Replacements for Passwords
The weakest link in the Windows Server 2008 security scheme is probably the use of passwords. Users give their passwords to others or forget them, and passwords are stolen or just "found" in many different ways. There is nothing to tie a password to an individual. With someone's password in hand, nothing can stop you from impersonating that person on a password-protected system. Two potential replacements for passwords are smart cards and biometric devices.
Smart Cards
Smart cards are credit card-sized pieces of plastic that have a tamper-resistant electronic circuit embedded in them that permanently stores an ID, a password, a digital signature, an encryption key, or any combination of those. Smart cards require a personal identification number (PIN), so they add a second layer (smart card plus PIN in place of a password) that an impersonator would have to obtain to log onto a system. Also, smart cards can be configured to lock up after a few unsuccessful attempts to enter a PIN.
Windows Server 2008 fully supports smart cards and lets them be used to log onto a computer or network or to enable certificate-based authentication for opening documents or performing other tasks. Smart cards require a reader attached to the computer through a USB port, a PCMCIA (PC Card) slot, or an ExpressCard slot. With a smart-card reader, users do not have to press Ctrl-Alt-Del. They only need to insert their card, at which point they are prompted for their PIN. With a valid card and PIN, users are authenticated and allowed on the system in the same way as they would be by entering a valid username and password.
A number of smart-card readers are Plug and Play-compliant, and drivers for these devices are either included with Windows Server 2008 or available from the manufacturer. Installing them requires little more than plugging them in. With a smart-card reader installed, set up new accounts (as previously described) and then, for both new and old accounts, open the user's Properties dialog box by double-clicking a user in the Active Directory Users And Computers window (see "Network User Authentication" earlier in this tutorial for directions on opening this window). In the user's Properties dialog box, click the Account tab, scroll through the Account Options list, and check Smart Card Is Required For Interactive Logon (if a smart card is not installed or detected by Windows Server 2008, this option may not be visible).
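The same account option can be audited and set from PowerShell rather than one user at a time in the Properties dialog. The following is an added example, not code from the tutorial; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), rights to modify the accounts, and a placeholder OU name.

```powershell
# Added example: audit and enforce "Smart Card Is Required For Interactive Logon".
# Assumes the ActiveDirectory module is available and the OU below is replaced.
Import-Module ActiveDirectory

# userAccountControl bit that the checkbox in the Account tab sets
$ADS_UF_SMARTCARD_REQUIRED = 0x40000

function Get-SmartCardLogonStatus {
    # Lists every enabled user under the OU and whether the flag is set.
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase   # placeholder OU DN
    )
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties userAccountControl, SmartcardLogonRequired |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                # Raw bit is what the domain controller enforces at logon
                FlagSet           = (($_.userAccountControl -band $ADS_UF_SMARTCARD_REQUIRED) -ne 0)
                RequiresSmartCard = $_.SmartcardLogonRequired
            }
        }
}

function Set-SmartCardLogonRequired {
    # Turns the option on (or off) for each account supplied.
    # -WhatIf previews the change before anything is written to AD.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][string[]]$SamAccountName,
        [bool]$Required = $true
    )
    process {
        foreach ($name in $SamAccountName) {
            if ($PSCmdlet.ShouldProcess($name, "SmartcardLogonRequired = $Required")) {
                Set-ADUser -Identity $name -SmartcardLogonRequired $Required
            }
        }
    }
}

# Usage: report accounts in the OU that still allow password logon, then
# (after review) enforce the option for the ones that should use a card.
$base = 'OU=Staff,DC=example,DC=com'   # placeholder, replace with your OU
Get-SmartCardLogonStatus -SearchBase $base |
    Where-Object { -not $_.FlagSet } |
    Format-Table -AutoSize
# Get-SmartCardLogonStatus -SearchBase $base | Where-Object { -not $_.FlagSet } |
#     Select-Object -ExpandProperty SamAccountName | Set-SmartCardLogonRequired -WhatIf
```

Running the audit periodically catches accounts where the option was cleared again, which would silently reopen password-based logon for that user.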
NOTE: In case you wondered, the PIN is encrypted and placed on the smart card when it is made. The PIN is not stored on the computer or in Active Directory.
Smart cards are particularly valuable for remote entry to a network, and they can be used by a traveling staff member with a laptop, probably using virtual private networking (VPN) over the Internet. Smart cards are also frequently used in the issuance of certificates of authenticity for documents and other objects (see the discussion of certificates later in the tutorial under "Secure Data Transmission").
Biometric Devices
Smart cards do provide an added degree of security over passwords, but if someone obtains both the card and the PIN, that person is home free. The only way to be totally sure that the computer is talking to the real person is to require some physical identification of the person. This is the purpose of biometric devices, which identify people by physical traits, such as their voice, handprint, fingerprint, face, or eyes. Often, these devices are used with a smart card to replace the PIN. Biometric devices are now moving into the mainstream, with some laptops having fingerprint readers built in. While there is nothing built into Windows Server 2008 specifically to handle them, drivers and the implementing technology are readily available. USB plug-in fingerprint scanners and their software can be purchased for less than $50. Other devices can cost several hundred to several thousand dollars for a face scanner. In the next few years, these devices will be everywhere, so, depending on your needs, you may want to keep them in mind.