Vista logon with smart card on local pc

  • Thread starter Thread starter Michele
  • Start date Start date
M

Michele

My aim is clear, i want to use the enhanced security of the smart card for
accessing to a local pc instead of using the usual weak username and password.
I know well that to perform this task is easy if you are connected to a
domain.
When you are connected to a domain you can request a certificate for Vista
logon and once obtained you can use the group policy that require smart card
for logging on to pc. And after that even if you are not connected anymore to
the domain you can use the smart card to securely access to pc at logon since
the smart card credentials are cached into the local pc.( I think you can use
the smart card always to logon to pc without the need to reconnect to the
domain, is it right?? )
For further enhancing the security you can disable the option to use
username and password in the safe mode. All that is clear.

I have two questions: First of all, are there any windows server 2003 CA or
windows server 2008 CA you can connect to freely or not (Configuring the VPN
parameters or whatever method to add the computer temporarly to the domain)
and request a certificate to use it as windows logon on local pc, and after
that use always the smart card credentials cached locally on the pc without
reconnecting to the domain that released the certificate and if so where can
i find them?

Second: If it's not possible to connect to domains that give such services,
is it possible someway to "manually" create these cached smart card
credentials ( Connected in some way to the certificate stored in the smart
card) on the local pc so that enabling the group policy that require smart
card to logon to pc make it possible to perform smart card logon?

Assumed that one of the above two things is possible is it safe to always
use the cached smart card credentials to perform logon or are there any
limits in that? ( Clearly i should make a backup of the smart card
certificate to access windows if i loose smart card or if it becomes
corrupted)

Thanks a lot for any help
Best regards
Michele
 
I'm assuming this is NOT a domain-joined PC.

What threats do you envision that local smart card logon will mitigate?

Smart card logon is typically used in a domain environment to mitigate the
threat of stolen or compromised credentials -- without the smart card, an
attacker can't log onto the domain remotely. It appears that you're thinking
you can get the same kind of protection on a standalone computer. But you
really don't need to do this, since the threat doesn't exist here. Smart
cards are useless if an attacker steals your laptop -- he can remove the
hard drive or boot with an alternate operating system.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Michele" <Michele@discussions.microsoft.com> wrote in message
news:BB8126F3-787B-4B12-A7FE-25EA353090ED@microsoft.com...
> My aim is clear, i want to use the enhanced security of the smart card for
> accessing to a local pc instead of using the usual weak username and
> password.
> I know well that to perform this task is easy if you are connected to a
> domain.
> When you are connected to a domain you can request a certificate for Vista
> logon and once obtained you can use the group policy that require smart
> card
> for logging on to pc. And after that even if you are not connected anymore
> to
> the domain you can use the smart card to securely access to pc at logon
> since
> the smart card credentials are cached into the local pc.( I think you can
> use
> the smart card always to logon to pc without the need to reconnect to the
> domain, is it right?? )
> For further enhancing the security you can disable the option to use
> username and password in the safe mode. All that is clear.
>
> I have two questions: First of all, are there any windows server 2003 CA
> or
> windows server 2008 CA you can connect to freely or not (Configuring the
> VPN
> parameters or whatever method to add the computer temporarly to the
> domain)
> and request a certificate to use it as windows logon on local pc, and
> after
> that use always the smart card credentials cached locally on the pc
> without
> reconnecting to the domain that released the certificate and if so where
> can
> i find them?
>
> Second: If it's not possible to connect to domains that give such
> services,
> is it possible someway to "manually" create these cached smart card
> credentials ( Connected in some way to the certificate stored in the smart
> card) on the local pc so that enabling the group policy that require smart
> card to logon to pc make it possible to perform smart card logon?
>
> Assumed that one of the above two things is possible is it safe to always
> use the cached smart card credentials to perform logon or are there any
> limits in that? ( Clearly i should make a backup of the smart card
> certificate to access windows if i loose smart card or if it becomes
> corrupted)
>
> Thanks a lot for any help
> Best regards
> Michele
 
Back
Top