Planning a Smart Card Deployment




CHAPTER 17
Planning a Smart Card Deployment

Smart card support in Microsoft Windows Server 2003 enables you to enhance the security of many critical functions, including client authentication, interactive logon, and document signing, in your organization. If you are using or planning to use public key certificates, deploy smart cards to increase security for your network and critical applications.

In This Chapter
Overview of Smart Card Deployment ... 840
Creating a Plan for Smart Card Use ... 842
Selecting Smart Card Hardware ... 848
Creating a Smart Card Deployment Plan ... 857
Planning for Ongoing Smart Card Support ... 865
Additional Resources ... 870

Related Information
For more information about creating a public key infrastructure, see "Designing a Public Key Infrastructure" in this book.
For more information about Windows Server 2003 Certificate Services and public key infrastructure features, see the Distributed Services Guide of the Microsoft Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit).

Overview of Smart Card Deployment

Most organizations use passwords to manage access to computer networks and resources. However, some users set weak passwords, write passwords down in insecure locations, or forget their passwords and require help desk assistance for password reset. For this reason, passwords alone might not provide the level of security and manageability that your organization requires.

Smart card support in the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems provides users with stronger credentials than even the most complex passwords. If you use, manage, and deploy smart cards properly, you can enhance the security of your organization and reduce your support costs. Smart cards offer the following benefits:

Protection. Smart cards provide tamper-resistant storage for private keys and other data. If a smart card is lost or stolen, it is difficult for anyone except the intended user to use the credentials that it stores.

Isolation. Cryptographic operations are performed on the smart card itself rather than on the client or on a network server. This isolates security-sensitive data and processes from other parts of the system.

Portability. Credentials and other private information stored on smart cards can easily be transported between computers at work, home, or other remote locations.

The number and variety of smart card enabled applications is growing to meet the needs of organizations that want to rely on smart cards to enable secure authentication and to facilitate services. Before you can deploy smart cards in your organization, you must have a public key infrastructure (PKI) in place. Next, you need to identify applications to enable for use with smart cards, and plan how to implement and support a smart card infrastructure before you can take advantage of the security benefits of smart cards.

Note: For a list of the job aids that are available to assist you in deploying smart cards, see "Additional Resources" later in this chapter.

Process for Planning a Smart Card Deployment

Planning a smart card deployment involves making decisions about technical standards, hardware purchases, smart card management, and the logistics of smart card distribution. Figure 17.1 shows the process for planning a smart card deployment.

Figure 17.1 Planning a Smart Card Deployment (flowchart steps: Create a plan for smart card use; Select smart card hardware; Create a smart card deployment plan; Plan for ongoing smart card support)

Smart Card Fundamentals

Windows Server 2003 supports a variety of secure smart card applications and business scenarios. Before you begin to plan your smart card deployment, it is important to understand the basic components of smart card technology.

Components of a Smart Card Infrastructure

A number of hardware and software components are required in order to support a smart card infrastructure.

Certificates  Digital data that securely binds a public key to the entity that holds the corresponding private key.

Certification authorities  Trusted entities or services that issue digital certificates.

Active Directory  The Windows Server 2003 directory service that serves as a repository for account information, primarily user credentials, security group memberships, and certificate templates. In addition, you can also use the Active Directory directory service to store certificates, certificate revocation lists, and delta certificate revocation lists, and to publish root certification authorities (CAs) and cross-certificates.

Smart cards  Hardware tokens containing integrated processors and memory chips that can be used to store certificates and private keys and to perform public key cryptography operations, such as authentication, digital signing, and key exchange.

Smart card readers  Devices that connect a smart card to a computer. Smart card readers can also be used to write certificates to the smart card.

Smart card software  The software provided by the smart card vendor to manage smart cards. In some cases, organizations might choose to create their own software tools if customized functionality is required.

Creating a Plan for Smart Card Use

Before deploying smart cards in your organization, you must determine which processes, users, and groups of users require smart cards. Figure 17.2 shows the process for creating a plan for smart card use in your organization.

Figure 17.2 Creating a Plan for Smart Card Use (flowchart: within "Create a plan for smart card use": Identify processes that require smart cards; Define smart card service level requirements. Following steps: Select smart card hardware; Create a smart card deployment plan; Plan for ongoing smart card support)

Identifying the Processes That Require Smart Cards

A smart card deployment can help your organization meet numerous sensitive business requirements. You can use smart cards for any or all of the following processes:
- Interactive user logons, including remote access connections to the network
- Administrator logons
- Third-party authentication across the Internet
- Signing and encrypting e-mail

Evaluate the additional equipment and administrative costs, procedures, and changes to user work patterns that each smart card enabled process requires. Ensure that the benefits of deploying smart cards for each process outweigh the costs from hardware, administration, and potential user difficulties.

For a worksheet to assist you in documenting the processes in your organization that require smart cards, see "User and Group Smart Card Requirements" (DSSSMC_1.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see "User and Group Smart Card Requirements" on the Web at http://www.microsoft.com/reskit).

Interactive User Logons

Use smart cards for interactive user logons if you want to enforce the use of secure encrypted logon credentials. If you require users to log on by using smart cards, you do not have to worry about the quality and security of user passwords. Requiring smart cards for interactive user logons requires additional network administration for smart card distribution and support. This is problematic for organizations that are spread across different geographic locations and that do not have network or physical security personnel in each location to administer and support smart cards.

You can also use smart cards for remote access logons, and for Terminal Services and shared client logons.

Remote Access Logons

Local interactive logons require that users have both physical access to a computer that is a logical member of the organization and a network password. Remote users, however, can log on from any computer outside of the organization. If a malicious user obtains the password of a remote user, he or she can use it to access network resources from any computer. For this reason, conventional password-based remote access logons are more vulnerable to attack than local interactive logons.

You can secure the remote access process by requiring users to use smart cards when they connect to the corporate network by means of remote access logon. This solution prevents hackers from using the remote access dial-up or Internet connections to compromise the network, even if they have physical access to laptops or home computers.

One problem with requiring the use of smart cards for remote access logons is the fact that remote users often own computer hardware and software that does not conform to minimum corporate standards and, therefore, might not support smart card use. This complicates the process of administering and supporting smart cards for remote access logons. Also, users might experience longer logon times when they use smart cards, especially over slow dial-up connections.

Terminal Services and Shared Clients

If your organization is deploying Terminal Services, consider using smart cards for kiosk computers that are shared by multiple users. This can improve security in environments in which multiple users share a single computer terminal, relocate frequently, and do not use the conventional logoff procedure every time they move away from the terminal. This is often the case in hospitals, factories, or other businesses.

Note: Smart card logons require Microsoft Windows XP or Windows Server 2003 Terminal Services clients, even on computers running Microsoft Windows 2000.

Providing smart card support for kiosks or Terminal Services clients that are in critical locations in your organization and are shared by several users is less costly than providing smart card support for interactive user logons, because you do not need to purchase and deploy a large number of smart card readers.

For more information about deploying Windows Server 2003 Terminal Services, see "Hosting Applications with Terminal Server" in Planning Server Deployments in this kit.

Administrator Logons

There is greater potential for harm to the network when administrator credentials, as opposed to user credentials, are misused. As a result, preventing unauthorized users from using administrative credentials to access the network is an important security priority for most organizations. Another vulnerability is introduced when you allow people to perform network administration tasks by using generic administrator accounts that are shared by multiple users; this limits the ability of the organization to track which user performs a specific action. Allowing administrators to log on by using administrative credentials when they are not performing administrative tasks also creates a significant security risk, because attackers who compromise an administrator account can do a greater amount of damage to the system.

By requiring individuals to use smart cards to perform administrative tasks, you can significantly reduce the possibility that unauthorized users can gain administrative access to your network. You can use smart cards for administrator logons in the following two ways:
- By using smart cards for individual administrative operations.
- By using smart cards for an administrative shell.

In most cases, the best solution is to use a combination of these two strategies. For example, you can require that all administrators use smart cards to access data center servers. If the administrator is using a Windows 2000 or Windows XP client, he or she can use a smart card and administrative credentials to open a Terminal Services client session in order to log on to the data center servers.

Important: It is not possible to utilize multiple credentials stored on a single smart card. Therefore, administrators who have more than one domain account require a smart card for each account.

Using Smart Cards for Individual Administrative Operations

When you use smart cards for individual administrative operations, administrators log on by using their standard user credentials, and then use administrative credentials when they need to perform specific administrative operations. For example, you might require an administrator to log on by using a smart card in order to install Active Directory on a member server. Administrative credentials apply only to the specific operation, which helps to protect the security of the system. An administrator can also use smart cards to perform individual administrative operations on target computers running versions of the Windows operating system earlier than Windows XP or Windows Server 2003, as long as they use a smart card to log on to a computer running Windows XP or Windows Server 2003.

Not all administrative tools work with smart cards. Therefore, before you implement this solution, test it to ensure that you can perform the required administrative tasks and use the necessary administrative tools. If some of your required tools and tasks are incompatible with using smart cards, you must communicate to your administrators which tasks require smart cards and which must be completed by using administrative credentials.

Using Smart Cards for an Administrative Shell

When you use smart cards for an administrative shell, administrators log on by using user credentials. Then, when the administrator needs to perform administrative operations, he or she logs on by using a smart card and administrative credentials to open a Terminal Services client session. The administrator then performs the required administrative operations within the administrative shell.

This approach simplifies the process of performing multiple sequential administrative operations during a single session. However, the server that has Terminal Server enabled must be running Windows Server 2003. Although the Windows XP Terminal Services client can run on Windows 2000, the server-side support is only provided by Windows Server 2003.

Authenticating Third Parties

Use smart cards for third-party authentication if you want to verify that queries, orders, or other communications originate from the appropriate individual or organization and that they conform to preestablished standards, such as purchase order limits. For example, banks that allow users to check their transaction histories or pay bills online, and distributors that accept purchase orders over the Internet, can benefit from using smart cards for third-party authentication.

Deploying smart cards to third parties, however, requires careful administration. For example, you must ensure that attackers cannot obtain smart cards and guess the PIN to gain unauthorized access to the system. Also, if the customer services that are based on smart card authentication are an important part of your business, you need to ensure that the services are always available. If you do not administer your third-party smart card authentication process effectively, it can have a negative impact on your Internet business transactions.

Signing and Encrypting E-mail

You can use smart cards to enable digital signing and the encryption of electronic communications such as e-mails or contracts. If you choose to deploy smart cards for digital signing, you need to determine the types of e-mail messages that require smart card validated digital signatures. Use smart cards for the digital signing of e-mail messages where it is important to verify the identity of the sender and that the message has not been tampered with while in transit. Digitally signing routine e-mails creates unnecessary network traffic and can slow down ordinary communication between users.

Note that when you use smart cards for the digital signing of sensitive documents, such as legal contracts or purchase orders, you must configure the certificate policies and extensions that control smart card certificate use. Depending on the types of documents that you want users to sign digitally, you also need to make additional decisions about smart card enabled digital signatures, such as whether assistants are allowed to sign documents on behalf of their superiors, whether send and read receipts are required, and how the receipts are to be stored. For more information about certificates and certificate use, see "Designing a Public Key Infrastructure" in this book.

Note: You must ensure that users know how to verify digital signatures. Unlike a hand-written signature, a digital signature is not embedded in a message or document, and might be overlooked.

Defining Smart Card Service Level Requirements

Before you deploy smart cards, establish service level agreements to help your IT organization align smart card performance with the objectives of the organization in areas such as reliability, response times, and support procedures. For example, you need to define smart card service level standards for:

- The types of identification required to obtain a smart card. You might choose to require a specific type of personal identification, such as a driver's license or other photo ID, in order for a user to obtain a smart card.
- Unique service guarantees for special classes of employees, such as executives or roaming employees. Define whether certain classes of employees are permitted to operate under support agreements that differ from those of other users.
- Acceptable time needed for users to log on. It is best to ensure that the steps and time needed for smart card logon are comparable to the steps and time needed for conventional password logons.
- Acceptable logon times for remote access users. Remote access logon times are more vulnerable to slowdowns than local network connections, especially if users have slow dial-up access connections. You might need to upgrade your remote access configuration in order to ensure acceptable logon times for remote users.
- Remote access exceptions. The computer configurations of some users might not be compatible with smart cards, and remote users might lose or forget their smart cards. Identify the circumstances, if any, in which remote users are allowed to use remote access without using a smart card.
- Number of unsuccessful PIN entries allowed. Do not allow an unlimited number of attempts to enter a PIN. Allowing three or four attempts is generally adequate.
- PIN reset requirements. Decide whether users are allowed to reset their own PINs, or whether they need to provide personal identification to security or help desk personnel to have their PINs reset. If you decide that users need to provide positive identification, decide whether the user must present the identification in person, such as a photo ID, or demonstrate knowledge of a predefined secret, such as a mother's maiden name.
- Service guarantees to users who cannot use their smart cards because of loss, damage, or blocking. This includes:
  - Establishing when and how users can regain access to the network.
  - Determining whether to restrict these users' access to the network to certain areas, or to allow them access to any areas of the network that were previously accessible to them.
  Defining these limits helps you to establish user expectations and support procedures.

Document your service level standards. You will need to apply these standards in your smart card operations plan, test them in your lab and pilot deployments, communicate them to help desk personnel and to your users, and include them in your support and maintenance plan.

For a worksheet to assist you in documenting your service level agreement, see "Smart Card Service Level Agreement" (DSSSMC_2.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Smart Card Service Level Agreement" on the Web at http://www.microsoft.com/reskit).

Important: Incorporate your smart card service level agreements in the Certificate Practice and Policy Statements for your public key infrastructure. For more information about creating Certificate Practice and Policy Statements, see "Designing a Public Key Infrastructure" in this book.

Selecting Smart Card Hardware

Single smart cards and smart card readers are relatively inexpensive. However, when you deploy smart cards and smart card readers to hundreds or even thousands of users, equipment cost becomes an important consideration. You must evaluate smart card hardware in order to select the devices that best meet the needs of your organization at the best price. Figure 17.3 shows the process for selecting smart card hardware.

Figure 17.3 Selecting Smart Card Hardware (flowchart: within "Select smart card hardware": Create a smart card specification; Evaluate smart cards and readers. Other steps: Create a plan for smart card use; Create a smart card deployment plan; Plan for ongoing smart card support)

Creating a Smart Card Specification

A wide variety of smart cards and smart card readers are available to choose from. Windows Server 2003 is designed to work with any cryptographic smart card that has an associated CryptoAPI cryptographic service provider. The physical characteristics of smart cards and readers are governed by published standards. Cards from any manufacturer that adheres to the ISO 7816 standard will likely be compatible with the reader you select. Be sure, however, to test smart cards and smart card readers to verify compatibility before deploying them in your production environment. For more information about testing smart cards and smart card readers, see "Evaluating Smart Cards and Readers" later in this chapter.

Note: For more information about ISO 7816, see the Smart Card Alliance link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Because smart cards both store and process data, it is important to create a specification for your smart cards. Creating a smart card specification involves making decisions about the following:
- Smart card hardware type
- Amount of memory required
- Intended useful smart card lifetime
- Intended smart card roles
- Smart card reader hardware
- Smart card management software

Table 17.1 lists some of the critical specifications that you need to define when you create your smart card specification.

Table 17.1 Smart Card Hardware Specifications

Specification: Memory
Description: How much data you need to store on the smart card.

Specification: Life expectancy
Description: The useful lifetime of the smart card.

Specification: Reuse
Description: Whether or not the smart card can be configured for use by a second user, if the original user leaves the organization.

Table 17.1 Smart Card Hardware Specifications (continued)

Specification: Type of card
Description: The type of card that is most appropriate for your organization. You might choose one or more of the following: credit card or token style; single purpose or dual purpose.

Specification: Card dimensions
Description: The size, length, and thickness of the card, depending on the type of card that you specify.

Specification: Number of cards
Description: How many cards you need. If you have more users than computers, you need fewer readers than smart cards. If you use your smart cards on multiple systems, you need more readers than smart cards. If you specify more than one type of card, indicate the number of each type.

Specification: Type of smart card reader
Description: The type of reader that is most appropriate for your organization. Options include: USB; PCMCIA; Serial.

Specification: Number of smart card readers
Description: How many readers you need. If you have more users than computers, you need fewer readers than smart cards. If you use your smart cards on multiple systems, you need more readers than smart cards. If administrators use one smart card for user logons and a second smart card for logging on with their administrative credentials, this will also impact the number of smart card readers that you require.

Specification: Performance requirements
Description: The type of performance that you can expect. This includes: minimum acceptable logon times for direct network logons; minimum acceptable logon times for remote access logons; ability to handle alternate credentials; ability to restrict logons by using alternate credentials.

Specification: Smart card management tools
Description: The types and quality of the tools provided by the hardware vendor to manage smart cards.

For a worksheet to assist you in preparing a product specification, see "Smart Card Hardware Specification" (DSSSMC_3.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Smart Card Hardware Specification" on the Web at http://www.microsoft.com/reskit).

In the beginning of your deployment, you can meet user needs by using a single type of smart card with a single configuration option. However, as you expand your smart card infrastructure, you might need to deploy a variety of smart card types and configuration options.

Smart Card Type

Two types of smart cards are available for use with Windows Server 2003 and Windows XP: conventional credit card shaped contact cards and smaller token-style cards that plug directly into the USB port of a computer.

Note: Another type of smart card, called a contactless smart card, is not supported by Windows XP or Windows Server 2003.

Credit card shaped contact cards  Credit card shaped smart cards are available in three-volt and five-volt versions. They are the most common smart card solution, in part because they resemble the corporate card keys or badges that many organizations use.

Note: You can specify that your smart cards be screen-printed with your corporate logo and a picture of the user. If you plan to add graphics to smart cards, ask your vendor about the methods available for bulk printing and customizing cards.

If your organization uses card keys or badges, you can apply smart card chips to the existing card key or badge as a sticker or skin. However, your card keys or badges need to fit into your smart card readers with a minimal amount of friction; therefore, be sure to include the physical thickness of the smart card in your specifications. This is an important factor to consider when you select a vendor to manufacture the stickers, as the material thickness for smart card chips can vary.

Token-style smart cards  Token-style smart cards are typically the size of a house key or automobile key. They plug directly into a USB port, providing a more compact solution than separate cards and readers. Token-style smart cards are ideal for laptop users who want to carry a minimum number of peripherals, or for workers who use a number of different computers. However, you cannot use token-style smart cards if your computers do not have USB connections, or if the USB connections are full or difficult to access.

Memory

Your smart card requires enough memory to store the certificate of the user, the smart card operating system, and additional applications. Smart cards run embedded operating systems and, in many cases, a form of file system in which data can be stored. To enable Windows smart card logon, you must be able to program the card to store a user's key pair, retrieve and store an associated public key certificate, and perform public and private key operations on behalf of the user.

To calculate the amount of memory that you need, determine the space requirements for:
- User certificates. A certificate typically requires about 1.5 kilobytes (KB). A smart card logon certificate with a 1,024-bit key typically requires 2.5 KB of space.
- The smart card operating system. The Windows for Smart Cards operating system requires about 15 KB.
- Applications required by the smart card vendor. A small application requires between 2 KB and 5 KB.
- Your custom applications.
- Future applications.

Figure 17.4 shows the space requirements of a typical 32 KB smart card. The smart card operating system requires about 15 KB, leaving 17 KB for the file system, which includes space for the card management software, the certificate, and any other custom applications.

Figure 17.4 Memory Use on a 32 KB Smart Card
  Windows for Smart Cards operating system: 15 KB
  Smart card vendor applications: 8 KB
  Smart card logon certificate: 2.5 KB
  Your custom application (if any): 1.5 KB
  Free space: 5 KB

It is possible to configure smart card file systems into public and private spaces. For example, you can define segregated areas for protected information, such as certificates, e-purses, and entire operating systems, and mark this data as Read Only to ensure the security of the smart card and restrict the amount of data that can be modified. In addition, some vendors provide cards with sub-states, such as Add Only, which is useful for organizations that want to restrict the ability of a user to revise an existing credential, and Update Only, which is useful for organizations that want to restrict the ability of a user to add new credentials to a card.

The data capacity available on smart cards is increasing as smart card technology improves. However, storage space on smart cards is expensive. Card vendors often restrict the amount of storage available to individual applications so that multiple applications or services can be stored on the card. Therefore, in your vendor specification, define all of your anticipated present and future card usage requirements and the memory requirements for each certificate and application that you require. If you plan to use your smart cards for multiple purposes, such as physical access to facilities and user logon, or to store additional data, you must increase your memory requirements. Also, when planning storage space on the chip, allocate space for applications that you are planning for future implementation.

Note: Windows Server 2003 and Windows XP do not support the use of multiple certificates on a smart card.

Life Expectancy

You must define the length of time for which you will use a smart card before you replace or upgrade it. Contact your vendor for information about smart card life expectancy based on normal wear and tear. In addition, you must take into account your current and future space requirements, including the anticipated need for additional applications and certificates with larger keys. Anticipate adding new applications, and potentially issuing new smart cards, over an 18-24 month card lifecycle. In the future, vendors are likely to introduce smart cards with more memory and other enhancements for a lower cost.

Also, determine whether you want your smart cards to be reusable in the event that users leave the organization. Reusing smart cards reduces the costs associated with issuing new ones. However, the cost associated with removing existing data and writing new data and applications is often equal to or greater than the cost of preparing and issuing new smart cards. If you do reuse cards, revoke the previous holder's certificate and reinitialize the card so that the old private key is destroyed before the card is issued again.
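The memory and life-expectancy planning above can be turned into a repeatable check. The following is an added example, not code from the Windows Server 2003 Deployment Kit: it encodes the Figure 17.4 component sizes for a 32 KB card, then revises the plan for a larger-key logon certificate and a physical access application to see whether the same card still has room. The 4 KB size assumed for a 2048-bit certificate and the 3 KB physical access application are planning assumptions, not vendor figures; the single-certificate rule reflects the chapter's note about Windows XP and Windows Server 2003.

```python
"""Smart card memory budget check.

Added example; not from the Windows Server 2003 Deployment Kit. Baseline
component sizes are the figures the chapter gives for a 32 KB card. The
sizes used for the 2048-bit logon certificate and the physical access
application are planning assumptions, not vendor data.
"""
from typing import Dict, Iterable, List, Optional

KB = 1024

# Baseline card from Figure 17.4, in bytes.
BASELINE: Dict[str, int] = {
    "Windows for Smart Cards operating system": 15 * KB,
    "vendor applications": 8 * KB,
    "smart card logon certificate (1024-bit key)": int(2.5 * KB),
    "custom application": int(1.5 * KB),
}


def used_bytes(plan: Dict[str, int]) -> int:
    """Total bytes consumed by every component in the plan."""
    return sum(plan.values())


def free_bytes(capacity: int, plan: Dict[str, int]) -> int:
    """Bytes left on a card of the given capacity after all components."""
    return capacity - used_bytes(plan)


def check_plan(capacity: int, plan: Dict[str, int], reserve: int = 0) -> List[str]:
    """Return the planning problems found; an empty list means the plan fits.

    reserve is space kept free for applications you expect to add later,
    which the chapter recommends allocating up front.
    """
    problems: List[str] = []
    certs = [name for name in plan if "certificate" in name]
    if len(certs) > 1:
        # Windows XP / Windows Server 2003 do not support more than one
        # certificate on a card, so any plan that assumes it is flagged.
        problems.append(f"{len(certs)} certificates planned; only one is supported")
    free = free_bytes(capacity, plan)
    if free < 0:
        problems.append(f"over capacity by {-free} bytes")
    elif free < reserve:
        problems.append(f"{free} bytes free, below the {reserve}-byte reserve")
    return problems


def revise(plan: Dict[str, int], remove: Iterable[str] = (),
           add: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Copy of plan with the named components removed and new ones added."""
    new = {k: v for k, v in plan.items() if k not in set(remove)}
    new.update(add or {})
    return new


# Future plan: larger key for the logon certificate plus a building-access
# application. Both sizes are assumptions for illustration.
FUTURE: Dict[str, int] = revise(
    BASELINE,
    remove=["smart card logon certificate (1024-bit key)"],
    add={
        "smart card logon certificate (2048-bit key)": 4 * KB,
        "physical access application": 3 * KB,
    },
)

if __name__ == "__main__":
    for label, plan in (("baseline", BASELINE), ("future", FUTURE)):
        for cap in (32 * KB, 64 * KB):
            print(f"{label} on {cap // KB} KB card: free={free_bytes(cap, plan)} "
                  f"problems={check_plan(cap, plan, reserve=2 * KB)}")
```

Run as a script it prints, for each plan, whether a 32 KB or 64 KB card leaves the 2 KB reserve intact; the future plan fits on the 32 KB card only with 512 bytes to spare, which is the kind of result that should push the memory figure in the hardware specification upward.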

Smart Card Roles

You can use smart cards in one of three roles. Determine how many smart cards you need to issue for each of the following roles:
- Enrollment card. Issue enrollment cards to individuals who enroll smart cards on behalf of other users. Enrollment cards carry a special Enrollment Agent certificate. Issue the smallest possible number of enrollment cards that will enable you to enroll all required smart card users; this limits the exposure of your system.
- User cards. These are the standard cards that you issue to each user. Two types of user cards are available:
  - Permanent. Permanent user cards are cards that employees carry with them. They contain the cardholder's credentials, certificates, data, and applications. They might also have a photograph or a decal applied to the card. In a Windows Server 2003 environment, the permanent card points to a permanent certificate server.
  - Temporary. Temporary cards are limited-use cards that are issued to guests, temporary employees, and users who have forgotten their permanent cards. They point to a temporary certificate server and can have a limited lifetime.

For a worksheet to assist you in documenting the roles for the smart cards that you issue, see Smart Card Hardware Specification (DSSSMC_3.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Smart Card Hardware Specification on the Web at http://www.microsoft.com/reskit).

Important: To ensure system security, issue master and enrollment cards to the smallest possible number of trusted employees. For more information about issuing enrollment agent cards, see Establishing Enrollment Agents later in this chapter.

Smart Card Readers

A variety of types of smart card readers are available. The majority of smart card readers connect to the computer through an RS-232 serial port, a Type II Personal Computer Memory Card International Association (PCMCIA) slot, or a universal serial bus (USB) port. Although USB-compatible smart card readers are the simplest type of reader to connect, the USB ports on some computers might be occupied. For this reason, it is best to order a mix of card reader connector types based on the types of connections that are available on your systems. For a list of Windows-compatible smart card readers, see the Windows Catalog link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Smart Card Management Tools

You can perform most smart card related tasks by using Windows Server 2003 Certificate Services and the software tools provided by the smart card vendor. However, it is important to assess the smart card tools that are available to determine whether they are sufficient to meet your needs. You might need to create additional tools for some smart card tasks. For example, you might require tools to assist you in moving from a limited pilot phase to a full production deployment. Also, developers in your organization might need to create a direct interface between the smart card certificate and your building access systems.

You might also choose to write a script that automatically enters critical data into a database when a smart card is created. This includes data such as smart card serial numbers, the names or e-mail names of the users who are assigned smart cards, the types of certificates that are issued to the users, when the certificates are issued, and when they expire. For more information about creating scripts for Windows Server 2003, see the Windows Deployment and Resource Kits Web site at http://www.microsoft.com/reskit, or see the TechNet Script Center link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Evaluating Smart Cards and Readers

You need to evaluate your prospective smart cards and readers throughout your smart card deployment process. Initially, obtain and evaluate a variety of smart cards and smart card readers to determine which vendors provide the best balance of specifications, performance, and price. As you deploy your smart card infrastructure, continue to evaluate your hardware to make sure that it performs as expected. The smart cards and smart card readers that you deploy and the smart card production processes that you develop are likely to be used many times every day. Therefore, you must ensure that your hardware is reliable.

The service level agreements that you created when you defined your smart card requirements provide objective standards for measuring and documenting satisfactory performance. To minimize user dissatisfaction and maximize manageability, be sure to test the following:
- Installation and removal of the smart card software. Make sure the smart cards work after you install the software. If the installation is faulty, use the Windows Event Viewer to access error messages that might explain the cause of the failure.
- Fit of smart cards in readers. Smart card dimensions, such as thickness, are governed by international standards. However, some organizations have found that, if the card-to-reader interface is too tight or abrasive, the cards deteriorate more rapidly.

- Reader reliability. To test reliability, create an environment that includes systems with slower CPUs and less memory than the typical computers in your organization. Test how well your smart card readers operate in this environment, as well as in other configurations. You can, for example, run a number of memory-intensive applications or use the smart cards and readers over slow connections to evaluate how each combination of smart cards and readers functions in these conditions. Your smart card service level agreements provide objective criteria for acceptable and unacceptable performance.
- Card production. Slow card production processes can impede your deployment. If your organization is unable to produce cards efficiently, use a third-party vendor to produce smart cards.
- Ability to deploy multiple types of cards and readers. If you are unable to efficiently deploy the types of cards, readers, and servers that you require, your service might be inconsistent and inefficient.

For a worksheet to assist you in documenting the results of your smart card reader evaluation, see Smart Card Reader Evaluation (DSSSMC_4.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Smart Card Reader Evaluation on the Web at http://www.microsoft.com/reskit). Figure 17.5 shows an example of a completed Smart Card Reader Evaluation worksheet.

Figure 17.5 Example of a Smart Card Reader Evaluation Worksheet

Creating a Smart Card Deployment Plan

Deploying a smart card infrastructure is a time-consuming process because it involves deploying physical components (smart cards and smart card readers) and issuing digital certificates individually to every user who requires a smart card. Careful planning can significantly reduce the amount of time this process takes and enable you to enhance the security of your organization. Figure 17.6 shows the steps involved in creating a smart card deployment plan.

Figure 17.6 Creating a Smart Card Deployment Plan
  Create a plan for smart card use
  Select smart card hardware
  Create a smart card deployment plan
    - Establish certification authorities
    - Plan smart card certificate templates
    - Establish issuance processes
    - Plan for ongoing smart card support
  Prepare a smart card deployment schedule

Establishing Certification Authorities

It is important to ensure that your public key infrastructure can support the issuance and verification of smart card certificates for the users and applications that you have identified. To ensure that your PKI can support a smart card infrastructure, you must do the following:
- Configure your certification authorities (CAs) as enterprise CAs. Windows Server 2003 smart card certificates require enterprise CAs.
- Make sure that your issuing CAs are installed on servers that have enough storage and processing power to support the smart card users in your organization.

Important: CAs that issue smart card certificates need to be trusted in the CA hierarchy and must be online while users are being enrolled.

For more information about planning your CA infrastructure, see Designing a Public Key Infrastructure in this book.

Planning Smart Card Certificate Templates

You can use any of the following Windows Server 2003 certificate templates to enable smart card use in the Windows Server 2003 PKI:
- Enrollment Agent. Allows an authorized user to serve as a certificate request agent on behalf of other users.
- Smartcard User. Enables a user to log on and sign e-mail.
- Smartcard Logon. Enables a user to log on by using a smart card.

You can also create your own certificate templates to serve multiple purposes. For example, the Smartcard Logon template is designed for smart card logon only. If you intend to use your smart card infrastructure to support multiple applications, you can choose multipurpose templates instead. Multipurpose templates generate certificates that you can use for multiple applications, such as smart card logon and e-mail signing.

Note: Windows 2000 only supports version 1 templates, which cannot be customized or extended. Use Windows Server 2003, Enterprise Edition, which supports version 2 templates, if you need to create new certificate templates, copy an existing template, or replace templates that are already in use.

As part of your planning for smart card certificate templates, you need to establish values for public key sizes, certificate lifetimes, and certificate renewal policies. These values are interrelated. For example, if you select a larger key size, you can implement a longer certificate lifetime. Or, you can use a smaller public key if a certificate has a relatively short lifetime. Note, however, that the amount of memory that is available on the smart cards that you select also limits the size of the public keys that you can use.

Important: Many organizations pre-enroll users for smart card certificates several weeks before they distribute smart cards to users. The certificate lifetime is determined by the date that you issue the certificate, not the date that you distribute the card to the user. Therefore, factor any distribution delays into your certificate lifetime and renewal strategy.

A Windows Server 2003 CA allows you to select a certificate public key length from 384 bits for minimal security to 16,384 bits for maximum security. For typical logon applications, a 1,024-bit key is adequate. (This recommendation reflects the Windows Server 2003 era; 1,024-bit RSA keys are no longer considered adequate, and current guidance calls for at least 2,048 bits, so make sure your cards have room for the larger certificate.) You can establish certificate lifetimes that are as long or as short as you need, and you can configure certificates to be nonrenewable, renewable a finite number of times, or renewable indefinitely.

To define public key sizes, certificate lifetimes, and renewal policies, take into account:
- The physical capacity of your smart cards. Most of the smart cards that are available today have adequate space for all but the largest certificates.
- How you define acceptable logon times. Public key based authentication often takes longer than authentication without certificates.
- The nature of the business relationship. Smart card certificates issued to permanent employees usually warrant a longer lifetime and renewal cycle than certificates issued to short-term workers or to nonemployees.
- The level of security that you want to enforce. Highly sensitive operations warrant larger public keys and, typically, shorter certificate lifetimes.

Note: The smart card and smart card reader that you choose might also affect logon performance. Test different combinations until the terms specified in your service level agreements are satisfied.

For more information about planning public key and certificate renewal values, see Designing a Public Key Infrastructure in this book. For more information about how to configure certificate templates, see Certificate Templates in Help and Support Center for Windows Server 2003.
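The inventory script suggested under Smart Card Management Tools and the pre-enrollment caveat above (certificate lifetime runs from issuance, not from hand-out) can be served by one tool. The following is an added example, not code from the Windows Server 2003 Deployment Kit: it loads an export of issued smart card certificates into a SQLite table and reports any card that, on the planned hand-out date, would have too little validity left or a key below policy. The CSV is constructed to resemble a certutil -view csv export of the CA database; the column names, the en-US date format, the 180-day and 1,024-bit thresholds, and the CONTOSO user names are all assumptions to adjust for your CA and policy.

```python
"""Smart card certificate inventory and hand-out lifetime check.

Added example, not code from the Windows Server 2003 Deployment Kit.
Loads an export of issued smart card certificates into SQLite and flags
certificates that should not be handed out as-is. The sample export is
constructed (not real CA data) to resemble 'certutil -view ... csv'
output; column names, date format and thresholds are assumptions.
"""
import csv
import io
import sqlite3
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample export. Dates use the format an en-US server emits;
# change DATE_FMT for other locales.
SAMPLE_EXPORT = """\
"Request ID","Requester Name","Serial Number","Certificate Template","Public Key Length","Certificate Effective Date","Certificate Expiration Date"
"1021","CONTOSO\\alice","61a2b9c4000000000001","SmartcardLogon","1024","1/12/2004 9:05 AM","1/12/2005 9:05 AM"
"1022","CONTOSO\\bob","61a2b9c4000000000002","SmartcardLogon","1024","1/12/2004 9:20 AM","7/12/2004 9:20 AM"
"1023","CONTOSO\\carol","61a2b9c4000000000003","SmartcardUser","512","1/13/2004 2:40 PM","1/13/2005 2:40 PM"
"""
DATE_FMT = "%m/%d/%Y %I:%M %p"
MIN_KEY_BITS = 1024                   # assumed policy minimum
MIN_REMAINING = timedelta(days=180)   # assumed minimum validity at hand-out


def load_inventory(export_text: str) -> sqlite3.Connection:
    """Parse the CSV export and load it into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE smartcard_certs ("
        " request_id INTEGER PRIMARY KEY, requester TEXT NOT NULL,"
        " serial TEXT UNIQUE NOT NULL, template TEXT NOT NULL,"
        " key_bits INTEGER NOT NULL, not_before TEXT NOT NULL, not_after TEXT NOT NULL)"
    )
    rows = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        not_before = datetime.strptime(rec["Certificate Effective Date"], DATE_FMT)
        not_after = datetime.strptime(rec["Certificate Expiration Date"], DATE_FMT)
        rows.append((int(rec["Request ID"]), rec["Requester Name"],
                     rec["Serial Number"].lower(), rec["Certificate Template"],
                     int(rec["Public Key Length"]),
                     not_before.isoformat(), not_after.isoformat()))
    conn.executemany("INSERT INTO smartcard_certs VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def find_problems(conn: sqlite3.Connection, handout: datetime,
                  min_remaining: timedelta = MIN_REMAINING,
                  min_key_bits: int = MIN_KEY_BITS) -> List[Tuple[str, str, str]]:
    """Return (serial, requester, reason) for every certificate that fails a check.

    Remaining validity is measured from the hand-out date, not the issue
    date, which is the point the chapter makes about pre-enrollment.
    """
    problems = []
    for serial, requester, key_bits, not_after in conn.execute(
            "SELECT serial, requester, key_bits, not_after FROM smartcard_certs ORDER BY request_id"):
        remaining = datetime.fromisoformat(not_after) - handout
        if remaining < min_remaining:
            problems.append((serial, requester, f"only {remaining.days} days of validity left at hand-out"))
        if key_bits < min_key_bits:
            problems.append((serial, requester, f"{key_bits}-bit key below the {min_key_bits}-bit minimum"))
    return problems


def problems_at(handout_iso: str, export_text: str = SAMPLE_EXPORT) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: hand-out date as an ISO 8601 string."""
    return find_problems(load_inventory(export_text), datetime.fromisoformat(handout_iso))


if __name__ == "__main__":
    for serial, who, why in problems_at("2004-02-16T09:00"):
        print(f"{serial} {who}: {why}")
```

With a hand-out date of 16 February 2004 the sample flags bob's card (issued with a six-month lifetime, leaving under 150 days once distribution delay is counted) and carol's 512-bit key; alice's card passes. In a real deployment the same table is what the help desk queries when a card is reported lost, so keep the serial number as the lookup key.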

Establishing Issuance Processes

You must establish a plan for the issuance of the smart cards and for the writing of smart card certificates to the cards. This involves making decisions about the following:
- Smart card distribution requirements
- Certificate enrollment options
- Physical distribution of smart cards
- A user preparation plan

Defining Smart Card Distribution Requirements

Define the procedures for preparing and distributing smart cards and smart card certificates and for replacing lost, stolen, or damaged smart cards, as well as contingencies such as when employees change jobs, names, or occupational status.

If you have an existing employee badge process, one solution for smart card distribution is to combine smart card preparation and distribution with badge preparation and distribution. Obtaining a badge typically requires a visit to a security office where employees must prove their identity and then have their pictures taken. With smart cards, employees can have company-issued certificates attached to the badges that they use for building entry. In this case, the security office requests and installs the certificates on employees' badges, which also serve as their smart cards.

Requiring a person to appear in person with physical credentials such as a driver's license is the most secure way to distribute smart cards, but this is not always possible. If your organization includes remote offices or traveling users, you need to establish a distribution strategy that accommodates the users' circumstances while minimizing the security risk. For example, you can have a receptionist or administrative assistant give the user a blank smart card and then have the user download the smart card certificate by using self-enrollment. The administrative assistant has physical access to the cards, but not to the PINs or the certificates necessary to activate the card.

You can also use registered mail or another delivery service that requires a signature upon receipt to distribute smart cards to individuals who do not have access to a security office; if you do, send the initial PIN separately from the card. Otherwise, you can choose a designated individual to physically distribute smart cards. This is the least secure method of smart card distribution. You must also plan for the physical distribution of replacement cards, especially for mobile or remote office users. For more information about replacement card planning, see Planning for Ongoing Smart Card Support later in this chapter.

Selecting Certificate Enrollment Options

By default, only domain administrators can modify smart card certificate templates. Domain administrators can modify the access permissions on the certificate template to enable either of the following enrollment options:
- Enrollment agents, which allows one or more agents to initialize smart cards on behalf of users.
- Self-enrollment, which allows end users to initialize their own smart cards.

You need to select between the enrollment agent and self-enrollment options based on the security requirements of your organization and your plan for smart card management and distribution. Using an enrollment agent provides the greatest level of security, but requires the highest level of IT support and is the most expensive. Self-enrollment provides the greatest amount of flexibility and accommodates remote users, but is not as secure.

Establishing Enrollment Agents

If you decide to control smart card issuance from a central location, you need to authorize one or more individuals within the organization to be enrollment agents. The enrollment agent needs to be issued an Enrollment Agent certificate, which makes it possible for the agent to enroll for certificates on behalf of users.

The advantages of using an enrollment agent include:
- A highly trusted individual processes all certificate and smart card requests.
- Domain administrators can delegate a potentially time-consuming task.
- It simplifies the smart card setup process for users.

The disadvantages include:
- It is difficult to ensure that enrollment agents are trustworthy. One way to enhance this trust is to require approval from several enrollment agents.
- Users in remote locations might not be able to obtain new or replacement smart cards when and where they need them.

Enrollment agents are typically members of the security, IT security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case you might need to designate a branch manager or other trusted employee to act as an enrollment agent.

The number of enrollment agents you need depends on:
- The number and proximity of locations in your organization, especially if enrollment agents will be authenticating users in person.
- The number of smart cards that need to be prepared by the enrollment agent.
- The number of other duties that enrollment agents need to perform.

Select the individuals to whom you issue Enrollment Agent certificates carefully. These individuals can enroll for smart card certificates on behalf of any domain user, including an administrator. If these individuals are not trustworthy, they can compromise the security of your organization. To ensure the security of your organization, allow only a limited number of your most trusted employees to serve as enrollment agents.

If you decide to use enrollment agents, prevent unauthorized users from becoming enrollment agents by placing strict controls on the CA used to issue Enrollment Agent certificates. Establish a subordinate CA that is used only to issue Enrollment Agent certificates. After you issue the initial Enrollment Agent certificates, you can either disable certificate issuance or take the CA offline until you require additional enrollment certificates. Review the list of issued Enrollment Agent certificates periodically, and revoke any that belong to people who have changed roles or left the organization.

Note: For information about delegating enrollment agent authority to individuals who are not domain administrators, see Prepare a smart card certificate enrollment station in Help and Support Center for Windows Server 2003.

Pre-Enrolling User Smart Cards

If you decide to pre-enroll users for smart card certificates, make sure that the enrollment agent has the blank smart cards as well as the following information:
- The CA selected to issue the smart card certificates to the user, if there are multiple CAs in the organization. If there is only one CA in the organization with smart card certificate templates enabled, that CA is automatically selected.
- The cryptographic service provider that matches the brand of smart card that is to be issued to the user.
- The name of the user to be enrolled. This user must have Enroll permissions for the smart card certificate template. A domain administrator can set this either for the individual or for a group of users, such as Authenticated Users or Purchasing.
- The default PIN for the smart card, which is set by the card manufacturer.

Note: You can create a script to force the user to change the PIN upon first use of the smart card. A card left on the manufacturer's default PIN can be used by anyone who obtains it, so treat the PIN change as part of issuance rather than as optional. Also, ensure that your enrollment agents review the certificates to verify that the information is correct before they distribute them to users.

Using Self-Enrollment

Although using enrollment agents requires more administrative time than allowing users to enroll themselves, the security benefits usually outweigh the overhead costs. However, using enrollment agents might not always be possible or necessary. For example, if it is unlikely that smart cards will be misused, or if the consequences of misuse are minimal, then you might use self-enrollment. In situations in which physical distribution is not possible, self-enrollment is the best alternative.

If you decide to use certificate self-enrollment, users can request a certificate from a Windows Server 2003 CA either manually or automatically. This request can be held pending administrator approval, if you decide that manual approval is required, or until the verification process is completed. Whichever option you choose, the certificate self-enrollment process installs the certificate automatically, or automatically renews the certificate on behalf of the user as soon as the certificate request is approved, based on the specifications in the certificate template.

Educating Users

User education is an important component of a smart card management plan. Ensure that users understand the purpose of the smart card deployment. Educate them about proper smart card handling and protection so that they can help the organization to meet its security goals. Emphasize that a smart card is a valuable resource that needs to be protected. For example, be sure that users understand:
- The hardware and software that they need in order to use smart cards.
- How to install and use their smart cards and readers.
- How they can obtain their smart cards and smart card readers.
- What they need to do in order to configure their systems to use their smart cards.
- What to do if a smart card is lost or stolen.
- Who to call or contact for help and support.

Note: Setup instructions are particularly important for traveling users, or for users who use remote access connections on their home computers.

In addition, provide the following guidelines to users:
- Protect the external smart card chip. If the chip becomes damaged (scratched, dented, and so forth), the reader might not be able to read the data on the chip.
- Do not bend the card. This can break critical internal components. It is risky, for example, to put a smart card in a back pocket, because the individual might sit on it and break its internal components.
- Do not expose the smart card to temperature extremes. Leaving a smart card on the dashboard of a car on a hot day can melt or warp the card and harm the chip. Cold temperatures can make the smart card brittle and easier to break.
- Keep the smart card away from magnetic sources. This includes credit cards and scanners at retail stores.
- Do not write the PIN on the card or share it with anyone; the card is only as strong as the secrecy of its PIN.

It is useful to have a printed version of this user training information available for distribution along with the smart card itself. If your organization also maintains an intranet, publish this information as an easy-to-locate Web page so that users can refer back to your instructions at a later date.