Welcome back to our look at increasing the strength of the authentication systems on your Windows Server 2003 network. In Parts One and Two, we looked at the default authentication mechanism – passwords – and at some of the policies you can put in place to provide more protection for your network. In this article we'll look at what your options are if you want to take the security of your network one step further.
The Problem with Passwords
As we have already established in this series of articles, passwords can provide a sufficient level of security for most networks, particularly if they are backed up by strict policies that govern their use. The problem, though, is that no matter how strong a password is configured, and no matter how well the policies control those passwords, a password is still simply a piece of knowledge. There is nothing to stop a user from giving their password to another user, nor is there an easy way for a user to determine that another person has managed to discover their password. These two things alone make passwords ineffective in ensuring the highest levels of security.
There is also one other thing that makes passwords susceptible to misuse. When you use a password-based authentication system, the user must provide only two pieces of evidence in order to access the network: a username and a password. Given that usernames generally follow a structured naming standard, you can consider them essentially public knowledge. A user called Phil Jones with the user ID JonesP will not need a master's degree to figure out that the user ID for Tracy Jenkins is most likely JenkinsT. So, in reality, a username and password authentication system represents what is termed single-factor authentication. In other words, only one piece of private information is required to access the network.
In order to make the authentication process more robust, we need to look at systems that require users to provide more than one piece of authentication information. Such systems are referred to as multi-factor authentication.
The most common form of multi-factor authentication system implemented on Windows Server 2003-based networks is smartcards. There are two main reasons for their growing popularity. First is that smartcards have become an increasingly affordable solution over recent years, and second is that support for smartcard authentication is tightly integrated into Windows Server 2003 and Active Directory.
Smartcards represent an excellent form of multi-factor authentication because they require that the user provide something they have (the smartcard) along with something they know (the PIN). Although the smartcard can be lost, without the PIN it is useless. And although another person could discover the PIN, without the smartcard it is useless. Additionally, you can't 'guess' a smartcard, and even though, technically, you could produce a counterfeit smartcard, the process of doing so is beyond the reach of even the most skilled hacker.
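The two-factor argument above can be made concrete with a small simulation. The following is an added example, not code from the article or from Microsoft's smartcard logon implementation: it models a card that keeps a secret it never reveals and only uses that secret to answer a challenge from the domain controller after the correct PIN has been presented. A real smartcard signs the challenge with a private key held in the chip; to keep this example free of third-party libraries, an HMAC over a per-card secret stands in for that signature (an assumption of the example, noted in the code). The user ID JonesP comes from the article; the PIN, the retry limit of three and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed simulation (not the article's or Microsoft's code).
# The HMAC over a per-card secret is a stand-in for the private-key
# signature a real smartcard chip computes; the shape of the exchange
# (fresh challenge from the server, PIN gates the card's key) is the point.


class PinLockedError(Exception):
    """Raised when the card has blocked itself after too many wrong PINs."""


class SimulatedSmartcard:
    """'Something you have': the secret lives only inside the card object."""

    MAX_PIN_TRIES = 3  # constructed retry limit; real cards configure this at issue time

    def __init__(self, pin: str, card_secret: bytes):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._secret = card_secret          # never returned by any method
        self._tries_left = self.MAX_PIN_TRIES
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        """'Something you know': a wrong PIN burns a retry; zero retries blocks the card."""
        if self._tries_left == 0:
            raise PinLockedError("card blocked: PIN retry counter exhausted")
        candidate = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(candidate, self._pin_hash):
            self._tries_left = self.MAX_PIN_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def sign_challenge(self, challenge: bytes) -> bytes:
        """Answer the server's challenge; refused unless the PIN was just verified."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class DomainController:
    """Verifier side: knows each enrolled card's secret, issues one-time challenges."""

    def __init__(self):
        self._enrolled = {}  # username -> card secret registered at enrolment
        self._pending = {}   # username -> outstanding challenge nonce

    def enrol(self, username: str, card_secret: bytes) -> None:
        self._enrolled[username] = card_secret

    def issue_challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(32)   # fresh per logon, so responses cannot be replayed
        self._pending[username] = nonce
        return nonce

    def verify_response(self, username: str, response: bytes) -> bool:
        nonce = self._pending.pop(username, None)   # a challenge is usable exactly once
        if nonce is None or username not in self._enrolled:
            return False
        expected = hmac.new(self._enrolled[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def logon(dc: DomainController, username: str, card: SimulatedSmartcard, pin: str) -> bool:
    """One logon attempt: the PIN unlocks the card, the card answers the DC's challenge."""
    if not card.verify_pin(pin):
        return False
    challenge = dc.issue_challenge(username)
    return dc.verify_response(username, card.sign_challenge(challenge))


def demo() -> dict:
    """Run the four situations the article discusses and report the outcome of each."""
    results = {}
    dc = DomainController()
    real_secret = secrets.token_bytes(32)
    dc.enrol("JonesP", real_secret)
    real_card = SimulatedSmartcard("4821", real_secret)   # constructed PIN

    # Both factors present: logon succeeds.
    results["card_and_pin"] = logon(dc, "JonesP", real_card, "4821")

    # Knows the PIN but holds a different card: the 'something you have' is missing.
    other_card = SimulatedSmartcard("4821", secrets.token_bytes(32))
    results["pin_without_card"] = logon(dc, "JonesP", other_card, "4821")

    # Holds the card but not the PIN: guesses fail and the retry counter then blocks the card.
    found_card = SimulatedSmartcard("4821", real_secret)
    guesses = [logon(dc, "JonesP", found_card, g) for g in ("0000", "1234", "1111")]
    results["card_without_pin"] = any(guesses)
    try:
        logon(dc, "JonesP", found_card, "4821")
        results["blocked_after_retries"] = False
    except PinLockedError:
        results["blocked_after_retries"] = True

    # A captured response is worthless later: every logon gets a fresh challenge.
    real_card.verify_pin("4821")
    captured = real_card.sign_challenge(dc.issue_challenge("JonesP"))
    dc.verify_response("JonesP", captured)          # legitimate use consumes the challenge
    results["replay_of_old_response"] = dc.verify_response("JonesP", captured)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The detail worth noticing is that the domain controller never sees the PIN and the card never releases its secret: the PIN is consumed locally by the card, and the network only carries a challenge and a response that is valid once. That is what makes a discovered PIN useless without the card, a found card useless without the PIN, and a captured logon exchange useless to replay.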
Contrary to the commonly held belief, smartcards are not a relatively new authentication system. Although modern smartcard systems typically use chips embedded into the card rather than the more traditional magnetic strip method associated with credit cards, smartcard-based authentication systems have been around for at least twenty years. In the past, though, they were more commonly associated with high-security minicomputer or mainframe applications like those used in banking institutions than with general access to PC-based LANs.
Some of today's smartcard solutions don't actually use smartcards at all. Instead, USB-pluggable modules that don't need a separate reader point to a new direction for smartcard technology, one that will see people carrying the physical equivalent of a USB memory stick around and using that to log on to the network.
Today, the cost of smartcards and their readers has fallen to the point where they can be considered by organizations of all sizes. In fact, many larger organizations already use smartcard technology to protect their PC-based server networks.
Smartcards and Windows Server 2003
Implementing a smartcard solution on Windows Server 2003 is relatively straightforward. The first consideration is that you need to buy smartcard readers, and the accompanying cards, or some other 'smartcard type' device. Microsoft publishes a list of the smartcard hardware that is approved for Windows Server 2003 here. A list of the smartcard types supported by Windows Server 2003 can be found here.
Although the prices of readers and cards vary, you can expect to pay somewhere in the region of $20-30 for each reader, and around $10 for a card. Of course if you are buying large quantities of either then you will likely be able to bring the overall price down, but these figures are a good approximation.
Installation of the smartcard hardware and software is generally straightforward. Each computer that will support smartcard logon will need a reader, but readers normally connect to either a serial or USB port, so installing them is simple. You will also need to have at least one 'writing' station where digital certificates and personal identification numbers (PINs) will be downloaded to the card.