Vista logon with smart card on local pc


Guest Michele
Posted

My aim is clear: I want to use the enhanced security of the smart card for accessing a local PC instead of using the usual weak username and password.

I know well that performing this task is easy if you are connected to a domain. When you are connected to a domain you can request a certificate for Vista logon, and once obtained you can use the group policy that requires a smart card for logging on to the PC. After that, even if you are not connected to the domain anymore, you can use the smart card to securely access the PC at logon, since the smart card credentials are cached on the local PC. (I think you can always use the smart card to log on to the PC without the need to reconnect to the domain, is that right?)

For further enhancing security you can disable the option to use username and password in safe mode. All that is clear.

I have two questions. First of all, are there any Windows Server 2003 CAs or Windows Server 2008 CAs you can connect to, freely or not (configuring the VPN parameters or whatever method to add the computer temporarily to the domain), and request a certificate to use for Windows logon on the local PC, and after that always use the smart card credentials cached locally on the PC without reconnecting to the domain that issued the certificate? If so, where can I find them?

Second: if it's not possible to connect to domains that give such services, is it possible somehow to "manually" create these cached smart card credentials (connected in some way to the certificate stored in the smart card) on the local PC, so that enabling the group policy that requires a smart card to log on to the PC makes smart card logon possible?

Assuming that one of the above two things is possible, is it safe to always use the cached smart card credentials to perform logon, or are there any limits in that? (Clearly I should make a backup of the smart card certificate to access Windows if I lose the smart card or if it becomes corrupted.)

Thanks a lot for any help.

Best regards

Michele
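As an added illustration of the settings Michele describes (this is not code from the thread, and neither poster supplies any), the PowerShell script below reports whether the machine is domain-joined, whether the "Interactive logon: Require smart card" policy is set, the smart card removal behavior, the cached domain logon count, and which certificates in the current user's personal store carry the Smart Card Logon enhanced key usage. The registry value names, the EKU OID and the Win32_ComputerSystem class are Microsoft's; the function name and the warning text are my own. It assumes PowerShell 3 or later (for Get-CimInstance) run with administrative rights on a Windows machine, and it only reads settings, it issues and caches nothing.

```powershell
# Added example, not from the original thread. Reads the Windows settings that
# smart card logon depends on so you can see what "require smart card" actually
# changes on a given machine. Assumes PowerShell 3+ and an elevated session.

# Microsoft "Smart Card Logon" enhanced key usage OID.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonPosture {
    # Domain membership: cached domain logons only matter on a domain-joined box.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # scforceoption = 1 backs "Interactive logon: Require smart card"; absent or 0 = not required.
    $force = (Get-ItemProperty -Path $policyKey -Name scforceoption -ErrorAction SilentlyContinue).scforceoption

    # scremoveoption backs "Interactive logon: Smart card removal behavior":
    # "0" no action, "1" lock workstation, "2" force logoff, "3" disconnect Remote Desktop session.
    $remove = (Get-ItemProperty -Path $winlogonKey -Name scremoveoption -ErrorAction SilentlyContinue).scremoveoption

    # CachedLogonsCount: number of previous *domain* logons Winlogon keeps for offline use (default "10").
    $cached = (Get-ItemProperty -Path $winlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    # Certificates in the user's personal store that carry the Smart Card Logon EKU.
    $logonCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SmartCardLogonEku }
    }

    $removalText = '0 (no action)'
    if ($remove) { $removalText = $remove }
    $cachedText = '10 (default)'
    if ($cached) { $cachedText = $cached }

    [pscustomobject]@{
        ComputerName        = $cs.Name
        DomainJoined        = [bool]$cs.PartOfDomain
        Domain              = $cs.Domain
        RequireSmartCard    = ($force -eq 1)
        RemovalBehavior     = $removalText
        CachedLogonsCount   = $cachedText
        SmartCardLogonCerts = @($logonCerts | ForEach-Object { "$($_.Subject) [$($_.Thumbprint)]" })
    }
}

$posture = Get-SmartCardLogonPosture
$posture | Format-List

# Cached logons cover domain accounts only, so on a standalone machine the
# cached-credential path does not exist for local accounts. Forcing smart card
# logon there without a working certificate-to-account mapping locks you out.
if (-not $posture.DomainJoined -and $posture.RequireSmartCard) {
    Write-Warning 'Standalone machine with "Require smart card" set: confirm a working smart card logon before the next reboot.'
}
```

Run it once before and once after applying the policy to see exactly which values changed. Note that CachedLogonsCount governs cached domain logons only; it has no effect on local accounts, which is the case that the question is really about.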


Guest Steve Riley [MSFT]
Posted

I'm assuming this is NOT a domain-joined PC.

What threats do you envision that local smart card logon will mitigate?

Smart card logon is typically used in a domain environment to mitigate the threat of stolen or compromised credentials -- without the smart card, an attacker can't log onto the domain remotely. It appears that you're thinking you can get the same kind of protection on a standalone computer. But you really don't need to do this, since the threat doesn't exist here. Smart cards are useless if an attacker steals your laptop -- he can remove the hard drive or boot with an alternate operating system.

 

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Michele" <Michele@discussions.microsoft.com> wrote in message
news:BB8126F3-787B-4B12-A7FE-25EA353090ED@microsoft.com...
