Smart Card Deployment. David Gautrey, IT Manager – Microsoft New Zealand, Microsoft Corporation.
Smart Card Deployment
David Gautrey
IT Manager – Microsoft New Zealand
Microsoft Corporation

The RAS Security Threat
Unpatched vulnerabilities and weak configurations expose valid network credentials
Home users' machines are a frequent hacker target
Remote network access secured only by passwords
Unauthorized activity with valid credentials is difficult to detect/prevent
Unmanaged and infected remote devices put corporate resources at risk
Viruses, Trojan horse applications, worms
Always-on, broadband Internet access heightens exposure
Malicious users
Malicious software
Microsoft IT Data
89,000 end users
89 countries
95,000 e-mail server accounts
3M+ e-mail messages per day internally
99.99% availability
300,000+ PCs and devices
Single instance SAP (1.5Tb Db)
7,000,000 remote connections/month
Locations shown on the map: Redmond, Tukwila, Silicon Valley, Charlotte, Dublin, Johannesburg, Singapore, Tokyo
Secure Authentication Alternatives
Options compared: Smart Cards, Biometrics, HW Tokens
Comparison criteria: Cost, Features, Mobility, Reliability, Support
Secure RAS Solution Components
Smart card: RFID badge, 32k chip, Windows for Smart Cards
Hardware: PC or laptop, smart card reader (PCMCIA, USB, serial)
Client software: Cryptographic Service Provider (CSP), Windows, Resource Manager, reader drivers, Connection Manager
Server software: Windows Active Directory, Windows Certificate Server, card management tools, RAS services
Smart Card Deployment
Card creation process
Pilots
Initial card distribution process
Delegated issuance model
User install and setup
Training and support issues
Ongoing maintenance and operations
Challenges
Mobile devices, Macintosh, and UNIX platforms not compatible with smart card EAP/TLS authentication
Smart card solution component selection: performance varies based on the combination of cards, OS, and readers
Smart card distribution process was resource intensive
Card system extensibility
Managing policy and client groups was complex
Client software version control
Lessons Learned
Deployment
Planning
PKI
Maintaining security
Exception management
Pilots
Physical distribution
Scripted installation
Communicate to users
Secure RAS Administration
Card issuance: certificate approvals, distribution, support, policy and exception management
Card management delegates: submit certificate requests on behalf of users, distribution, PIN resets, certificate renewal
Users
Future Plans
Smart card industry still maturing
Improved interoperability with various business systems
Likely industry consolidation in the next 12-24 months
Improved product standards, including plug-and-play compatibility and greater integration with the Windows platform
Securing accounts with elevated privileges
Portable digital signatures
Expanding application support: signing stock grants, securing financial/HR data, signing source code, etc.
Increased use of remote data access technologies – OWA, OMA, etc.
PASSWORDS
Summary
More focus on security needs worldwide
Increasing security threats to corporate network assets
Smart card technology provides two-factor authentication
Leveraged existing infrastructure
Extensible solution for internal development
Microsoft has mitigated remote access security risk through the deployment of smart cards and Connection Manager
For More Information
Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
E-mail IT Showcase: [email protected]
© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.