1. Log on to your workstation with a user account that has Enroll permission on the appropriate certificate template in the domain where the user's account is located, and that holds an Enrollment Agent certificate so it can enroll other users. The account used for Exercise 3.04 has these permissions.
2. Open Internet Explorer and browse to http://servername/certsrv/, where servername is the name of the CA on your network.
3. Select Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
4. A Security Warning dialog box will open asking if you'd like to install and run the Microsoft Smart Card Enrollment Control. Click Yes. Note that the ActiveX control runs only if the IE security level for the zone containing the CA's URL is set to Low. Rather than lowering the whole Internet zone, add the CA's URL to the Trusted sites zone and lower the security level for that zone only, so that other web sites are not exposed to the same settings.
5. In the Certificate Template drop-down box, select one of the following:
■ Smart Card Logon Select this option if you want to issue a certificate that will be valid only for authenticating to the Windows domain.
■ Smart Card User Select this option to issue a certificate that will allow the user to use secure e-mail and log on to the Windows Server 2003 domain.
6. In the Certification Authority drop-down box, select the name of the CA for your domain. If there are multiple CAs in your domain, choose the one that you want to request the certificate from.
7. In the Cryptographic Service Provider drop-down box, select the CSP of the smart card's manufacturer. This choice is specific to the smart card hardware you have installed. Consult the manufacturer's documentation if you are uncertain.
8. For Administrator Signing Certificate, select the Enrollment Agent certificate that will sign the certificate enrollment request. The list displays the user account that each Enrollment Agent certificate is issued to, rather than the certificate itself.
9. For User to Enroll, click Select User to browse to the user account that you are associating the smart card certificate with. Insert a smart card into the smart card reader attached to the system, and click Enroll to create a certificate for this user.
10. You'll be prompted to set an initial PIN for the card. Choose a PIN that the user will be required to change on first use, and never reuse one initial PIN across a batch of cards.
11. If another user has previously used the smart card that you're preparing, a message will appear indicating that another certificate already exists on the card. Click Yes to replace the existing certificate with the one you just created. Replacing the certificate on the card does not revoke it; if the old certificate is no longer needed, revoke it on the CA as well.
12. On the final screen, you have the option to either view the certificate you just created or begin a new certificate request.
13. Close your browser and remove the card when you've finished, so that no extraneous certificates can be created if you walk away from the enrollment station without logging off.
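The following script is an added example, not part of the original exercise, for checking the enrollment station after the steps above. Run as the enrollment agent with the newly prepared card inserted, it confirms that the operator holds an Enrollment Agent certificate (the signing certificate chosen in step 8) and that the certificate written to the card carries the Smart Card Logon EKU and names the intended user in its UPN subject alternative name. It assumes PowerShell 2.0, that the card's certificate has been propagated into the current user's personal store, and that Windows formats the SAN as "Other Name:Principal Name=<upn>"; the user name is a placeholder.

```powershell
# Added example (not from the original text): verify an enrollment-station
# session after enrolling a smart card on behalf of another user.
# Assumes PowerShell 2.0 and certificate propagation into CurrentUser\My.

$ExpectedUpn = "jdoe@example.com"   # hypothetical: the account enrolled in step 9

# Microsoft EKU object identifiers.
$OidEnrollmentAgent = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent
$OidSmartCardLogon  = "1.3.6.1.4.1.311.20.2.2"   # Smart Card Logon
$OidSubjectAltName  = "2.5.29.17"

function Get-Eku($cert) {
    # Returns the EKU OID values on the certificate, or nothing if it has none.
    $ext = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Get-Upn($cert) {
    # Pulls "Principal Name=<upn>" out of the formatted SAN extension.
    # Assumption: Windows renders the field as "Other Name:Principal Name=...".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OidSubjectAltName }
    if (-not $san) { return $null }
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { $matches[1] } else { $null }
}

$store = Get-ChildItem Cert:\CurrentUser\My

# 1. The operator must hold an Enrollment Agent certificate, otherwise the
#    Administrator Signing Certificate list in step 8 is empty.
$agent = $store | Where-Object { (Get-Eku $_) -contains $OidEnrollmentAgent }
if (-not $agent) {
    Write-Warning "No Enrollment Agent certificate in CurrentUser\My; this account cannot enroll on behalf of others."
} else {
    $agent | ForEach-Object { "Enrollment Agent cert: $($_.Subject) expires $($_.NotAfter)" }
}

# 2. Find Smart Card Logon certificates and compare their UPN with the user
#    you meant to enroll. A mismatch means the card was issued to the wrong account.
$cardCerts = $store | Where-Object { (Get-Eku $_) -contains $OidSmartCardLogon }
foreach ($c in $cardCerts) {
    $upn   = Get-Upn $c
    $label = if ($upn -eq $ExpectedUpn) { "OK  " } else { "WARN" }
    "{0} UPN={1} serial={2} expires={3}" -f $label, $upn, $c.SerialNumber, $c.NotAfter
}
if (-not $cardCerts) {
    Write-Warning "No Smart Card Logon certificate visible; insert the card or dump it with certutil -scinfo."
}
```

Record the serial number the script prints with the card issuance record; it is the value you will need later when the certificate has to be revoked.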
Once you've preconfigured your users' smart cards, you need to establish guidelines defining how cards are assigned to users who require them. This part of your smart card deployment plan is more procedural than technical, because you need to determine acceptable policies and service-level agreements for your smart cards and smart card readers. For example, what type of identification will you require in order for a user to obtain a smart card? Even if yours is a small organization and you recognize all of your users on sight, you should still record information from a driver's license or another piece of photo identification for auditing purposes.
Another set of issues revolves around your users' PINs. These are the equivalent of a password when using smart cards. How many unsuccessful PIN entries will you allow before the card locks? Although this number will vary according to your individual business requirements, three or four attempts are usually sufficient. Note that the retry counter is enforced by the card itself, not by the domain's account lockout policy, so it is set with the card vendor's management tool when the card is issued, and a locked card normally has to be unblocked with the vendor's unblock procedure rather than by resetting the user's domain password. Next, you need to decide whether you will allow users to reset their own PINs or if they'll need to provide personal information to, and have them reset by, the IT staff. The former option is more convenient for your user base, but that convenience will come at the expense of potential security liabilities. If user PINs need to be reset by the IT staff, decide what type of information users need to present in order to verify their identities. Document all applicable security policies, distribute them to your administration and security personnel, and make sure that your users are aware of these policies before they take possession of their smart cards.
To log on to a computer using a smart card, your users no longer need to enter the Ctrl + Alt + Del key combination. Rather, they simply insert the smart card into the smart card reader, at which point they'll be prompted to enter the PIN associated with the certificate on the card. Once the PIN is accepted, the user has access to all local and network resources to which the user's Active Directory account has been granted permissions. The PIN never leaves the workstation; it only unlocks the private key on the card, and the domain controller authenticates the user by validating the card's certificate.
The techniques covered here only apply to using smart card logons on computers that are attached to a domain. Domain smart card logon is performed over Kerberos, so every domain controller that will process these logons needs its own certificate from an enterprise CA that the client trusts, and the user's certificate must chain to a CA the domain controller trusts. Third-party software is required to use smart cards on a stand-alone Windows Server 2003 computer.
Along with creating policies for issuing and configuring smart cards, you should consider how your organization will handle revoking the smart card of an employee who resigns or is terminated. To be successful, this decision should be viewed as a joint effort between your company's administrative staff, such as payroll and human resources, and the IT department. Just as employees need to return ID badges and keys as part of the exit process, they should also be required to return their smart cards to the company. Whether the employee exits the company in a graceful manner or not, you should revoke the employee's smart card certificate(s) on the issuing CA and publish a new CRL at the same time that you disable or delete the employee's other logon IDs and credentials. Disable the account as well as revoking the certificate: clients and domain controllers keep using a cached CRL until its next scheduled update, so revocation alone may not take effect immediately, whereas a disabled account rejects the card at the next logon attempt. Depending on the manufacturer of the smart card, you might have an option to physically disable the smart card itself based on a serial number or other unique identifier.
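The exit procedure described above, as an added example that is not part of the original text: disable the account first, then revoke the card's certificate(s) on the enterprise CA and publish a fresh CRL. It assumes PowerShell 2.0 with certutil.exe available, that the caller may disable the account and has Issue and Manage Certificates permission on the CA, and that certificate serial numbers were recorded at issuance (or are looked up in the CA database as shown in the comment). The account name, CA configuration string and serial number are placeholders.

```powershell
# Added example (not from the original text): offboard a smart card holder.
# Assumes PowerShell 2.0, certutil.exe on the path, and CA Officer rights.

$SamAccountName = "jdoe"                                  # hypothetical user
$CaConfig       = "ca01.example.com\Example Issuing CA"   # hypothetical "host\CA name"
$SerialNumbers  = @("1a2b3c4d5e6f00000001")               # hypothetical; recorded at issuance
# certutil reason codes: 5 = CessationOfOperation for a normal exit,
# 1 = KeyCompromise if the card was not returned.
$Reason = 5

# Step 1: disable the account. A smart card logon still resolves to this
# account at the domain controller, so a disabled account rejects the card at
# the next logon attempt regardless of whether the new CRL has been fetched.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "Account $SamAccountName not found" }
$user = $result.GetDirectoryEntry()
$ADS_UF_ACCOUNTDISABLE = 0x0002
$uac = [int]$user.Get("userAccountControl")
$user.Put("userAccountControl", ($uac -bor $ADS_UF_ACCOUNTDISABLE))
$user.SetInfo()
"Disabled $($user.distinguishedName)"

# Step 2: revoke every certificate issued to the card. If the serial numbers
# were not recorded, list the user's issued certificates from the CA database:
#   certutil -config $CaConfig -view -restrict "RequesterName=EXAMPLE\jdoe,Disposition=20" -out "SerialNumber,CertificateTemplate"
# (Disposition 20 = issued). Revocation is also what invalidates a card that
# was never returned.
foreach ($serial in $SerialNumbers) {
    & certutil -config $CaConfig -revoke $serial $Reason
    if ($LASTEXITCODE -ne 0) { throw "Revocation of $serial failed (exit $LASTEXITCODE)" }
}

# Step 3: publish a new CRL so relying parties, including the domain
# controllers that validate logon certificates, learn of the revocation before
# the previously published CRL reaches its NextUpdate time.
& certutil -config $CaConfig -CRL
if ($LASTEXITCODE -ne 0) { throw "CRL publication failed (exit $LASTEXITCODE)" }
```

Run the three steps in this order: the account change is immediate, while the CRL only takes effect on each client once its cached copy expires or is refreshed, so the revocation is defense in depth rather than the primary control.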