Smart Card Deployment – David Gautrey, IT Manager, Microsoft New Zealand, Microsoft Corporation


Page 1: Smart Card Deployment

Page 2: Smart Card Deployment

David Gautrey
IT Manager – Microsoft New Zealand
Microsoft Corporation

Page 3: The RAS Security Threat

Malicious Users
Unpatched vulnerabilities and weak configurations expose valid network credentials
Home users’ machines are a frequent hacker target
Remote network access secured only by passwords
Unauthorized activity with valid credentials difficult to detect/prevent

Malicious Software
Unmanaged and infected remote devices put corporate resources at risk
Viruses, Trojan horse applications, worms
Always-on, broadband Internet access heightens exposure

Page 4: Microsoft IT Data

89,000 end users
89 countries
95,000 e-mail server accounts
3M+ e-mail messages per day internally
99.99% availability
300,000+ PCs and devices
Single Instance SAP (1.5Tb Db)
7,000,000 remote connections/month

Locations shown on the map: Redmond, Tukwila, Silicon Valley, Charlotte, Dublin, Tokyo, Singapore, Johannesburg

Page 5: Secure Authentication Alternatives

Alternatives compared: Smart Cards, Biometrics, HW Tokens
Comparison criteria: Cost, Features, Mobility, Reliability, Support
(The ratings on the original slide were graphical and are not captured in the transcript.)

Page 6: Secure RAS Solution Components

Smart Card: RFID badge; 32k chip; Windows for Smart Cards
Hardware: PC or laptop; smart card reader (PCMCIA, USB, serial)
Client Software: Cryptographic Service Provider (CSP); Windows; Resource Manager; reader drivers; Connection Manager
Server Software: Windows Active Directory; Windows Certificate Server; card management tools; RAS services

Page 7: Deployment

Card creation process
Pilots
Initial card distribution process
Delegated issuance model
User install and setup
Training and support issues
Ongoing maintenance and operations

Page 8: Challenges

Mobile devices, Macintosh, and UNIX platforms not compatible with smart card EAP/TLS authentication
Smart card solution component selection: performance varies based on combination of cards, OS, and readers
Smart card distribution process was resource intensive
Card system extensibility
Managing policy and client groups was complex
Client software version control

Page 9: Lessons Learned

Planning: PKI; maintaining security; exception management
Deployment: pilots; physical distribution; scripted installation; communicate to users

Page 10: Secure RAS Administration

Roles: Card Mgmt, Delegates, Users
Card Mgmt: card issuance; certificate approvals; distribution; support; policy and exception mgmt
Delegates: submit certificate requests on behalf of users; distribution; PIN resets; certificate renewal

Page 11: Future Plans

Smart card industry still maturing: improved interoperability with various business systems; likely industry consolidation in the next 12-24 months; improved product standards, including plug-and-play compatibility and greater integration with Windows platform
Securing accounts with elevated privileges
Portable digital signatures
Expanding applications support: signing stock grants, securing financial/HR data, signing source code, etc.
Increased use of remote data access technologies – OWA, OMA, etc.
PASSWORDS

Page 12: Summary

More focus on security needs worldwide
Increasing security threats to corporate network assets
Smart Card technology provides two-factor authentication
Leveraged existing infrastructure
Extensible solution for internal development
Microsoft has mitigated remote access security risk through the deployment of smart cards and Connection Manager
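The summary's point that a smart card gives two-factor authentication where a password alone does not (the password-only remote access of slide 3) can be illustrated with a challenge-response flow. The following is an added example and not code from the presentation or from Microsoft IT: a constructed "toy card" (textbook RSA over two Mersenne primes with no padding, so it is neither a real CSP nor a real EAP/TLS implementation) that signs a server nonce only after its PIN is presented, and a RAS-side verifier that accepts each challenge exactly once. The names ToySmartCard, RasServer and demo, the user "alice" and the PIN "1234" are all constructed for this example.

```python
"""Added example (not from the presentation): certificate-style smart card
logon as challenge-response. The key pair is a constructed TOY (textbook RSA,
no padding, no certificate chain); only the protocol shape is the point."""

import hashlib
import secrets

# --- constructed toy key pair: NOT secure parameters, illustration only ---
_P = 2**127 - 1          # Mersenne prime M127
_Q = 2**89 - 1           # Mersenne prime M89
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)


class ToySmartCard:
    """Something you have: holds the private key, which never leaves the card.
    Something you know: the PIN must be verified before the card will sign."""

    def __init__(self, pin: str):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False
        self.public_key = (N, E)           # what the user's certificate would carry

    def verify_pin(self, pin: str) -> bool:
        candidate = hashlib.sha256(pin.encode()).digest()
        self._unlocked = secrets.compare_digest(candidate, self._pin_hash)
        return self._unlocked

    def sign(self, challenge: bytes) -> int:
        if not self._unlocked:
            raise PermissionError("card locked: PIN required")
        digest = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N
        return pow(digest, _D, N)


class RasServer:
    """Issues one-time random challenges and verifies the card's signature
    against the public key enrolled for the user."""

    def __init__(self, enrolled: dict):
        self._enrolled = enrolled      # user -> (n, e)
        self._outstanding = {}         # user -> challenge not yet consumed

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding[user] = nonce
        return nonce

    def verify(self, user: str, challenge: bytes, signature: int) -> bool:
        # Unknown user, unknown/stale challenge, or a replayed response: reject.
        if user not in self._enrolled or self._outstanding.get(user) != challenge:
            return False
        n, e = self._enrolled[user]
        expected = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
        ok = pow(signature, e, n) == expected
        if ok:
            del self._outstanding[user]   # each challenge is good for one logon
        return ok


def demo() -> dict:
    """Runs the flow and returns the outcome of each step as a dict."""
    card = ToySmartCard(pin="1234")                 # constructed PIN
    server = RasServer({"alice": card.public_key})  # constructed enrolment
    results = {}
    # Possession without knowledge: a locked card refuses to sign.
    try:
        card.sign(b"anything")
        results["locked_card_signs"] = True
    except PermissionError:
        results["locked_card_signs"] = False
    results["wrong_pin"] = card.verify_pin("0000")
    results["right_pin"] = card.verify_pin("1234")
    # Normal logon: fresh challenge, fresh signature.
    c1 = server.challenge("alice")
    s1 = card.sign(c1)
    results["first_logon"] = server.verify("alice", c1, s1)
    # Replaying the captured pair fails: the challenge was consumed.
    results["replay"] = server.verify("alice", c1, s1)
    # An old signature does not satisfy a new challenge either.
    c2 = server.challenge("alice")
    results["old_signature_new_challenge"] = server.verify("alice", c2, s1)
    # Only the card (unlocked by its PIN) can answer the current challenge.
    c3 = server.challenge("alice")
    results["fresh_logon"] = server.verify("alice", c3, card.sign(c3))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Compared with password-only remote access, a challenge/response pair observed on the wire is worthless to a third party: the server has already consumed that nonce, and answering the next one needs the card and its PIN again. A production deployment leaves the signing to the CSP and the verification to the Certificate Server's chain and revocation checks, both of which this toy deliberately omits.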

Page 13: For More Information

Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
E-mail IT Showcase: [email protected]

Page 14:

© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.