Lock Down Vista Security with Smart Cards : Page 2

Smart cards provide strong security authentication, and single sign-on can be implemented in companies using the cards.


The resource manager service has the following service description (the description attribute in the original listing was missing its closing quote, which is fixed here):

<!-- SCardSvr is hosted in a shared svchost.exe process, runs as NT AUTHORITY\LocalService,
     and requests only the three privileges listed in requiredPrivileges. -->
<serviceData name="SCardSvr"
             displayName="@%SystemRoot%\System32\SCardSvr.dll,-1"
             errorControl="normal"
             group="SmartCardGroup"
             imagePath="%SystemRoot%\system32\svchost.exe /k LocalService"
             start="demand"
             tag=""
             type="win32ShareProcess"
             security=""
             description="@%SystemRoot%\System32\SCardSvr.dll,-5"
             requiredPrivileges="SeCreateGlobalPrivilege,SeChangeNotifyPrivilege,SeImpersonatePrivilege"
             dependOnGroup=""
             dependOnService="PlugPlay"
             objectName="NT AUTHORITY\LocalService">
  <failureActions resetPeriod="900">
    <actions>
      <action type="restartService" delay="120000"/>
      <action type="restartService" delay="300000"/>
      <action type="none" delay="0"/>
    </actions>
  </failureActions>
  <registryKeys>
    <registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Parameters">
      <registryValue name="ServiceDll" valueType="REG_EXPAND_SZ" value="%SystemRoot%\System32\SCardSvr.dll" buildFilter=""></registryValue>
      <registryValue name="ServiceMain" valueType="REG_SZ" value="CalaisMain" buildFilter=""></registryValue>
      <registryValue name="ServiceDllUnloadOnStop" valueType="REG_DWORD" value="1" buildFilter=""></registryValue>
    </registryKey>
    <securityDescriptor name="ServiceXKeySecurity"/>
  </registryKeys>
  <securityDescriptor name="ServiceXSecurity" buildFilter=""/>
</serviceData>

2. Certificate propagation service

The service starts when a user who is logged on to the system inserts a smart card into a reader attached to the computer. This causes the certificate(s) on the card to be read. The name of the service is CertPropSvc. The service controller notifies CertPropSvc when a user has logged on; CertPropSvc then monitors the smart cards visible from the user session and reads all certificates from all inserted smart cards.



3. Smart card removal service

This service runs when a user who logged on with a smart card subsequently removes that smart card from the reader.

Debugging Cards and Getting Information

A few tools and services are available in Windows Vista to help developers in debugging.

* The command to list the certificates available on the smart card is:
      certutil -scinfo

* To delete a certificate, use the following command:
      certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "38f813f2-ec3b-4e96-ba19-38b830923be9"
  When you delete a certificate on the card, you are actually deleting the key container that corresponds to that certificate (the GUID argument is the container name).

* To enable tracing for NTLM authentication, run the following at the command line:
      tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1
  To stop tracing for NTLM authentication, run:
      tracelog -stop ntlm

* To enable tracing for Kerberos authentication, run the following at the command line:
      tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1
  To stop tracing for Kerberos authentication, run:
      tracelog.exe -stop kerb

* To enable tracing for the KDC, run the following at the command line:
      tracelog.exe -kd -rt -start kdc -guid #1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\kdc.etl -flags 0x803 -ft 1
  To stop tracing for the KDC, run:
      tracelog.exe -stop kdc
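The three tracelog invocations above differ only in session name, provider GUID and flags, so they are easy to wrap. The following PowerShell functions are an added example, not code from the article; they assume tracelog.exe (shipped with the Windows SDK/WDK) is on the PATH and that the shell runs elevated, and they reuse the GUIDs and flag values exactly as given above.

```powershell
# Added example: wraps the article's tracelog.exe commands for the ntlm, kerb and kdc sessions.
# Assumes tracelog.exe (Windows SDK/WDK) is on PATH and the prompt is elevated.
$AuthTraceProviders = @{
    ntlm = @{ Guid = '5BBB6C18-AA45-49b1-A15F-085F7ED0AA90'; Flags = '0x15003' }
    kerb = @{ Guid = '6B510852-3583-4e2d-AFFE-A67F9F223438'; Flags = '0x43'    }
    kdc  = @{ Guid = '1BBA8B19-7F31-43c0-9643-6E911F79A06B'; Flags = '0x803'   }
}

function Start-AuthTrace {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('ntlm','kerb','kdc')][string]$Session,
        [string]$OutputDirectory = (Get-Location).Path
    )
    $provider = $AuthTraceProviders[$Session]
    $etl = Join-Path $OutputDirectory "$Session.etl"

    # Same switches as the article's commands: -kd -rt -start <session> -guid #<guid> -f <file> -flags <flags> -ft 1
    & tracelog.exe -kd -rt -start $Session -guid "#$($provider.Guid)" -f $etl -flags $provider.Flags -ft 1
    if ($LASTEXITCODE -ne 0) {
        throw "tracelog.exe failed to start session '$Session' (exit code $LASTEXITCODE)"
    }
    return $etl   # path of the .etl file being written
}

function Stop-AuthTrace {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('ntlm','kerb','kdc')][string]$Session
    )
    & tracelog.exe -stop $Session
    if ($LASTEXITCODE -ne 0) {
        throw "tracelog.exe failed to stop session '$Session' (exit code $LASTEXITCODE)"
    }
}

# Usage: capture one smart card logon attempt, then stop the session and render the log.
# $etl = Start-AuthTrace -Session kerb
# ... reproduce the logon problem ...
# Stop-AuthTrace -Session kerb
# tracerpt.exe $etl -o kerb.xml -of XML   # tracerpt ships with Windows and converts the .etl
```

Only one session of a given name can exist at a time, so a failed `-start` usually means a previous session was never stopped; `Stop-AuthTrace` clears it. The .etl files contain authentication details, so treat them with the same care as the event log they supplement.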

To check the status of the smart card service:
    1. Go to Windows Task Manager.
    2. From Windows Task Manager dialog box, click the Services tab.
    3. Check for SCardSvr, and see the Status column to see if the service is running or stopped.
    4. If the service is stopped and you want to start it again, run the following from a command prompt (remember to Run as Administrator):
           net start SCardSvr
       To stop the service, run net stop SCardSvr from the command prompt.

Figure 3. A smart card service.

Here's how to check the status of a smart card.
    1. Click on the Start button, right-click Computer, and then click Properties.
    2. Under Tasks, click Device Manager.
    3. In Device Manager, expand Smart card readers, select the smart card reader about which you want information, and then click Properties. If the smart card reader is not listed in Device Manager, in the Action menu, click Scan for hardware changes.
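The two manual checks above (service status in Task Manager, reader status in Device Manager) can be scripted together. The following PowerShell function is an added example, not part of the article; it assumes the service name of the smart card removal service is ScPolicySvc (the article does not name it) and identifies readers by the "Smart card readers" device setup class GUID, which Win32_PnPEntity exposes as ClassGuid.

```powershell
# Added example: reports the smart card services and attached readers in one object.
# Assumptions: ScPolicySvc is the removal policy service (not named in the article);
# -StartIfStopped requires an elevated prompt, like "net start SCardSvr".
function Get-SmartCardStatus {
    param([switch]$StartIfStopped)

    $services = foreach ($name in 'SCardSvr', 'CertPropSvc', 'ScPolicySvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Running' -and $StartIfStopped) {
            Start-Service -Name $name   # same effect as "net start <name>" from an elevated prompt
            $svc.Refresh()
        }
        $status = 'NotInstalled'
        if ($svc) { $status = [string]$svc.Status }
        New-Object PSObject -Property @{ Name = $name; Status = $status }
    }

    # Device Manager's "Smart card readers" node is the device setup class with this fixed GUID.
    $readerClassGuid = '{50DD5230-BA8A-11D1-BF5D-0000F805F530}'
    $readers = Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $readerClassGuid } |
        Select-Object Name, DeviceID, Status   # Status is "OK" for a working reader

    New-Object PSObject -Property @{
        Services = @($services)
        Readers  = @($readers)
    }
}

# Usage:
# $s = Get-SmartCardStatus
# $s.Services | Format-Table -AutoSize
# if ($s.Readers.Count -eq 0) { 'No smart card reader detected; rescan hardware in Device Manager' }
# Get-SmartCardStatus -StartIfStopped   # elevated prompt only
```

An empty Readers list with SCardSvr running points at the hardware or driver (the "Scan for hardware changes" step above), while a stopped SCardSvr with readers present explains why `certutil -scinfo` reports no card; checking both at once separates the two failure modes.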

Conclusion

Smart Card usage by businesses will enhance protection and improve productivity. On the other hand, password authentication, the most widely used logon mechanism, is only as infallible as its users. Most of the time users share their personal passwords with friends and some team members. Even the most reliable user may write a password on a slip of paper where another user might later discover and use the same credential. If a user does not safeguard a password, the network may be subject to concurrent usage of a user account or worse, may be unprotected against malicious break-ins.

A Windows-powered smart card can be used by only one person at a time, which makes concurrent secure account usage by other users impossible. Because the card is required to access the network, users are inclined to carry the card with them wherever they go, preventing malicious break-ins and access. Windows for Smart Cards supports multiple authentication mechanisms, such as PIN, fingerprint, or retina recognition. If the card is lost, no one else can use it to access the network because only the owner knows the PIN or has the right fingerprint or retina.

By using the most secure cryptographic algorithms, like RSA, DES, 3DES and SHA, and by being built on the most reliable chips, Windows-powered smart cards are virtually inviolable.


Tapas Pal is a Microsoft Platform technical professional with Tata Consultancy Services, India. He has seven years of experience and holds Microsoft certifications in .NET 1.1 and .NET 2.0.