Remote Smart Card Authentication and Interactive Smart Card Login using DameWare Development software
The information in this article applies to:
- DameWare NT Utilities - Version(s) 5.5 and above
- DameWare Mini Remote Control - Version(s) 5.5 and above
The use of Smart Cards for user authentication is considered by Microsoft to be the strongest form of authentication in the Windows Server 2003 family, and combines the use of something physical (Smart Card) with confidential information (PIN) to provide what is known as "two-factor authentication." A smart card is a small plastic card, about the size of a "credit card," that typically contains a small embedded computer chip (microchip), instead of the magnetic stripe found in traditional credit cards.
In accordance with U.S. President George Bush's Homeland Security Presidential Directive 12 (HSPD-12), all federal agencies are required to implement Smart Card logon to access government information systems (http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html). Due to the lack of remote administration tools that provide remote Smart Card access, complying with this directive greatly restricts the ability of Administrators to perform remote administration tasks in this new Smart Card environment.
That was the case until version 5.5 of DameWare Development's software suite was released.In 2006, DameWare Development was contacted by members of the U.S. Military and asked to provide a Smart Card solution for the new CAC (Common Access Card) environment. Wanted was a solution that would not only satisfy current security requirements, but also satisfy future security requirements of existing DOD customers.
DameWare Development graciously accepted the challenge and stepped up to the plate, becoming the first third-party remote administration software to provide Interactive Smart Card Login, as well as remote Smart Card Authentication. Users of DameWare Mini Remote Control (DMRC) software now have the ability to access remote machines via their Smart Card and interactively enter the PIN to login, just as if they physically walked up to the console of the remote machine.
This has been a major undertaking and accomplishment for DameWare's development team, and reports are numerous about the tremendous impact this version of the software has had on users in the Military and the DOD.
DameWare Development's software was tested by the U.S. Army within their strict environment, and proved to meet all requirements while exceeding all expectations. At the time of this writing, this release of DameWare Development's software is the only known remote administration tool that is completely CAC (Common Access Card) compliant as well as AGM (Army Gold Master) 6.0 compliant and compatible. One Army representative stated, "Bottom line is, this version of the software has worked flawlessly for us even with our strict requirements. We are not aware of any similar product that meets all these requirements."
Also, unlike other remote administration tools that advertise the ability to remotely authenticate users via a Smart Card, the DMRC program not only has the ability to perform remote Smart Card Authentication, but also the ability to perform Interactive Smart Card logins.
This means that users of the DMRC software can access remote machines while they are at the Logon Desktop and interactively login using their PIN, just as if they were physically at the console of the remote machine. Remote Smart Card Authentication and Interactive Login within DameWare Development software also does not require any type of Smart Card Middleware, and does not even require a Smart Card reader attached to the remote machine.
Requirements & Important Notes:
1. According to Microsoft, Smart Card Login & Authentication is only supported on Windows 2000 and above, including:
- Windows 2000 Workstation
- Windows 2000 Server
- Windows XP Professional
- Windows 2003 Server
- Windows Vista
2. Other than Microsoft's implemented Smart Card Services (scardsvr), no additional middleware is directly required by DameWare software for Smart Card Authentication & Login.
3. A Smart Card reader is not required on the remote machine.
4. The Operating System and network implementation must be configured properly for Smart Card authentication.
The Smart Card & PIN must have sufficient rights to Login to the remote machine. Unfortunately, DameWare's support department does not provide training seminars on how to implement and configure a Smart Card environment. However, the following Smart Card documentation on Microsoft's website may be helpful.
- Various Microsoft Smart Card articles
6. According to Microsoft's Requirements, if the "Net Use" command can be successfully executed to access a remote machine using a Smart Card, the user should also have the ability to install, remove, start, or stop the DMRC Client Agent Service, or successfully use DNTU's LogonAs feature, via Smart Card authentication.
7. According to Microsoft, Smart Card Authentication to Active Directory requires that Smart Card workstations, Active Directory, and Active Directory Domain Controllers be configured properly. Active Directory must trust a certification authority to authenticate users based on certificates from that CA. Both Smart Card workstations and Domain Controllers must be configured with correctly configured certificates.
8. When using the Smart Card authentication method to interactively login via the DMRC program, a "New Hardware Found" notification may be displayed on the remote machine after the DameWare Virtual Smart Card reader is inserted on the user's behalf. Unfortunately this behavior is beyond DameWare's control.
Known Issues:
In some cases disconnecting and reconnecting a few times resolves the issue.
This behavior may also depend on the specific reader and version of the reader's driver. Verify the latest driver directly from the manufacturer is installed.
The following hotfix from Microsoft may be needed. A Windows 2000-based computer no longer recognizes a USB smart card reader
No comments:
Post a Comment