Planning for Smart Card Support

Like any device or technology used to enhance network security, smart cards require you to make plans to educate your users on how to use them and provide administrative tools to support their ongoing use. First, make sure that your users understand the purpose of deploying smart cards.You'll receive a much better response if they comprehend the importance of the added security, rather than if they're simply handed a smart card and told to use it. Emphasize that the smart card is a valuable resource to protect the company and its assets, rather than simply another corporate procedure designed to annoy employees or waste their time. They should know who to call for help and technical support, and what to do if their card is lost or stolen. Maintain a printed version of this information, and distribute it to your users when they receive their smart cards.You can also publish this information on your corporate intranet, if you have one.When orienting your users to the use of smart cards, make sure you cover the following key points:

■ Protect the external smart card chip If the chip itself becomes scratched, dented, or otherwise damaged, the smart card reader might not be able to read the data on the chip. This is similar to the magnetic strip on a credit card or an ATM card.

■ Do not bend the card Bending the card can destroy the card's internal components. This can extend to something as simple as a user putting the smart card in a back pocket, because he or she might sit on the card and break its internal components.

■ Avoid exposing the card to extreme temperatures Leaving a smart card on the dashboard of a car on a hot day can melt or warp the card. Extreme cold can make the card brittle and cause it to break.

■ Keep the smart card away from magnetic sources Avoid magnetic sources such as credit card scanners at retail stores.

Along with user education, there are several settings within Active Directory Group Policy that can simplify the administration of smart cards on your network. Some of these, such as account lockout policies and restricted logon times, will impact users by default if they rely on their smart cards for domain logons. Other policy settings are specific to managing smart cards on your network. Within Group Policy, you can enable the following settings:

■ Smart card required for interactive logon This setting prevents a user account from logging on to the network by presenting a username/password combination. When enabled, the user will only be able to authenticate by using a smart card. This provides strict security for your users; however, you should plan an alternate means of authentication in case your smart card implementation becomes unavailable.

Exam Warning_

This policy only applies to interactive and network logons. Remote access logons are managed by separate policies on the remote access server.

■ On smart card removal Allows you to mandate that when a user removes his or her smart card from the reader, the active session is either logged off or locked. User education is critical if you select the forced logoff option, because users need to make sure that they've saved changes to any of their documents and files before they remove their smart cards.

■ Do not allow smart card device redirection Prevents your users from using smart cards to log on to a Terminal Services session. Set this policy if you're concerned about conserving network resources associated with your Terminal Server environment.

■ Account lockout threshold Although this setting is not specific to smart cards, smart card PINs are more susceptible to password attacks because of their short length, so your lockout threshold settings should be adjusted accordingly.

From an administrative standpoint, there are several other important considerations in creating a support structure for smart card use.You need to identify the people within your organization who will be able to perform security-related tasks such as resetting PINs or distributing temporary cards to replace those that are lost or stolen.You also need to decide how you'll handle personnel issues such as changes in name and employment status. Finally, you'll need to carefully consider your procedures for high-level employees, traveling users, and support personnel.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook

Post a comment