smart card enabled process requires. Ensure that the benefits of deploying smart cards for each process outweigh the costs from hardware, administration, and potential user difficulties.

For a worksheet to assist you in documenting the processes in your organization that require smart cards, see User and Group Smart Card Requirements (DSSSMC_1.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see User and Group Smart Card Requirements on the Web at

Interactive User Logons

Use smart cards for interactive user logons if you want to enforce the use of strong, certificate-based logon credentials. If you require users to log on by using smart cards, you do not have to worry about the quality and security of user passwords. Note that this holds only for accounts that are configured to require a smart card for interactive logon; an account that can still log on with a password remains exposed to password guessing. Requiring smart cards for interactive user logons requires additional network administration for smart card distribution and support. This is problematic for organizations that are spread across different geographic locations and that do not have network or physical security personnel in each location to administer and support smart cards.

You can also use smart cards for remote access logons, and for Terminal Services and shared client logons.

Remote Access Logons

Local interactive logons require that users have both physical access to a computer that is a member of the organization's network and a network password. Remote users, however, can log on from any computer outside the organization. If a malicious user obtains the password of a remote user, he or she can use it to access network resources from any computer. For this reason, conventional password-based remote access logons are more vulnerable to attack than local interactive logons.

You can secure the remote access process by requiring users to use smart cards when they connect to the corporate network by means of remote access logon. This solution prevents attackers from using remote access dial-up or Internet connections to compromise the network, even if they have physical access to laptops or home computers, because they would also need the user's smart card and PIN. One problem with requiring the use of smart cards for remote access logons is that remote users often own computer hardware and software that does not conform to minimum corporate standards and, therefore, might not support smart card use. This complicates the process of administering and supporting smart cards for remote access logons. Also, users might experience longer logon times when they use smart cards, especially over slow dial-up connections.

Terminal Services and Shared Clients

If your organization is deploying Terminal Services, consider using smart cards for kiosk computers that are shared by multiple users. This can improve security in environments in which multiple users share a single computer terminal, relocate frequently, and do not use the conventional logoff procedure every time they move away from the terminal; Windows can be configured to lock the workstation or log the user off when the smart card is removed. This is often the case in hospitals, factories, or other businesses.

Note: Smart card logons require Microsoft Windows XP or Windows Server 2003 Terminal Services clients, even on computers running Microsoft Windows

Providing smart card support for kiosks or Terminal Services clients that are in critical locations in your organization and are shared by several users is less costly than providing smart card support for all interactive user logons, because you do not need to purchase and deploy a large number of smart card readers. For more information about deploying Windows Server 2003 Terminal Services, see Hosting Applications with Terminal Server in Planning Server Deployments in this kit.

Administrator Logons

There is greater potential for harm to the network when administrator credentials, as opposed to user credentials, are misused. As a result, preventing unauthorized users from using administrative credentials to access the network is an important security priority for most organizations. Another vulnerability is introduced when you allow people to perform network administration tasks by using generic administrator accounts that are shared by multiple users; this limits the ability of the organization to track which user performed a specific action. Allowing administrators to log on by using administrative credentials when they are not performing administrative tasks also creates a significant security risk, because attackers who compromise an administrator's account or session can do a greater amount of damage to the system.

By requiring individuals to use smart cards to perform administrative tasks, you can significantly reduce the possibility that unauthorized users can gain administrative access to your network. You can use smart cards for administrator logons in the following two ways:

By using smart cards for individual administrative operations.
By using smart cards for an administrative shell.

In most cases, the best solution is to use a combination of these two strategies. For example, you can require that all administrators use smart cards to access data center servers. If the administrator is using a Windows 2000 or Windows XP client, he or she can use a smart card and administrative credentials to open a Terminal Services client session in order to log on to the data center servers.

Important: It is not possible to use multiple credentials stored on a single smart card. Therefore, administrators who have more than one domain account require a smart card for each account.

Using Smart Cards for Individual Administrative Operations

When you use smart cards for individual administrative operations, administrators log on by using their standard user credentials, and then use administrative credentials when they need to perform specific administrative operations. For example, you might require an administrator to log on by using a smart card in order to install Active Directory on a member server. The administrative credentials apply only to the specific operation, which limits their exposure and helps to protect the security of the system. An administrator can also use smart cards to perform individual administrative operations on target computers running versions of the Windows operating system earlier than Windows XP or Windows Server 2003, as long as they use a smart card to log on to a computer running Windows XP or Windows Server.

Not all administrative tools work with smart cards. Therefore, before you implement this solution, test it to ensure that you can perform the required administrative tasks and use the necessary administrative tools. If some of your required tools and tasks are incompatible with using smart cards, you must communicate to your administrators which tasks require smart cards and which must be completed by using password-based administrative credentials.

Using Smart Cards for an Administrative Shell

When you use smart cards for an administrative shell, administrators log on by using user credentials. Then, when the administrator needs to perform administrative operations, he or she logs on by using a smart card and administrative credentials to open a Terminal Services client session. The administrator then performs the required administrative operations within the administrative shell.

This approach simplifies the process of performing multiple sequential administrative operations during a single session. However, the server that has Terminal Server enabled must be running Windows Server. Although the Windows XP Terminal Services client can run on Windows 2000, the server-side support is only provided by Windows Server.

Authenticating Third Parties

Use smart cards for third-party authentication if you want to verify that queries, orders, or other communications originate from the appropriate individual or organization and that they conform to preestablished standards, such as purchase order limits. For example, banks that allow users to check their transaction histories or pay bills online, and distributors that accept purchase orders over the Internet, can benefit from using smart cards for third-party authentication. Deploying smart cards to third parties, however, requires careful administration. For example, you must ensure that attackers cannot obtain smart cards and guess the PIN to gain unauthorized access to the system; this means enforcing a PIN retry limit on the cards and promptly revoking the certificates of cards that are reported lost. Also, if the customer services that are based on smart card authentication are an important part of your business, you need to ensure that the services are always available. If you do not administer your third-party smart card authentication process effectively, it can have a negative impact on your Internet business transactions.

Signing and Encrypting

You can use smart cards to enable digital signing and the encryption of electronic communications such as e-mail messages or contracts. If you choose to deploy smart cards for digital signing, you need to determine the types of messages that require smart card validated digital signatures. Use smart cards for the digital signing of messages where it is important to verify the identity of the sender and that the message has not been tampered with while in transit. Digitally signing routine e-mail messages creates unnecessary network traffic and can slow down ordinary communication between users.

Note that when you use smart cards for the digital signing of sensitive documents, such as legal contracts or purchase orders, you must configure the certificate policies and extensions (for example, the key usage and application policy extensions) that control smart card certificate use. Depending on the types of documents that you want users to sign digitally, you also need to make additional decisions about smart card enabled digital signatures, such as whether assistants are allowed to sign documents on behalf of their superiors, whether send and read receipts are required, and how the receipts are to be stored. For more information about certificates and certificate use, see Designing a Public Key Infrastructure in this book.

Note: You must ensure that users know how to verify digital signatures. Unlike a hand-written signature, a digital signature is not visibly embedded in a message or document, and might be overlooked.

Defining Smart Card Service Level Requirements

Before you deploy smart cards, establish service level agreements to help your IT organization align smart card performance with the objectives of the organization in areas such as reliability, response times, and support procedures. For example, you need to define smart card service level standards for:

The types of identification required to obtain a smart card. You might choose to require a specific type of personal identification, such as a driver's license or other photo ID, in order for a user to obtain a smart card.

Unique service guarantees for special classes of employees, such as executives or roaming employees. Define whether certain classes of employees are permitted to operate under support agreements that differ from those of other users.

Acceptable time needed for users to log on. It is best to ensure that the steps and time needed for smart card logon are comparable to the steps and time needed for conventional password logons.

Acceptable logon times for remote access users. Remote access logon times are more vulnerable to slowdowns than local network connections, especially if users have slow dial-up access connections. You might need to upgrade your remote access configuration in order to ensure acceptable logon times for remote users.

Remote access exceptions. The computer configurations of some users might not be compatible with smart cards, and remote users might lose or forget their smart cards. Identify the circumstances, if any, in which remote users are allowed to use remote access without using a smart card. Each exception reintroduces password-only access for that user, so keep exceptions few and time-limited.

Number of unsuccessful PIN entries allowed. Do not allow an unlimited number of attempts to enter a PIN. Allowing three or four attempts is generally adequate. After the limit is reached the card blocks itself, and even the correct PIN is rejected until the card is unblocked through your PIN reset procedure.

PIN reset requirements. Decide whether users are allowed to reset their own PINs, or whether they need to provide personal identification to security or help desk personnel to have their PINs reset. If you decide that users need to provide positive identification, decide whether the user must present the identification in person, such as a photo ID, or demonstrate knowledge of a predefined secret, such as a mother's maiden name (bear in mind that such secrets are often discoverable and are weaker than in-person identification).

Service guarantees to users who cannot use their smart cards because of loss, damage, or blocking. This includes establishing when and how users can regain access to the network, and determining whether to restrict these users' access to the network to certain areas, or to allow them access to any areas of the network that were previously accessible to them. Defining these limits helps you to establish user expectations and support procedures.

Document your service level standards. You will need to apply these standards in your smart card operations plan, test them in your lab and pilot deployments, communicate them to help desk personnel and to your users, and include them in your support and maintenance plan.
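The PIN retry limit and PIN reset items above describe behaviour that lives on the card itself. The following added example (not code from the Deployment Kit or from any card vendor) models that behaviour so that the service level decisions can be reasoned about concretely: a fixed try budget, a counter that is restored by a correct PIN, a blocked card that rejects even the correct PIN, and an unblock secret (often called a PUK) that has its own limit and is the help desk's reset path. The try limits, the hashing used as a stand-in for the card's protected PIN storage, and all PIN and PUK values are assumptions chosen for illustration.

```python
"""Model of a smart card PIN retry counter (added example, not vendor or Deployment Kit code).

Assumed behaviour, shared by most ISO 7816 cards: a fixed number of PIN tries,
a counter that resets on a correct PIN, a blocked card that rejects the correct
PIN, and a separately limited unblock secret (PUK). Hashing stands in for the
card's protected PIN storage; a real card compares inside the chip."""

import hashlib
import hmac
import os

MAX_PIN_TRIES = 3   # the chapter's guidance: three or four attempts is adequate
MAX_PUK_TRIES = 3   # assumed: PUK tries are limited too, or the PUK becomes the weak link


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 20_000)


class CardPin:
    def __init__(self, pin: str, puk: str) -> None:
        self._salt = os.urandom(16)
        self._pin = _digest(pin, self._salt)
        self._puk = _digest(puk, self._salt + b"puk")
        self.pin_tries_left = MAX_PIN_TRIES
        self.puk_tries_left = MAX_PUK_TRIES

    @property
    def blocked(self) -> bool:
        return self.pin_tries_left == 0

    @property
    def permanently_blocked(self) -> bool:
        # PUK exhausted: only reissuing the card helps, which is a help desk procedure
        return self.puk_tries_left == 0

    def verify(self, pin: str) -> bool:
        """True on a correct PIN. A blocked card fails without consuming a try."""
        if self.blocked:
            return False
        if hmac.compare_digest(self._pin, _digest(pin, self._salt)):
            self.pin_tries_left = MAX_PIN_TRIES   # success restores the full budget
            return True
        self.pin_tries_left -= 1
        return False

    def unblock(self, puk: str, new_pin: str) -> bool:
        """Reset the retry counter and set a new PIN; wrong PUKs are counted too."""
        if self.permanently_blocked:
            return False
        if not hmac.compare_digest(self._puk, _digest(puk, self._salt + b"puk")):
            self.puk_tries_left -= 1
            return False
        self._pin = _digest(new_pin, self._salt)
        self.pin_tries_left = MAX_PIN_TRIES
        self.puk_tries_left = MAX_PUK_TRIES
        return True


def lockout_walkthrough() -> dict:
    """Constructed scenario; PIN and PUK values are illustrative only."""
    card = CardPin("1234", "87654321")
    r = {}
    r["wrong_twice"] = [card.verify("0000"), card.verify("1111")]   # [False, False]
    r["tries_after_two_failures"] = card.pin_tries_left            # 1
    r["correct_pin_accepted"] = card.verify("1234")                # True
    r["tries_after_success"] = card.pin_tries_left                 # 3, counter restored
    for _ in range(MAX_PIN_TRIES):
        card.verify("9999")
    r["blocked"] = card.blocked                                    # True
    r["correct_pin_while_blocked"] = card.verify("1234")           # False: blocked card
    r["wrong_puk"] = card.unblock("00000000", "4321")              # False
    r["unblocked"] = card.unblock("87654321", "4321")              # True
    r["new_pin_accepted"] = card.verify("4321")                    # True
    r["old_pin_rejected"] = card.verify("1234")                    # False
    return r


def exhaust_puk() -> bool:
    """A card whose PUK tries are used up can never be unblocked again."""
    card = CardPin("1234", "87654321")
    for _ in range(MAX_PIN_TRIES):
        card.verify("0000")
    for _ in range(MAX_PUK_TRIES):
        card.unblock("bad", "5555")
    return card.permanently_blocked and not card.unblock("87654321", "5555")


if __name__ == "__main__":
    for key, value in lockout_walkthrough().items():
        print(f"{key}: {value}")
    print("puk exhausted ->", exhaust_puk())
```

Two points the model makes visible: a blocked card does not become usable again simply because the legitimate user arrives with the right PIN, so the PIN reset procedure in the service level agreement is on the critical path for every blocked user; and the unblock secret needs the same care as the PIN, because an unlimited PUK budget would let an attacker holding a lost card bypass the PIN limit entirely.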

For a worksheet to assist you in documenting your service level agreement, see Smart Card Service Level Agreement (DSSSMC_2.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Smart Card Service Level Agreement on the Web at

Important: Incorporate your smart card service level agreements in the Certificate Practice and Policy Statements for your public key infrastructure. For more information about creating Certificate Practice and Policy Statements, see Designing a Public Key Infrastructure in this book.

Selecting Smart Card Hardware

Single smart cards and smart card readers are relatively inexpensive. However, when you deploy smart cards and smart card readers to hundreds or even thousands of users, equipment cost becomes an important consideration. You must evaluate smart card hardware in order to select the devices that best meet the needs of your organization at the best price. Figure 17.3 shows the process for selecting smart card hardware.

Figure 17.3 Selecting Smart Card Hardware (flowchart: Create a plan for smart card use; Select smart card hardware, which includes Create a smart card specification and Evaluate smart cards and readers; Create a smart card deployment plan; Plan for ongoing smart card support)

Creating a Smart Card Specification

A wide variety of smart cards and smart card readers are available to choose from. Windows Server 2003 is designed to work with any cryptographic smart card that has an associated CryptoAPI cryptographic service provider (CSP). The physical and electrical characteristics of smart cards and readers are governed by published standards. Cards from any manufacturer that adheres to the ISO 7816 standard will likely be compatible with the reader you select. Be sure, however, to test smart cards and smart card readers to verify compatibility before deploying them in your production environment. For more information about testing smart cards and smart card readers, see Evaluating Smart Cards and Readers later in this chapter.

Note: For more information about ISO 7816, see the Smart Card Alliance link on the Web Resources page at

Because smart cards both store and process data, it is important to create a specification for your smart cards. Creating a smart card specification involves making decisions about the following:

Smart card hardware type
Amount of memory required
Intended useful smart card lifetime
Intended smart card roles
Smart card reader hardware
Smart card management software

Table 17.1 lists some of the critical specifications that you need to define when you create your smart card specification.

Table 17.1 Smart Card Hardware Specifications

Specification: Memory
Description: How much data you need to store on the smart card.

Specification: Life expectancy
Description: The useful lifetime of the smart card.

Specification: Reuse
Description: Whether or not the smart card can be configured for use by a second user, if the original user leaves the organization.

Specification: Type of card
Description: The type of card that is most appropriate for your organization. You might choose one or more of the following: credit card or token style; single purpose or dual purpose.

Specification: Card dimensions
Description: The size, length, and thickness of the card, depending on the type of card that you specify.

Specification: Number of cards
Description: How many cards you need. If you have more users than computers, you need more smart cards than readers. If you specify more than one type of card, indicate the number of each type.

Specification: Type of smart card reader
Description: The type of reader that is most appropriate for your organization. Options include: USB; PCMCIA; serial.

Specification: Number of smart card readers
Description: How many readers you need. If you have more users than computers, you need fewer readers than smart cards. If you use your smart cards on multiple systems, you need more readers than smart cards. If administrators use one smart card for user logons and a second smart card for logging on with their administrative credentials, this also affects the number of smart card readers that you require.

Specification: Performance requirements
Description: The type of performance that you can expect. This includes: maximum acceptable logon times for direct network logons; maximum acceptable logon times for remote access logons; ability to handle alternate credentials; ability to restrict logons by using alternate credentials.

Specification: Smart card management tools
Description: The types and quality of the tools provided by the hardware vendor to manage smart cards.

For a worksheet to assist you in preparing a product specification, see Smart Card Hardware Specification (DSSSMC_3.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Smart Card Hardware Specification on the Web at

In the beginning of your deployment, you can meet user needs by using a single type of smart card with a single configuration option. However, as you expand your smart card infrastructure, you might need to deploy a variety of smart card types and configuration options.

Smart Card Type

Two types of smart cards are available for use with Windows Server 2003 and Windows XP: conventional credit card shaped contact cards and smaller token-style cards that plug directly into the USB port of a computer.

Note: Another type of smart card, called a contactless smart card, is not supported by Windows XP or Windows Server.

Credit card shaped contact cards. Credit card shaped smart cards are available in three-volt and five-volt versions. They are the most common smart card solution, in part because they resemble the corporate card keys or badges that many organizations use.

Note: You can specify that your smart cards be screen-printed with your corporate logo and a picture of the user. If you plan to add graphics to smart cards, ask your vendor about the methods available for bulk printing and customizing cards.

If your organization uses card keys or badges, you can apply smart card chips to the existing card key or badge as a sticker or skin. However, your card keys or badges need to fit into your smart card readers with a minimal amount of friction; therefore, be sure to include the physical thickness of the smart card in your specifications. This is an important factor to consider when you select a vendor to manufacture the stickers, as the material thickness for smart card chips can vary.

Token-style smart cards. Token-style smart cards are typically the size of a house key or automobile key. They plug directly into a USB port, providing a more compact solution than separate cards and readers. Token-style smart cards are ideal for laptop users who want to carry a minimum number of peripherals, or for workers who use a number of different computers. However, you cannot use token-style smart cards if your computers do not have USB connections, or if the USB connections are full or difficult to access.

Memory

Your smart card requires enough memory to store the certificate of the user, the smart card operating system, and additional applications. Smart cards run embedded operating systems and, in many cases, a form of file system in which data can be stored. To enable Windows smart card logon, you must be able to program the card to store a user's key pair, retrieve and store an associated public key certificate, and perform public and private key operations on behalf of the user. To calculate the amount of memory that you need, determine the space requirements for:

User certificates. A certificate typically requires about 1.5 kilobytes (KB). A smart card logon certificate with a 1,024-bit key typically requires 2.5 KB of space.
The smart card operating system. The Windows for Smart Cards operating system requires about 15 KB.
Applications required by the smart card vendor. A small application requires between 2 KB and 5 KB.
Your custom applications.
Future applications.

Figure 17.4 shows the space requirements on a typical 32 KB smart card. The smart card operating system requires about 15 KB, leaving 17 KB for the file system, which includes space for the card management software, the certificate, and any other custom applications.

Figure 17.4 Memory Use on a 32 KB Smart Card
Windows for Smart Cards operating system: 15 KB
Smart card vendor applications: 8 KB
Smart card logon certificate: 2.5 KB
Your custom application (if any): 1.5 KB
Free space: 5 KB

It is possible to configure smart card file systems into public and private spaces. For example, you can define segregated areas for protected information, such as certificates, e-purses, and entire operating systems, and mark this data as Read Only to ensure the security of the smart card and restrict the amount of data that can be modified. In addition, some vendors provide cards with sub-states, such as Add Only, which is useful for organizations that want to restrict the ability of a user to revise an existing credential, and Update Only, which is useful for organizations that want to restrict the ability of a user to add new credentials to a card.

The data capacity available on smart cards is increasing as smart card technology improves. However, storage space on smart cards is expensive. Card vendors often restrict the amount of storage available to individual applications so that multiple applications or services can be stored on the card. Therefore, in your vendor specification, define all of your anticipated present and future card usage requirements and the memory requirements for each certificate and application that you require. If you plan to use your smart cards for multiple purposes, such as physical access to facilities and user logon, or to store additional data, you must increase your memory requirements. Also, when planning storage space on the chip, allocate space for applications that you are planning for future implementation.

Note: Windows Server 2003 and Windows XP do not support the use of multiple certificates on a smart card.

Life Expectancy

You must define the length of time for which you will use a smart card before you replace or upgrade it. Contact your vendor for information about smart card life expectancy based on normal wear and tear. In addition, you must take into account your current and future space requirements, including the anticipated need for additional applications and certificates with larger keys. Anticipate adding new applications, and potentially issuing new smart cards, over the card lifecycle. In the future, vendors are likely to introduce smart cards with more memory and other enhancements for a lower cost.

Also, determine whether you want your smart cards to be reusable in the event that users leave the organization. Reusing smart cards reduces the costs associated with issuing new ones. However, the cost associated with removing existing data and writing new data and applications is often equal to or more than the cost of preparing and issuing new smart cards. If you do reuse cards, revoke the departing user's certificate and erase the key pair from the card before it is reissued.

16 854 Chapter 17 Planning a Smart Card Deployment Smart Card Roles Yo can se smart cards for one of three roles. Determine how many smart cards yo need to isse for each of the following roles: Enrollment card. Isse enrollment cards to individals who enroll smart cards on behalf of other sers. Enrollment cards have a special enrollment agent certificate. Isse the smallest possible nmber of enrollment cards that will enable yo to enroll all reqired smart card sers. This protects the secrity of yor system. User cards. These are the standard cards that yo isse to each ser. Two types of ser cards are available: Permanent. Permanent ser cards are cards that employees carry with them. They contain the cardholders credentials, certificates, data, and applications. They might also have a photograph or a decal applied to the card. In a Windows Server 2003 environment, the permanent card points to a permanent certificate server. Temporary. Temporary cards are a limited-se cards that are issed to gests, temporary employees, and sers who have forgotten their permanent cards. They point to a temporary certificate server and can have a limited lifetime. For a worksheet to assist yo in docmenting the roles for the smart cards that yo isse, see Smart Card Hardware Specification (DSSSMC_3.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Smart Card Hardware Specification on the Web at Important To ensre system secrity, isse master and enrollment cards to the smallest possible nmber of trsted employees. For more information abot issing enrollment agent cards, see Establishing Enrollment Agents later in this chapter. Smart Card Readers A variety of types of smart card readers are available. The majority of smart card readers connect to the compter throgh an RS-232 serial port, a Type II Personal Compter Memory Card International Association (PCMCIA) slot, or a niversal serial bs (USB) port. 
Although USB-compatible smart card readers are the simplest type of reader to connect, the USB ports on some computers might already be occupied. For this reason, it is best to order a mix of card reader connector types based on the types of connections that are available on your systems. For a list of Windows-compatible smart card readers, see the Windows Catalog link on the Web Resources page.

Smart Card Management Tools

You can perform most smart card related tasks by using Windows Server 2003 Certificate Services and the software tools provided by the smart card vendor. However, it is important to assess the smart card tools that are available to determine whether they are sufficient to meet your needs. You might need to create additional tools for some smart card tasks. For example, you might require tools to assist you in moving from a limited pilot phase to a full production deployment. Also, developers in your organization might need to create a direct interface between the smart card certificate and your building access systems.

You might also choose to write a script that automatically enters critical data into a database when a smart card is created. This includes data such as smart card serial numbers, the names or user names of the users who are assigned smart cards, the types of certificates that are issued to the users, when the certificates are issued, and when they expire. For more information about creating scripts for Windows Server 2003, see the Windows Deployment and Resource Kits Web site or the TechNet Script Center link on the Web Resources page.

Evaluating Smart Cards and Readers

You need to evaluate your prospective smart cards and readers throughout your smart card deployment process. Initially, obtain and evaluate a variety of smart cards and smart card readers to determine which vendors provide the best balance of specifications, performance, and price. As you deploy your smart card infrastructure, continue to evaluate your hardware to make sure that it performs as expected. The smart cards and smart card readers that you deploy and the smart card production processes that you develop are likely to be used many times every day. Therefore, you must ensure that your hardware is reliable.
The service level agreements that you created when you defined your smart card requirements provide objective standards for measuring and documenting satisfactory performance. To minimize user dissatisfaction and maximize manageability, be sure to test the following:

Installation and removal of the smart card software. Make sure the smart cards work after you install the software. If the installation is faulty, use Windows Event Viewer to find error messages that might explain the cause of the failure.

Fit of smart cards in readers. Smart card dimensions, such as thickness, are governed by international standards. However, some organizations have found that, if the card-to-reader interface is too tight or abrasive, the cards deteriorate more rapidly.

Reader reliability. To test reliability, create an environment that includes systems with slower CPUs and less memory than the typical computers in your organization. Test how well your smart card readers operate in this environment, as well as in other configurations. You can, for example, run a number of memory-intensive applications or use the smart cards and readers over slow connections to evaluate how each combination of smart cards and readers functions under these conditions. Your smart card service level agreements provide objective criteria for acceptable and unacceptable performance.

Card production. Slow card production processes can impede your deployment. If your organization is unable to produce cards efficiently, use a third-party vendor to produce smart cards.

Ability to deploy multiple types of cards and readers. If you are unable to efficiently deploy the types of cards, readers, and servers that you require, your service might be inconsistent and inefficient.

For a worksheet to assist you in documenting the results of your smart card reader evaluation, see Smart Card Reader Evaluation (DSSSMC_4.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Smart Card Reader Evaluation on the Web). Figure 17.5 shows an example of a completed Smart Card Reader Evaluation worksheet.

Figure 17.5 Example of a Smart Card Reader Evaluation Worksheet

Creating a Smart Card Deployment Plan

Deploying a smart card infrastructure is a time-consuming process because it involves deploying physical components (smart cards and smart card readers) and issuing digital certificates individually to every user who requires a smart card. Careful planning can significantly reduce the amount of time this process takes and enable you to enhance the security of your organization. Figure 17.6 shows the steps involved in creating a smart card deployment plan.

Figure 17.6 Creating a Smart Card Deployment Plan

Create a plan for smart card use
Select smart card hardware
Create a smart card deployment plan:
    Establish certification authorities
    Plan smart card certificate templates
    Establish issuance processes
    Prepare a smart card deployment schedule
Plan for ongoing smart card support

Establishing Certification Authorities

It is important to ensure that your public key infrastructure can support the issuance and verification of smart card certificates for the users and applications that you have identified. To ensure that your PKI can support a smart card infrastructure, you must do the following:

Configure your certification authorities (CAs) as enterprise CAs. Windows Server 2003 smart card certificates require enterprise CAs.

Important: CAs that issue smart card certificates must be trusted in the CA hierarchy and must be online while users are being enrolled. Verification depends on revocation data as well: smart card logon fails if the domain controller cannot obtain a current certificate revocation list (CRL) for the issuing chain, so keep the CRL distribution points reachable from every domain controller and publish CRLs before they expire.

Make sure that your issuing CAs are installed on servers that have enough storage and processing power to support the smart card users in your organization. For more information about planning your CA infrastructure, see Designing a Public Key Infrastructure in this book.

Planning Smart Card Certificate Templates

You can use any of the following Windows Server 2003 certificate templates to enable smart card use in the Windows Server 2003 PKI:

Enrollment Agent. Allows an authorized user to serve as a certificate request agent on behalf of other users.

Smart Card User. Enables a user to log on and sign e-mail.

SmartCardLogon. Enables a user to log on by using a smart card.

You can also create your own certificate templates to serve multiple purposes. For example, the smart card logon certificate template is designed for smart card logon only. If you intend to use your smart card infrastructure to support multiple applications, you can choose multipurpose templates instead. Multipurpose templates generate certificates that you can use for multiple applications, such as smart card logon and e-mail signing.

Note: Windows 2000 only supports version 1 templates, which cannot be customized or extended. Use Windows Server 2003, Enterprise Edition, which supports version 2 templates, if you need to create new certificate templates, copy an existing template, or replace templates that are already in use.

As part of your planning for smart card certificate templates, you need to establish values for public key lengths, certificate lifetimes, and certificate renewal policies. These values are interrelated. For example, if you select a larger key, you can implement a longer certificate lifetime. Or, you can use a smaller public key if a certificate has a relatively short lifetime. Note, however, that the amount of memory available on the smart cards that you select also limits the size of the keys that you can use.

Important: Many organizations pre-enroll users for smart card certificates several weeks before they distribute smart cards to users. The certificate lifetime is determined by the date that you issue the certificate, not the date that you distribute the card to the user. Therefore, factor any distribution delays into your certificate lifetime and renewal strategy.

A Windows Server 2003 CA allows you to select a certificate public key length from 384 bits for minimal security to 16,384 bits for maximum security. This chapter's original guidance was that a 1,024-bit key is adequate for typical logon applications; 1,024-bit RSA keys have since been deprecated, so plan on 2,048 bits or longer for any new deployment and confirm that your cards and CSPs support that length. You can establish certificate lifetimes that are as long or as short as you need, and you can configure certificates to be nonrenewable, renewable a finite number of times, or renewable indefinitely. To define public key lengths, certificate lifetimes, and renewal policies, take into account:

The physical capacity of your smart cards. Most of the smart cards that are available today have adequate space for all but the largest certificates.

How you define acceptable logon times. Public key based authentication often takes longer than authentication without certificates.

Note: The smart card and smart card reader that you choose might also affect logon performance. Test different combinations until the terms specified in your service level agreements are satisfied.

The nature of the business relationship.
Smart card certificates issued to permanent employees usually warrant a longer lifetime and renewal cycle than certificates issued to short-term workers or to nonemployees.

The level of security that you want to enforce. Highly sensitive operations warrant larger public keys and, typically, shorter certificate lifetimes.

For more information about planning public key and certificate renewal values, see Designing a Public Key Infrastructure in this book. For more information about how to configure certificate templates, see Certificate Templates in Help and Support Center for Windows Server 2003.
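The Smart Card Management Tools section above suggests a script that records the card serial, user, certificate type, issue date and expiry whenever a card is created, and the Important note above warns that a pre-enrolled certificate's lifetime starts at issuance, not at distribution. The following Python script is an added example (it is not from the Deployment Kit) that covers both: it logs each issuance and each hand-over to a database, flags cards whose distribution delay consumed more than a chosen share of the certificate lifetime, and lists certificates that fall due for renewal within a given window. It assumes issuance records arrive as plain Python values (in practice you would build them from the CA database, for example from the CSV output of certutil -view), uses SQLite as a stand-in for the organization's database, and the CONTOSO account names, serial numbers and dates are constructed sample data.

```python
"""Smart card issuance inventory.

Added example, not part of the Windows Server 2003 Deployment Kit. Assumptions
(none of these come from the chapter): issuance records are supplied as plain
Python values (in practice built from the CA database, e.g. "certutil -view"
CSV output), dates are ISO 8601 calendar dates, and SQLite stands in for
whatever database the organization actually uses.
"""
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE IF NOT EXISTS smart_cards (
    card_serial    TEXT PRIMARY KEY,   -- serial number of the physical card
    user_name      TEXT NOT NULL,      -- account the certificate was issued to
    template       TEXT NOT NULL,      -- certificate template name
    issued_on      TEXT NOT NULL,      -- certificate NotBefore (ISO date)
    expires_on     TEXT NOT NULL,      -- certificate NotAfter (ISO date)
    distributed_on TEXT                -- NULL until the card reaches the user
)
"""


def open_inventory(path=":memory:"):
    """Open (or create) the inventory database."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record_issuance(conn, card_serial, user_name, template, issued_on, expires_on):
    """Log one card at the moment the enrollment agent writes the certificate to it."""
    conn.execute(
        "INSERT INTO smart_cards VALUES (?, ?, ?, ?, ?, NULL)",
        (card_serial, user_name, template, issued_on.isoformat(), expires_on.isoformat()),
    )
    conn.commit()


def record_distribution(conn, card_serial, distributed_on):
    """Log the date on which the user actually received the card."""
    conn.execute(
        "UPDATE smart_cards SET distributed_on = ? WHERE card_serial = ?",
        (distributed_on.isoformat(), card_serial),
    )
    conn.commit()


def lifetime_lost_to_distribution(conn, card_serial):
    """Fraction of the certificate lifetime that had already elapsed when the user got the card.

    Returns None for an unknown serial or a card that has not been distributed yet.
    """
    row = conn.execute(
        "SELECT issued_on, expires_on, distributed_on FROM smart_cards WHERE card_serial = ?",
        (card_serial,),
    ).fetchone()
    if row is None or row[2] is None:
        return None
    issued, expires, distributed = (date.fromisoformat(v) for v in row)
    lifetime_days = (expires - issued).days
    lost_days = max((distributed - issued).days, 0)   # hand-over before NotBefore loses nothing
    return lost_days / lifetime_days


def cards_with_delayed_distribution(conn, max_fraction=0.10):
    """Serials of distributed cards whose delivery delay ate more than max_fraction of the lifetime."""
    serials = [r[0] for r in conn.execute(
        "SELECT card_serial FROM smart_cards WHERE distributed_on IS NOT NULL ORDER BY card_serial")]
    return [s for s in serials if lifetime_lost_to_distribution(conn, s) > max_fraction]


def expiring_within(conn, as_of, days):
    """(serial, user, expires_on) for certificates that expire within `days` of `as_of`.

    This is the renewal queue: each entry needs a renewed certificate (or a
    replacement card) before the date shown.
    """
    cutoff = (as_of + timedelta(days=days)).isoformat()
    return conn.execute(
        "SELECT card_serial, user_name, expires_on FROM smart_cards "
        "WHERE expires_on >= ? AND expires_on <= ? ORDER BY expires_on, card_serial",
        (as_of.isoformat(), cutoff),
    ).fetchall()


def build_sample_inventory():
    """Constructed sample data (not taken from any real CA)."""
    conn = open_inventory()
    # Two permanent cards pre-enrolled on the same day with one-year certificates...
    record_issuance(conn, "SC-0001", "CONTOSO\\asmith", "SmartCardUser", date(2004, 1, 5), date(2005, 1, 4))
    record_issuance(conn, "SC-0002", "CONTOSO\\bjones", "SmartCardUser", date(2004, 1, 5), date(2005, 1, 4))
    # ...one held six weeks in a remote office, the other delivered two days later.
    record_distribution(conn, "SC-0001", date(2004, 2, 16))
    record_distribution(conn, "SC-0002", date(2004, 1, 7))
    # A temporary card for a contractor with a 30-day certificate, handed over at issuance.
    record_issuance(conn, "SC-0003", "CONTOSO\\tmp-cwhite", "SmartCardLogon", date(2004, 11, 15), date(2004, 12, 15))
    record_distribution(conn, "SC-0003", date(2004, 11, 15))
    return conn


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("distribution delay above 10% of lifetime:", cards_with_delayed_distribution(inv))
    print("due for renewal within 20 days of 2004-12-01:", expiring_within(inv, date(2004, 12, 1), 20))
```

In the sample data the card held for six weeks shows up as having lost about 11.5 percent of a one-year lifetime, which is the kind of figure to compare against the renewal window you chose; a card that will arrive weeks after issuance should either get a longer lifetime or be enrolled closer to hand-over. On a Windows Server 2003 CA the columns this script stores can be exported with certutil -view using -restrict and -out to pick the rows and fields, and the output fed into record_issuance in place of the constructed values.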

Establishing Issuance Processes

You must establish a plan for the issuance of the smart cards and for writing smart card certificates to the cards. This involves making decisions about the following:

Smart card distribution requirements
Certificate enrollment options
Physical distribution of smart cards
A user preparation plan

Defining Smart Card Distribution Requirements

Define the procedures for preparing and distributing smart cards and smart card certificates and for replacing lost, stolen, or damaged smart cards, as well as contingencies such as when employees change jobs, names, or occupational status. If you have an existing employee badge process, one solution for smart card distribution is to combine smart card preparation and distribution with badge preparation and distribution. Obtaining a badge typically requires a visit to a security office where employees must prove their identity and then have their pictures taken. With smart cards, employees can have company-issued certificates attached to the badges that they use for building entry. In this case, the security office requests and installs the certificates on employees' badges, which also serve as their smart cards.

Requiring a person to appear in person with physical credentials such as a driver's license is the most secure way to distribute smart cards, but this is not always possible. If your organization includes remote offices or traveling users, you need to establish a distribution strategy that accommodates the users' circumstances while minimizing the security risk. For example, you can have a receptionist or administrative assistant give the user a blank smart card and then have the user download the smart card certificate by using self-enrollment. The administrative assistant has physical access to the cards, but not to the PINs or the certificates necessary to activate the card.
You can also use registered mail or another delivery service that requires a signature upon receipt to distribute smart cards to individuals who do not have access to a security office. Otherwise, you can choose a designated individual to physically distribute smart cards; this is the least secure method of smart card distribution. You must also plan for the physical distribution of replacement cards, especially for mobile or remote office users. For more information about replacement card planning, see Planning for Ongoing Smart Card Support later in this chapter.

Selecting Certificate Enrollment Options

By default, only domain administrators can modify smart card certificate templates. Domain administrators can modify the access permissions on the certificate template to enable either of the following enrollment options:

Enrollment agents, which allow one or more agents to initialize smart cards on behalf of users.
Self-enrollment, which allows end users to initialize their own smart cards.

You need to select between the enrollment agent and self-enrollment options based on the security requirements of your organization and your plan for smart card management and distribution. Using an enrollment agent provides the greatest level of security, but requires the highest level of IT support and is the most expensive. Self-enrollment provides the greatest flexibility and accommodates remote users, but is not as secure.

Establishing Enrollment Agents

If you decide to control smart card issuance from a central location, you need to authorize one or more individuals within the organization to be enrollment agents. Each enrollment agent needs to be issued an Enrollment Agent certificate, which makes it possible for the agent to enroll for certificates on behalf of users. The advantages of using an enrollment agent include:

A highly trusted individual processes all certificate and smart card requests.
Domain administrators can delegate a potentially time-consuming task.
It simplifies the smart card setup process for users.

The disadvantages include:

It is difficult to ensure that enrollment agents are trustworthy. One way to enhance this trust is to require approval from several enrollment agents.
Users in remote locations might not be able to obtain new or replacement smart cards when and where they need them.

Enrollment agents are typically members of the security, IT security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources.
In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case you might need to designate a branch manager or other trusted employee to act as an enrollment agent. The number of enrollment agents you need depends on:

The number and proximity of locations in your organization, especially if enrollment agents will be authenticating users in person.
The number of smart cards that need to be prepared by the enrollment agent.
The number of other duties that enrollment agents need to perform.

Select the individuals to whom you issue Enrollment Agent certificates carefully. These individuals can enroll for smart card certificates on behalf of any domain user, including an administrator. If these individuals are not trustworthy, they can compromise the security of your organization. To ensure the security of your organization, allow only a limited number of your most trusted employees to serve as enrollment agents.

If you decide to use enrollment agents, prevent unauthorized users from becoming enrollment agents by placing strict controls on the CA used to issue Enrollment Agent certificates. Establish a subordinate CA that is used only to issue Enrollment Agent certificates. After you issue the initial Enrollment Agent certificates, you can either disable certificate issuance or take the CA offline until you require additional enrollment certificates.

Note: For information about delegating enrollment agent authority to individuals who are not domain administrators, see Prepare a smart card certificate enrollment station in Help and Support Center for Windows Server 2003.

Pre-Enrolling User Smart Cards

If you decide to pre-enroll users for smart card certificates, make sure that the enrollment agent has the blank smart cards as well as the following information:

The CA selected to issue the smart card certificates to the user, if there are multiple CAs in the organization. If there is only one CA in the organization with smart card certificate templates enabled, that CA is selected automatically.

The cryptographic service provider (CSP) that matches the brand of smart card that is to be issued to the user.

The name of the user to be enrolled. This user must have Enroll permission for the smart card certificate template. A domain administrator can grant this either to the individual or to a group of users, such as Authenticated Users or Purchasing.

The default PIN for the smart card, which is set by the card manufacturer. Because the manufacturer's default PIN is the same for every card of that model, a pre-enrolled card protects nothing until the PIN is changed.
Note: You can create a script to force the user to change the PIN upon first use of the smart card. Also, ensure that your enrollment agents review the certificates to verify that the information is correct before they distribute them to users.

Using Self-Enrollment

Although using enrollment agents requires more administrative time than allowing users to enroll themselves, the security benefits usually outweigh the overhead costs. However, using enrollment agents might not always be possible or necessary. For example, if it is unlikely that smart cards will be misused, or if the consequences of misuse are minimal, then you might use self-enrollment. In situations in which physical distribution is not possible, self-enrollment is the best alternative.

If you decide to use certificate self-enrollment, users can request a certificate from a Windows Server 2003 CA either manually or automatically. This request can be held pending administrator approval, if you decide that manual approval is required, or until the verification process is completed. Whichever option you choose, the certificate self-enrollment process installs the certificate automatically, or automatically renews the certificate on behalf of the user as soon as the certificate request is approved, based on the specifications in the certificate template.

Educating Users

User education is an important component of a smart card management plan. Ensure that users understand the purpose of the smart card deployment. Educate them about proper smart card handling and protection so that they can help the organization meet its security goals. Emphasize that a smart card is a valuable resource that needs to be protected. For example, be sure that users understand:

The hardware and software that they need in order to use smart cards.
How to install and use their smart cards and readers.
How they can obtain their smart cards and smart card readers.
What they need to do in order to configure their systems to use their smart cards.
What to do if a smart card is lost or stolen.
Who to call or contact for help and support.

Note: Setup instructions are particularly important for traveling users, or for users who use remote access connections on their home computers.

In addition, provide the following guidelines to users:

Protect the external smart card chip. If the chip becomes damaged (scratched, dented, and so forth), the reader might not be able to read the data on the chip.
Do not bend the card. This can break critical internal components. It is risky, for example, to put a smart card in a back pocket, because the individual might sit on it and break its internal components.
Do not expose the smart card to temperature extremes.
Leaving a smart card on the dashboard of a car on a hot day can melt or warp the card and harm the chip. Cold temperatures can make the smart card brittle and easier to break.
Keep the smart card away from magnetic sources. This includes credit cards and scanners at retail stores.

It is useful to have a printed version of this user training information available for distribution along with the smart card itself. If your organization also maintains an intranet, publish this information as an easy-to-locate Web page so that users can refer back to your instructions at a later date.


More information

Owning A business Step-By-Step Guide to Financial Success

Owning A business Step-By-Step Guide to Financial Success Owning A bsiness Step-By-Step Gide to Financial Sccess CONTACT US For more information abot any of the services in this brochre, call 1-888-845-1850, visit or website at bsiness.mac.com or stop by the

More information

The Intelligent Choice for Disability Income Protection

The Intelligent Choice for Disability Income Protection The Intelligent Choice for Disability Income Protection provider Pls Keeping Income strong We prposeflly engineer or disability income prodct with featres that deliver benefits sooner and contine paying

More information

7 Help Desk Tools. Key Findings. The Automated Help Desk

7 Help Desk Tools. Key Findings. The Automated Help Desk 7 Help Desk Tools Or Age of Anxiety is, in great part, the reslt of trying to do today s jobs with yesterday s tools. Marshall McLhan Key Findings Help desk atomation featres are common and are sally part

More information

EMC NetWorker. Performance Optimization Planning Guide. Version 8.2 302-000-697 REV 01

EMC NetWorker. Performance Optimization Planning Guide. Version 8.2 302-000-697 REV 01 EMC NetWorker Version 8.2 Performance Optimization Planning Gide 302-000-697 REV 01 Copyright 2000-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished Janary, 2015 EMC believes the information

More information

Appraisal Firewall 1.0. Appraisal Revolution. powered by Appraisal Firewall DATA FACTS WHITE PAPER SERIES

Appraisal Firewall 1.0. Appraisal Revolution. powered by Appraisal Firewall DATA FACTS WHITE PAPER SERIES Appraisal Firewall 1.0 Appraisal Revoltion powered by Appraisal Firewall DATA FACTS WHITE PAPER SERIES The Technology Standard Appraisal Revoltion, powered by Appraisal Firewall technology maximizes yor

More information

9 Setting a Course: Goals for the Help Desk

9 Setting a Course: Goals for the Help Desk IT Help Desk in Higher Edcation ECAR Research Stdy 8, 2007 9 Setting a Corse: Goals for the Help Desk First say to yorself what yo wold be; and then do what yo have to do. Epictets Key Findings Majorities

More information

Effective governance to support medical revalidation

Effective governance to support medical revalidation Effective governance to spport medical revalidation A handbook for boards and governing bodies This docment sets ot a view of the core elements of effective local governance of the systems that spport

More information

8 Service Level Agreements

8 Service Level Agreements 8 Service Level Agreements Every organization of men, be it social or political, ltimately relies on man s capacity for making promises and keeping them. Hannah Arendt Key Findings Only abot 20 percent

More information

Technical Notes. PostgreSQL backups with NetWorker. Release number 1.0 302-001-174 REV 01. June 30, 2014. u Audience... 2. u Requirements...

Technical Notes. PostgreSQL backups with NetWorker. Release number 1.0 302-001-174 REV 01. June 30, 2014. u Audience... 2. u Requirements... PostgreSQL backps with NetWorker Release nmber 1.0 302-001-174 REV 01 Jne 30, 2014 Adience... 2 Reqirements... 2 Terminology... 2 PostgreSQL backp methodologies...2 PostgreSQL dmp backp... 3 Configring

More information

CRM Customer Relationship Management. Customer Relationship Management

CRM Customer Relationship Management. Customer Relationship Management CRM Cstomer Relationship Management Kenneth W. Thorson Tax Commissioner Virginia Department of Taxation Discssion Areas TAX/AMS Partnership Project Backgrond Cstomer Relationship Management Secre Messaging

More information

iet ITSM: Comprehensive Solution for Continual Service Improvement

iet ITSM: Comprehensive Solution for Continual Service Improvement D ATA S H E E T iet ITSM: I T I L V 3 I n n o v at i v e U s e o f B e s t P ra c t i c e s ITIL v3 is the crrent version of the IT Infrastrctre Library. The focs of ITIL v3 is on the alignment of IT Services

More information

FINANCIAL FITNESS SELECTING A CREDIT CARD. Fact Sheet

FINANCIAL FITNESS SELECTING A CREDIT CARD. Fact Sheet FINANCIAL FITNESS Fact Sheet Janary 1998 FL/FF-02 SELECTING A CREDIT CARD Liz Gorham, Ph.D., AFC Assistant Professor and Family Resorce Management Specialist, Utah State University Marsha A. Goetting,

More information

Closer Look at ACOs. Making the Most of Accountable Care Organizations (ACOs): What Advocates Need to Know

Closer Look at ACOs. Making the Most of Accountable Care Organizations (ACOs): What Advocates Need to Know Closer Look at ACOs A series of briefs designed to help advocates nderstand the basics of Accontable Care Organizations (ACOs) and their potential for improving patient care. From Families USA Updated

More information

BIS - Overview and basic package V2.5

BIS - Overview and basic package V2.5 Engineered Soltions BIS - Overview and basic package V2.5 BIS - Overview and basic package V2.5 www.boschsecrity.com Complete enterprise management for efficient, integrated bilding and secrity management

More information

Social Work Bursary: Academic year 2015/16 Application notes for students on undergraduate courses

Social Work Bursary: Academic year 2015/16 Application notes for students on undergraduate courses Social Work Brsary: Academic year 2015/16 Application notes for stdents on ndergradate corses These notes are for ndergradate stdents who have previosly received a brsary. Please make sre yo complete the

More information

Purposefully Engineered High-Performing Income Protection

Purposefully Engineered High-Performing Income Protection The Intelligent Choice for Disability Income Insrance Prposeflly Engineered High-Performing Income Protection Keeping Income strong We engineer or disability income prodcts with featres that deliver benefits

More information

DESTINATION ASSURED CONTACT US. Products for Life

DESTINATION ASSURED CONTACT US. Products for Life DESTINATION ASSURED CONTACT US For more information abot any of the services in this brochre, call 1-800-748-4302, visit or website at www.mac.com or stop by the branch nearest yo. LR-2011 Federally insred

More information

Opening the Door to Your New Home

Opening the Door to Your New Home Opening the Door to Yor New Home A Gide to Bying and Financing. Contents Navigating Yor Way to Home Ownership...1 Getting Started...3 Finding Yor Home...9 Finalizing Yor Financing...12 Final Closing...13

More information

property insurance claim report

property insurance claim report property insrance claim report CGU Insrance Limited ABN 27 004 478 371 Please retain this page for yor information Abot yor claim Most policies allow for replacement of property with the nearest eqivalent

More information

SYSTEM OF CONFORMITY ASSESSMENT SCHEMES FOR ELECTROTECHNICAL EQUIPMENT

SYSTEM OF CONFORMITY ASSESSMENT SCHEMES FOR ELECTROTECHNICAL EQUIPMENT IECEE Reporting Service for Hazardos Sbstances: Helping yo protect corporate reptation and the bottom line SYSTEM OF CONFORMITY ASSESSMENT SCHEMES FOR ELECTROTECHNICAL EQUIPMENT AND Components (iecee)

More information

The Intelligent Choice for Basic Disability Income Protection

The Intelligent Choice for Basic Disability Income Protection The Intelligent Choice for Basic Disability Income Protection provider Pls Limited Keeping Income strong We prposeflly engineer or basic disability income prodct to provide benefit-rich featres delivering

More information

The Good Governance Standard for Public Services

The Good Governance Standard for Public Services The Good Governance Standard for Pblic Services The Independent Commission for Good Governance in Pblic Services The Independent Commission for Good Governance in Pblic Services, chaired by Sir Alan Langlands,

More information

Introduction to HBase Schema Design

Introduction to HBase Schema Design Introdction to HBase Schema Design Amandeep Khrana Amandeep Khrana is a Soltions Architect at Clodera and works on bilding soltions sing the Hadoop stack. He is also a co-athor of HBase in Action. Prior

More information

The Good Governance Standard for Public Services

The Good Governance Standard for Public Services The Good Governance Standard for Pblic Services The Independent Commission on Good Governance in Pblic Services Good Governance Standard for Pblic Services OPM and CIPFA, 2004 OPM (Office for Pblic Management

More information

10 Evaluating the Help Desk

10 Evaluating the Help Desk 10 Evalating the Help Desk The tre measre of any society is not what it knows bt what it does with what it knows. Warren Bennis Key Findings Help desk metrics having to do with demand and with problem

More information

Make the College Connection

Make the College Connection Make the College Connection A college planning gide for stdents and their parents Table of contents The compelling case for college 2 Selecting a college 3 Paying for college 5 Tips for meeting college

More information

The Time is Now for Stronger EHR Interoperability and Usage in Healthcare

The Time is Now for Stronger EHR Interoperability and Usage in Healthcare The Time is Now for Stronger EHR Interoperability and Usage in Healthcare Sponsored by Table of Contents 03 Stdy: Large Nmber of EHRs Do Not Meet Usability Standards 05 Black Book: EHR Satisfaction Growing

More information

What to buy: The ordering guide for VDO RoadLog VDO and RoadLog Trademarks of the Continental Corporation

What to buy: The ordering guide for VDO RoadLog VDO and RoadLog Trademarks of the Continental Corporation www.vdoroadlog.com What to by: The ordering gide for VDO RoadLog VDO and RoadLog Trademarks of the Continental Corporation Here s what yo ll need to get p and rnning on RoadLog: VDO RoadLog is the simple

More information

Introducing ChartMaker Cloud! STI Provides More Options Than Any Other Software Vendor

Introducing ChartMaker Cloud! STI Provides More Options Than Any Other Software Vendor Introdcing ChartMaker Clod! STI Provides More Options Than Any Other Software Vendor ChartMaker Clinical 3.7 2011 Amblatory EHR + Cardiovasclar Medicine + Child Health The ChartMaker Medical Site is made

More information

www.macu.com LH-2011 Products for Life

www.macu.com LH-2011 Products for Life www.mac.com LH-2011 Prodcts for Life 2 6 8 10 12 13 prchase Qick 14 insrance There s nothing like the feeling of bying yor own home. Yo finally have yor own space, and yor money is going toward something

More information

Candidate: Kevin Taylor. Date: 04/02/2012

Candidate: Kevin Taylor. Date: 04/02/2012 Systems Analyst / Network Administrator Assessment Report 04/02/2012 www.resorceassociates.com To Improve Prodctivity Throgh People. 04/02/2012 Prepared For: Resorce Associates Prepared by: John Lonsbry,

More information

MVM-BVRM Video Recording Manager v2.22

MVM-BVRM Video Recording Manager v2.22 Video MVM-BVRM Video Recording Manager v2.22 MVM-BVRM Video Recording Manager v2.22 www.boschsecrity.com Distribted storage and configrable load balancing iscsi disk array failover for extra reliability

More information

Corporate performance: What do investors want to know? Innovate your way to clearer financial reporting

Corporate performance: What do investors want to know? Innovate your way to clearer financial reporting www.pwc.com Corporate performance: What do investors want to know? Innovate yor way to clearer financial reporting October 2014 PwC I Innovate yor way to clearer financial reporting t 1 Contents Introdction

More information

EMC PowerPath/VE Installation and Administration Guide

EMC PowerPath/VE Installation and Administration Guide EMC PowerPath/VE Installation and Administration Gide Version 5.9 and Minor Releases for VMware vsphere P/N 302-000-236 REV 03 Copyright 2009-2014. All rights reserved. Pblished in USA. EMC believes the

More information

SME Business. Solutions

SME Business. Solutions SME Bsiness Soltions For more information, please contact SME Banking: Bahrain World Trade Center, East Tower 15th Floor Tel: 17 13 3383 Fax: 17 13 1043 E-mail: sme@bmi.com.bh ABOUT BMI BANK We re a yong,

More information

Candidate: Suzanne Maxwell. Date: 09/19/2012

Candidate: Suzanne Maxwell. Date: 09/19/2012 Medical Coder / Billing Clerk Assessment Report Szanne Maxwell 09/19/2012 www.resorceassociates.com Szanne Maxwell 09/19/2012 Prepared For: NAME Prepared by: John Lonsbry, Ph.D. & Lcy Gibson, Ph.D., Licensed

More information

EMC Data Domain Operating System

EMC Data Domain Operating System EMC Data Domain Operating System Version 5.4 Administration Gide 302-000-072 REV. 06 Copyright 2009-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished September, 2014 EMC believes the

More information

Candidate: Kyle Jarnigan. Date: 04/02/2012

Candidate: Kyle Jarnigan. Date: 04/02/2012 Cstomer Service Manager Assessment Report 04/02/2012 www.resorceassociates.com To Improve Prodctivity Throgh People. Cstomer Service Manager Assessment Report 04/02/2012 Prepared For: NAME Prepared by:

More information

A Novel QR Code and mobile phone based Authentication protocol via Bluetooth Sha Liu *1, Shuhua Zhu 2

A Novel QR Code and mobile phone based Authentication protocol via Bluetooth Sha Liu *1, Shuhua Zhu 2 International Conference on Materials Engineering and Information Technology Applications (MEITA 2015) A Novel QR Code and mobile phone based Athentication protocol via Bletooth Sha Li *1, Shha Zh 2 *1

More information

Accelerated Implementation Model

Accelerated Implementation Model ABOUT US SALES CLOUD SOLUTION CLIENT SUCCESS STORIES Accelerated Implementation Model Sales Clod implementation Fastest ROI - delivered in as few as 60-90 days Three implementation plan options Terillim

More information

VRM Video Recording Manager v3.0

VRM Video Recording Manager v3.0 Video VRM Video Recording Manager v3.0 VRM Video Recording Manager v3.0 www.boschsecrity.com Distribted storage and configrable load balancing iscsi disk array failover for extra reliability Used with

More information

BIS - Overview and basic package V4.0

BIS - Overview and basic package V4.0 Engineered Soltions BIS - Overview and basic package V4.0 BIS - Overview and basic package V4.0 www.boschsecrity.com Complete enterprise management for efficient, integrated bilding and secrity management

More information

Galvin s All Things Enterprise

Galvin s All Things Enterprise Galvin s All Things Enterprise The State of the Clod, Part 2 PETER BAER GALVIN Peter Baer Galvin is the CTO for Corporate Technologies, a premier systems integrator and VAR (www.cptech. com). Before that,

More information

Candidate: Cassandra Emery. Date: 04/02/2012

Candidate: Cassandra Emery. Date: 04/02/2012 Market Analyst Assessment Report 04/02/2012 www.resorceassociates.com To Improve Prodctivity Throgh People. 04/02/2012 Prepared For: Resorce Associates Prepared by: John Lonsbry, Ph.D. & Lcy Gibson, Ph.D.,

More information

Bosch Security Training Academy Training Course Catalogue 2015. uk.boschsecurity.com

Bosch Security Training Academy Training Course Catalogue 2015. uk.boschsecurity.com Bosch Secrity Training Academy Training Corse Cataloge 2015 k.boschsecrity.com 2 Bosch Secrity Training Academy Training Corses 2015 Bosch Secrity Training Academy Training Corses 2015 3 Contents Enqiries

More information

f.airnet DECT over IP System

f.airnet DECT over IP System The modlar IP commnication system for voice and messaging with the greatest mobility: flexible, easy to maintain, expandable. Fnkwerk Secrity Commnications For s, efficient commnication is vital. New:

More information

Social Work Bursary: Academic Year 2014/15 Application notes for students on postgraduate courses

Social Work Bursary: Academic Year 2014/15 Application notes for students on postgraduate courses Social Work Brsary: Academic Year 2014/15 Application notes for stdents on postgradate corses These notes are for stdents who do not have a partner or any dependants. Please make sre yo complete the correct

More information

Executive Coaching to Activate the Renegade Leader Within. Renegades Do What Others Won t To Get the Results that Others Don t

Executive Coaching to Activate the Renegade Leader Within. Renegades Do What Others Won t To Get the Results that Others Don t Exective Coaching to Activate the Renegade Leader Within Renegades Do What Others Won t To Get the Reslts that Others Don t Introdction Renegade Leaders are a niqe breed of leaders. The Renegade Leader

More information

B5512 Control Panel. Intrusion Alarm Systems B5512 Control Panel. www.boschsecurity.com

B5512 Control Panel. Intrusion Alarm Systems B5512 Control Panel. www.boschsecurity.com Intrsion Alarm Systems B5512 Control Panel B5512 Control Panel www.boschsecrity.com Spports p to 48 points sing a combination of hardwired or wireless points for installation flexibility and p to 4 areas

More information

Form M-1 Report for Multiple Employer Welfare Arrangements (MEWAs) and Certain Entities Claiming Exception (ECEs)

Form M-1 Report for Multiple Employer Welfare Arrangements (MEWAs) and Certain Entities Claiming Exception (ECEs) U.S. Department of Labor Employee Benefits Secrity Administration Room N5511 200 Constittion Avene, NW Washington, DC 20210 P-450 Form M-1 Report for Mltiple Employer Welfare Arrangements (MEWAs) and Certain

More information

Firewall Feature Overview

Firewall Feature Overview PALO ALTO NETWORKS: Firewall Featre Overview Firewall Featre Overview Palo Alto Networks family of next generation firewalls delivers nprecedented visibility and control of applications, sers and content

More information

Every manufacturer is confronted with the problem

Every manufacturer is confronted with the problem HOW MANY PARTS TO MAKE AT ONCE FORD W. HARRIS Prodction Engineer Reprinted from Factory, The Magazine of Management, Volme 10, Nmber 2, Febrary 1913, pp. 135-136, 152 Interest on capital tied p in wages,

More information

CONTACT US. The Financial ABCs for Raising a Family

CONTACT US. The Financial ABCs for Raising a Family The Financial ABCs for Raising a Family CONTACT US For more information abot any of the in this brochre, call 1-800-748-4302, visit or at www.mac.com or stop by the branch nearest yo. Federally insred

More information

Analog Telephones. User Guide. BusinessPhone Communication Platform

Analog Telephones. User Guide. BusinessPhone Communication Platform Analog Telephones BsinessPhone Commnication Platform User Gide Cover Page Graphic Place the graphic directly on the page, do not care abot ptting it in the text flow. Select Graphics > Properties and make

More information

Building Trust How Banks are Attracting and Retaining Business Clients With Institutional Money Fund Portals

Building Trust How Banks are Attracting and Retaining Business Clients With Institutional Money Fund Portals Bilding Trst How Banks are Attracting and Retaining Bsiness Clients With Instittional Money Fnd Portals By George Hagerman, Fonder and CEO, CacheMatrix Holdings, LLC C ompetitive pressres are driving innovation

More information

At your service. Your guide to Alinta and the Gas Customer Service Charter

At your service. Your guide to Alinta and the Gas Customer Service Charter At yor service Yor gide to Alinta and the Gas Cstomer Service Charter Contents Welcome to Alinta 4 Yor accont 8 Cstomer Service Charter 18 Yor gas service 29 Using gas safely 34 Using gas wisely 39 Alinta

More information

Herzfeld s Outlook: Seasonal Factors Provide Opportunities in Closed-End Funds

Herzfeld s Outlook: Seasonal Factors Provide Opportunities in Closed-End Funds VIRTUS HERZFELD FUND Herzfeld s Otlook: Seasonal Factors Provide Opportnities in Closed-End Fnds When it comes to investing in closed-end fnds, a comprehensive nderstanding of the inefficiencies of the

More information

Using GPU to Compute Options and Derivatives

Using GPU to Compute Options and Derivatives Introdction Algorithmic Trading has created an increasing demand for high performance compting soltions within financial organizations. The actors of portfolio management and ris assessment have the obligation

More information