Microsoft’s Implementation of Smart Cards for Remote Access Published January 2002.


Agenda
- Solution Overview
- Products & Technology
- Smart Card Features
- Business Benefits
- Architecture
- Deployment
- Challenges
- Future Plans
- Lessons Learned
- Summary

Solution Overview
Situation: Enterprises that allow remote access to network assets are becoming increasingly exposed to attackers and malicious intruders.
Solution: Using the existing Microsoft® Windows® 2000 Server infrastructure, enterprises can employ Smart Cards to substantially strengthen their network security. Because the Smart Card platform is extensible, IT organizations can also reuse the investment in Smart Cards for many other applications that strengthen security and add convenience for employees.
Benefits:
- Strengthens security
- Flexible
- Simple
- Leverages existing server infrastructure

Products & Technologies
- Windows 2000 Server, Windows 2000, the Active Directory™ directory service, Certificate Services
- Smart Cards
“The use of Smart Cards will significantly increase the security of our corporate network by improving our ability to authenticate each employee and business partner as they remotely connect to Microsoft.” Greg Wood, General Manager, Corporate Security, Microsoft Corporation

Remote Access Services (RAS) at Microsoft
- Microsoft’s Information Technology Group (ITG) manages RAS security risks
  - 50,000 employees, contingent staff and vendors using RAS
  - 400 locations worldwide
- Addressing authentication
  - Single factor: a valid username and its associated password
  - Two-factor authentication: something you have (the Smart Card) as well as something you know (the card’s Personal Identification Number, or PIN)
- Home computer vulnerabilities
  - Viruses, Trojan horse applications, computer worms
  - Always-on broadband Internet access heightens exposure
- Smart Cards were chosen over alternative technology solutions for their reliability, cost, features and mobility

Smart Card Features
- Tamper resistant
- Requires a Smart Card reader
- Protected by a PIN
- Takes advantage of technologies in Microsoft’s Windows 2000 Server infrastructure
  - Certificate Services feature
  - Public Key Infrastructure (PKI) security
  - Cryptographic Service Provider (CSP) for the card
  - Extensible Authentication Protocol/Transport Layer Security (EAP-TLS) for the remote access logon
- Current user interface: view Smart Card contents, reset the PIN, and add personal data
- Future user interface: add new certificates for different applications for added functionality

Smart Card Business Benefits
- Smart Cards offer two-factor authentication
  - Lost Smart Cards are easily rendered invalid by revoking the network logon certificate
  - An intruder would also need the PIN to unlock a valid Smart Card
- Extensible, open platform and secured memory contents provide potential future development benefits
  - Personal payment systems, data storage, and data ported between applications
“One thing we’ve seen as a potential benefit at Microsoft is password consolidation and storage. For the most part we’ve got a fairly robust single sign-on approach in our environment but a lot of enterprise customers don’t. They find it attractive to use the Smart Card and the Personal Identification Number (PIN) that unlocks the Smart Card as their one password.” Pete Boden, Group Program Manager, ITG Smart Card Project, Microsoft Corporation

Architecture
- Replacement photo ID building access badges for all employees
  - Each badge includes an embedded 32 KB cryptographic-processor Smart Card chip
- Client computer requirements
  - Windows XP Professional
  - Smart Card reader with the appropriate port connector
  - Antivirus application
- Additional client-side software
  - Several OEM-based Smart Card client features in Windows XP Professional
  - A preconfigured version of Connection Manager standardizes all Smart Card security configuration settings upon installation
- Future development
  - Extending Connection Manager scripts to check the overall security of the RAS client PC
- Server-side changes
  - Logon certificates on the Smart Card and in Active Directory are issued by the Windows 2000 Server Certificate Services feature using PKI technology
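The lost-card control on the Business Benefits slide and the certificate issuance on this slide both rest on one server-side decision: when a card presents its logon certificate over EAP-TLS, the remote access server has to verify that the certificate chains to the enterprise CA, check it against a current CRL, and map it to exactly one Active Directory account with remote access permission. The Python model below is an added illustration, not Microsoft ITG code and not any Windows API; it replaces X.509 parsing and signature verification with plain dataclasses so it runs offline, and the CA name, UPNs, serial numbers and CRL timings are constructed sample data. The two EKU OIDs are the real values Windows uses. The caveat it makes explicit: revoking a lost card's certificate only helps if the server fails closed when the CRL is missing or past its nextUpdate, which is how this example behaves (a design choice here, not a statement about the Windows 2000 default).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Extended key usage OIDs carried by a Windows smart card logon certificate (real values).
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"

# Assumed enterprise CA name; constructed for this example.
TRUSTED_ISSUER = "CN=Contoso Enterprise CA"


@dataclass
class LogonCert:
    """Fields of the card's logon certificate that the policy needs (model, not real X.509)."""
    serial: int
    issuer: str
    upn: str                    # user principal name from the subjectAltName, used for AD mapping
    not_before: datetime
    not_after: datetime
    eku: Set[str]
    chain_ok: bool = True       # stands in for signature verification up to the enterprise CA


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, str]     # serial -> revocation reason


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def authorize_ras_logon(cert: LogonCert, crl: Optional[CRL],
                        accounts: Dict[str, dict], now: datetime) -> Decision:
    """Accept or reject one EAP-TLS logon attempt; every failed rule is reported."""
    reasons: List[str] = []

    # 1. Trust: the certificate must chain to the enterprise CA and be inside its validity period.
    if cert.issuer != TRUSTED_ISSUER or not cert.chain_ok:
        reasons.append("certificate does not chain to the enterprise CA")
    if not (cert.not_before <= now <= cert.not_after):
        reasons.append("certificate is outside its validity period")

    # 2. Purpose: a logon certificate must carry both Client Authentication and Smart Card Logon.
    if not {EKU_CLIENT_AUTH, EKU_SMART_CARD_LOGON} <= cert.eku:
        reasons.append("certificate lacks the Client Authentication / Smart Card Logon EKUs")

    # 3. Revocation: this is what makes a lost card useless, so it fails closed.
    if crl is None or crl.issuer != cert.issuer:
        reasons.append("no CRL available for the issuer; failing closed")
    elif now > crl.next_update:
        reasons.append("CRL is past its nextUpdate; failing closed")
    elif cert.serial in crl.revoked:
        reasons.append(f"certificate serial {cert.serial} is revoked ({crl.revoked[cert.serial]})")

    # 4. Mapping: the UPN must resolve to an enabled account that has remote access permission.
    account = accounts.get(cert.upn)
    if account is None:
        reasons.append(f"UPN {cert.upn} does not map to a directory account")
    else:
        if not account["enabled"]:
            reasons.append("mapped account is disabled")
        if not account["dial_in"]:
            reasons.append("mapped account lacks remote access permission")

    return Decision(allowed=not reasons, reasons=reasons)


def demo() -> Dict[str, Decision]:
    """Constructed scenarios: a replacement card, the lost card it replaced, a stale CRL, a disabled user."""
    now = datetime(2002, 1, 15, 9, 0)
    accounts = {                                   # sample directory data, constructed
        "alice@contoso.com": {"enabled": True, "dial_in": True},
        "bob@contoso.com": {"enabled": False, "dial_in": True},
    }

    def card(serial: int, upn: str) -> LogonCert:
        return LogonCert(serial=serial, issuer=TRUSTED_ISSUER, upn=upn,
                         not_before=now - timedelta(days=30), not_after=now + timedelta(days=335),
                         eku={EKU_CLIENT_AUTH, EKU_SMART_CARD_LOGON})

    # Alice reported card 1002 lost; the CA revoked it and published a fresh CRL.
    fresh_crl = CRL(issuer=TRUSTED_ISSUER, this_update=now - timedelta(hours=6),
                    next_update=now + timedelta(days=7), revoked={1002: "keyCompromise"})
    # A CRL nobody republished: it lists nothing, but it expired three weeks ago.
    stale_crl = CRL(issuer=TRUSTED_ISSUER, this_update=now - timedelta(days=30),
                    next_update=now - timedelta(days=23), revoked={})

    return {
        "replacement card": authorize_ras_logon(card(1001, "alice@contoso.com"), fresh_crl, accounts, now),
        "lost card": authorize_ras_logon(card(1002, "alice@contoso.com"), fresh_crl, accounts, now),
        "stale CRL": authorize_ras_logon(card(1001, "alice@contoso.com"), stale_crl, accounts, now),
        "disabled account": authorize_ras_logon(card(1003, "bob@contoso.com"), fresh_crl, accounts, now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} {'ALLOW' if decision.allowed else 'DENY'}  {'; '.join(decision.reasons)}")
```

Note that the lost card and the replacement card carry the same UPN; only the serial number differs, which is why the slide's deployment process tracks serial numbers so carefully. The stale-CRL scenario is the one worth rehearsing operationally: a CRL that the CA stopped publishing lists no revocations at all, and a server that treats "could not check" as "not revoked" would let the lost card back in.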

Deployment
- Acquired 32 KB crypto-processor Smart Card chips embedded in standard RFID cardkeys
- Centralized card management team formed
  - Issuance, card distribution management, second-tier end-user support
- Smart Card security officers distributed the new Smart Cards
  - Verification of identity
  - Exchanged old building access badges for new Smart Card badges
  - Users required to change the initial PIN before logging onto the network remotely
  - PIN required to be alphanumeric, characters in length
- Used the PKI infrastructure to create logon certificates, delivered through Windows 2000 Server’s Certificate Services
- Delegated regional distribution and administrative responsibilities to minimize cost
  - Regional staff authorized to distribute replacement cards after obtaining Redmond Security team approval
  - Supplied with pre-built Smart Cards whose unique serial numbers were carefully tracked

Challenges
- Mobile users: PDA users cannot gain RAS access (no support for EAP-TLS)
- Device issues: home users on Macintosh, UNIX and Linux computers cannot gain RAS access (no support for EAP-TLS)
- Home computers: home systems not upgraded to the Smart Card solution can use the HTTPS alternative to reach essential data via Outlook Web Access (OWA)
- Integrated Services Digital Network (ISDN): ISDN channel bonding is not supported, forcing a potentially significant reduction in ISDN performance for those users
- Product selection: Smart Card models are evolving quickly, so enterprise-wide standardization on one model may be challenging

Future Plans
- Smart Card industry still maturing
  - Interoperability problems with various business systems
  - Likely consolidation in the next months
  - Expect improved product standards, including plug-and-play compatibility and greater integration with the Windows platform
- Better management of accounts with elevated privileges
  - Install a mapped certificate for such accounts to minimize compromise and improve the audit trail
- Portable digital signatures
- Expanding application support
  - Signing stock grants, securing financial/HR data, signing source code, etc.

Lessons Learned
- Planning
  - Understand Smart Card capabilities
  - Set deployment goals
  - Anticipate where Smart Card benefits can save money and time
  - Anticipate changes in technology over the next months
  - Ensure staff are well trained in PKI
- Deployment considerations
  - Not a solution that covers 100% of the user population
  - Understand the impact on non-standard clients and devices
  - Initial logon performance penalty adds about 30 seconds to the logon process
  - The increased network security benefits far outweigh the logon delay

Summary
- New focus on security for corporations and governments
- Microsoft sought to implement a two-factor authentication security solution
- Smart Card technology offered several advantages over competing two-factor security technologies
  - Not burdensome for users to employ
  - Takes advantage of the existing Windows 2000 Server PKI infrastructure
  - Provides ITG with an extensible platform for future internal application development

For More Information
Additional IT Showcase white papers, case studies and presentations on ITG deployments and best practices can be found on Microsoft’s TechNet.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2002 Microsoft Corporation. All rights reserved. Microsoft, Outlook, Where do you want to go today?, Windows, Windows NT, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.