You Can't Jot Down Fingerprints: Windows Beyond Passwords

Part Three: Strong passwords can do a lot, but what if your network needs an extra level of security? Here's how to get started with smartcards and biometrics in the Windows world.

Welcome back to our look at increasing the strength of the authentication systems on your Windows Server 2003 network. In Parts One and Two, we looked at the default authentication mechanism – passwords – and at some of the policies you can put in place to provide more protection for your network. In this article we'll look at what your options are if you want to take the security of your network one step further.

The Problem with Passwords
As we have already established in this series of articles, passwords can provide a sufficient level of security for most networks, particularly if they are backed up by strict policies that govern their use. The problem is, though, that no matter how strong a password is configured, and no matter how well the policies control those passwords, they are still simply a piece of knowledge. There is nothing to stop a user giving their password to another user, nor is there an easy way for a user to determine that another person has managed to discover their password. These two things alone make passwords ineffective in ensuring the highest levels of security.

There is also one other thing that makes passwords susceptible to misuse. When you use a password based authentication system, the user must only provide two pieces of evidence in order to access the network – a username and a password. Given that usernames generally follow a structured naming standard, you can consider them essentially public knowledge. A user called Phil Jones with the user ID JonesP will not need a masters degree to figure out that the user ID for Tracy Jenkins is most likely JenkinsT. So, in reality, a username and password authentication system represent what is termed as single factor authentication. In other words, only one piece of private information is required to access the network.

In order to make the authentication process more robust, we need to look at systems that require users to provide more than one piece of authentication information. Such systems are referred to as multi-factor authentication.

The most common form of multi-factor authentication system implemented on Windows Server 2003-based networks is smartcards. There are two main reasons for their growing popularity. First is that smartcards have become an increasingly affordable solution over recent years, and second is that support for smartcard authentication is tightly integrated into Windows Server 2003 and Active Directory.

Smartcards represent an excellent form of multi-factor authentication because they require that the user provide something they have (the smartcard) along with something they know (the PIN). Although the smartcard can be lost, without the PIN it is useless. And although another person could discover the PIN, without the smartcard it is useless. Additionally, you can't 'guess' a smartcard, and even though, technically, you could produce a counterfeit smartcard, the process of doing so is beyond the realms of even the most skilled hacker.

The commonly held misconception that smartcards are a relatively new authentication system is not true. Although modern smartcard systems typically use chips embedded into the card rather than the more traditional metallic strip method associated with credit cards, smartcard based authentication systems have been around for at least twenty years. In the past, though, they were more commonly associated with high security minicomputer or mainframe applications like those used in banking institutions than with general access to PC based LANs.

Some of today's smartcard solutions don't actually even use smartcards at all. Instead, USB pluggable modules that don't need a separate reader are pointing a new direction for smartcard technology that will see people carrying the physical equivalent of a USB memory stick around and using that to log on to the network.

Today, the cost of smartcards and their readers has fallen to the point where they can be considered by organizations of all sizes. In fact, many larger organizations already use smartcard technology to protect their PC-based server networks.

Smartcards and Windows Server 2003
Implementing a smartcard solution on Windows Server 2003 is relatively straightforward. The first consideration is that you need to buy smartcard readers, and the accompanying cards, or some other 'smartcard type' device. Microsoft publishes a list of the smartcard hardware that is approved for Windows Server 2003 here. A list of the smartcard types supported by Windows Server 2003 can be found here.

Although the prices of readers and cards vary, you can expect to pay somewhere in the region of $20-30 for each reader, and around $10 for a card. Of course if you are buying large quantities of either then you will likely be able to bring the overall price down, but these figures are a good approximation.

Installation of the smartcard hardware and software is generally straightforward - each computer that will support smartcard login will need a reader, but they normally connect to either a serial or USB port so installation is straightforward. You will also need to have at least one 'writing' station where digital certificates and personal identification numbers (PIN) will be downloaded to the card.

Continued on page 2: Digital Certificates

Continued From Page 1

Digital certificates are an important consideration, because they are the mechanism by which smartcards provide their authentication information. In order to produce digital certificates, you'll need to implement a Public Key Infrastructure (PKI) on your network using Windows Certificate Services. Certificate Services is included with Windows 2000 and Windows Server 2003, and is relatively easy to configure unless you want to create complex policies to manage the certificates. You can find detailed information on PKI and Certificate Services here .

Once you have programmed the smartcards and provided them to your users, each time the user logs on they will need to insert the smartcard into the reader and provide the PIN number. No smartcard or no PIN - no access to the network.

If you have a network with users of differing security levels, you can choose to require some users to have smartcards to log on to the system, while others don't. This determination is made in Active Directory on the Properties page of the user object. You can see an example of this screen in Figure 1.

Figure 1.
(Click for a larger image)

Of course configuring the user account in this way means that a smartcard-enabled account will not be able to log on to the network from any system that doesn't have a smartcard reader. You might want to keep this in mind when planning for workstation failures or other such problems.

Overall, smartcards represent the ideal choice for organizations that want to get into multi-factor authentication without spending a fortune. Economies of scale will mean that as more companies install smartcard systems, the price of readers and smartcard media may come down, but don't expect to be making vast savings. A healthy competitive market between the existing smartcard vendors has already put the systems at a reasonable price point. You might save a few bucks by waiting for a couple of years, but the reality is that if you can justify the extra security offered by smartcards now, you can also probably justify spending the money.

Beyond Smartcards
As we have already discussed, smartcards offer a multi-factor authentication system that requires a user to provide something they have, along with something they know. But there is still one more even better way of verifying a users identity – proof of person, referred to as biometrics.

Proof of person authentication systems use some kind of biological facet to verify a users identity. By far the most common method of biometric authentication is fingerprints, but others like iris recognition, facial recognition and speech verification are available.

While modern biometric authentication systems are very reliable, the hardware used for recognition is relatively expensive. Additionally, there is the added administrative overhead of programming the system in the first place with the biometric information from each user.

Although many security conscious organizations have been using biometrics for physical access purposes for many years, it has yet to make a real break through into LAN authentication. However, recent developments would suggest that biometrics is preparing to enter the mainstream. A number of consumer oriented fingerprint readers are already available at a reasonable price point ($40-$50), and even though these devices are pitched at home users rather than network systems, as we become more accepting of biometrics as an authentication system, it's highly likely that we will see LAN authentication deployments. There are a number of biometric authentication devices approved for use with Windows Server 2003 on the Windows Server 2003 Server Catalog, but they are more expensive than their consumer-oriented brethren.

Like any security implementation, if the losses that you might suffer as a result of an intruder accessing your system outweigh the cost of implementing the security, then you may have a case for biometrics. But, given the complexity of implementation and the associated costs, it's likely that large-scale biometric network authentication systems will remain the domain of government and ultra high security private organizations for some time to come.

Editor's Note: This is Drew's last column with Enterprise Networking Planet as he leaves us to pursue another opportunity. Drew's been a valuable part of the ENP bullpen for several years, and we'll miss him. Best of luck, Drew!