Two-factor authentication, such as that provided by smart cards, improves on basic passwords by requiring that something a user has and something they know are both presented before access to a system is granted; much like withdrawing cash from an ATM, where you must be in possession of your bank card and know the PIN. The private key that corresponds to the user's certificate is generated and stored on the smart card and cannot be exported from it; the card blocks itself after a set number of incorrect PIN entries, and all cryptographic operations are carried out by the processor on the card itself, which limits the ability of malicious software on the PC to steal the key.
Cost and extra complication for end users are the disadvantages of physical smart cards, but they do provide a worthwhile layer of security. Passwords have long been acknowledged as a weak mechanism, vulnerable to keyloggers and to users writing them on Post-it notes. And while smart cards are no security panacea, they are an important tool in the enterprise security arsenal.
The Windows smart card infrastructure was enhanced in Vista to provide a better user experience and to make it easier for card reader manufacturers to provide drivers. Smart card authentication support in Privilege Guard 3.5 (Edit: now Defendpoint) comes just in time, as Windows 8 adds a new feature, Secure sign-in, that uses virtual smart cards (VSCs) whose keys are held in the device's TPM (Trusted Platform Module) chip, removing the need for a physical card and card reader.
Notebooks and PCs can be stolen, but a VSC is bound to the device and so cannot be misplaced on its own like a physical card; and if a device is lost, the user will probably notice quite quickly, whereas a physical smart card can stay missing for much longer before the problem is reported to the helpdesk. With VSCs in Windows 8, it's likely that TPM chips will gradually find their way into consumer-grade hardware rather than being found only in enterprise-grade PCs.
Virtual smart card authentication in Windows 8
VSCs work with the same application-level APIs as physical smart cards: the TPM is exposed through a virtualized smart card reader that Windows applications see as if it were a physical reader. Users enroll for certificates in the usual way, and the resulting private keys are protected by the TPM chip in the user's PC. No card reader or card is required. The user experience is exactly the same as with a physical card, except that the VSC is always inserted and the user just needs to enter their PIN. Because the private keys are non-exportable, a user who needs more than one device must enroll for a separate VSC (and certificate) on each.
Privilege Guard 3.5 now supports smart card authentication via the standard Windows APIs. Organizations that already have smart cards deployed, or are planning a rollout, can integrate Privilege Guard 3.5 seamlessly into their IT infrastructure and have users respond to custom UAC prompts with their smart cards in the same way they would to a standard prompt, providing an additional layer of protection and making it harder for unknown or malicious software to find its way onto corporate networks using elevated privileges.
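The following is an added example, not code from the original post or from Avecto, showing the VSC lifecycle described above and the properties mentioned in the introduction: checking the TPM, creating a TPM-backed virtual smart card with the built-in tpmvscmgr.exe tool, enrolling a certificate whose private key is generated on the card through the standard smart card CSP, and confirming that the key is reported as hardware-resident and non-exportable. The VSC name "ContosoVSC", the subject "CN=alice", the template name "SmartcardLogon" and the temp-file paths are assumptions; the template must exist on your enterprise CA. Run it in an elevated PowerShell session on a Windows 8 (or later) device with a TPM.

```powershell
# Added example (not from the original post). Assumed names: ContosoVSC, CN=alice,
# the SmartcardLogon template and the file paths under $env:TEMP.

# 1. A VSC can only be created on a TPM that is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready:`n$($tpm | Out-String)"
}

# 2. Create the virtual smart card. /pin prompt lets the user choose the PIN,
#    /adminkey random generates an unblock key you never see (no admin unblock
#    is possible afterwards, which is acceptable for a test card), and /generate
#    formats the card. Key material stays inside the TPM.
& tpmvscmgr.exe create /name "ContosoVSC" /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }

# 3. The VSC appears as an always-inserted card in a virtual reader; certutil lists
#    it exactly as it would a physical reader with a card present.
certutil -scinfo

# 4. Enroll a certificate. The smart card CSP is named explicitly, so the key pair
#    is generated on the VSC, and Exportable = FALSE refuses export of the key.
$infPath = Join-Path $env:TEMP 'vsc.inf'
$reqPath = Join-Path $env:TEMP 'vsc.req'
$cerPath = Join-Path $env:TEMP 'vsc.cer'
@"
[NewRequest]
Subject = "CN=alice"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = SmartcardLogon
"@ | Set-Content -Path $infPath -Encoding ASCII

certreq -new $infPath $reqPath        # prompts for the VSC PIN while generating the key
certreq -submit $reqPath $cerPath     # prompts for a CA if more than one is available
certreq -accept $cerPath              # installs the issued cert against the on-card key

# 5. Verify where the key lives. For a CSP-based smart card key, CspKeyContainerInfo
#    reports HardwareDevice = True and Exportable = False. Reading PrivateKey may
#    prompt for the PIN, which is the same behaviour a physical card would show.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq 'CN=alice' } |
        Select-Object -First 1
if (-not $cert) { throw "Enrolled certificate for CN=alice not found in the user store" }
$info = $cert.PrivateKey.CspKeyContainerInfo
[pscustomobject]@{
    Provider   = $info.ProviderName
    Container  = $info.KeyContainerName
    OnHardware = $info.HardwareDevice
    Exportable = $info.Exportable
}
```

To remove the test card afterwards, list the VSC's device instance with `tpmvscmgr.exe destroy /instance <id>` using the instance ID that `create` printed; the key material is erased with the card, which is the VSC equivalent of shredding a physical card.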
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.