Windows SmartCard for Shared Workstations

Question

We have a Windows x64 workstation that controls special equipment critical to our operations. This workstation only has a set few of trained operators who "know" how to operate it. However, it runs Windows, and this has proven encouraging for others who are not trained to operate the workstation to tinker around, which obviously causes problems.

We've discussed how to alleviate the issue, and multiple user accounts are not an option. The best thing we've come up with is some kind of SmartCard functionality. SmartCards are new to me, but in reading up on them, it seems that they're tied in to the login process. I'm looking for something that would lock the screen/keyboard/mouse if the SmartCard were removed, then immediately unlocked it if it were re-inserted. Anybody know of anything like this?

Update

Thanks for all the responses. I was actually hoping for a turnkey software package, or some suggestions to something like that.

Windows XP x64 that's been slightly altered by the manufacturer. — churnd, Aug 12 '09 at 11:57
Smartcards are great! I use them with the Sun "Sunray" thin clients. Always feels so clunky to go back to a regular PC after being able to carry my session around on my smartcard. :-) — Brian Knoblauch, Oct 09 '09 at 20:01

score 2 · Answer 1 · edited Jun 21 '13 at 10:54

If you ever came around updating this system to a newer version of Windows, take a look at Smart Card Group Policy and Registry Settings in the Technet docs.

The smart card removal policy service available with Windows 7 would give you the desired locking/unlocking functionality out of the box. All you have to do is configure it.

For older Windows versions, you would need add-on software to accomplish locking/unlocking. Various proximity lock/unlock/logon solutions are in the market which mostly use RFID keys.

score 1 · Accepted Answer · answered Aug 11 '09 at 21:49

1

Have you considered biometrics? A fingerprint reader will generally allow either 5 or 10 fingerprints per user account (one for each finger), or in theory, 5-10 people on one user account (just scan each person's finger into a different location).

This won't work if it's in an industrial location - the reader will get dirty, fingers are dirty, grime, dust, all bad for biometrics. And it's not exactly foolproof either (there was a great Mythbusters episode on this), but it should keep honest users out.

I also saw a brilliant system at TradeLink of all places (too bad it didn't stop them from screwing up our order).

They had Sun Thin Clients with smartcards. Every time the hopped up from their desk and took their card with them, the session would lock. Pop it back in, and session would un-lock.

Of course, being thin-client it means that it relies on a Terminal Server and I'm guessing given the sensitive nature of your equipment this wouldn't be practical, but if it exists at a thin client level, I'm sure that there'll be a product that works with traditional desktops as well.

answered Aug 11 '09 at 21:49

Mark Henderson

68,823
31
180
259

I like this better then the Smart Card idea if you can. No one can say I lost my finger and someon else used it! – SpaceManSpiff Aug 11 '09 at 22:58
Hmm. but would you rather loose your smartcard or your finger if the baddies a-la James Bond want to gain access? Anyhoo, consumer level biometrics are not an exact science (far from it), and are very sensitive to himidity and dust and grime and dirt (hence why they're no good for industrial use) but it would be a pretty cheap option. They just need to remember to lock the PC when they're finished (or have it auto-lock after 1 minute of inactivity) – Mark Henderson Aug 11 '09 at 23:42
1

The Sun Thin Client session locking and unlocking is exactly what I want. I don't want the workstation to log off if the card is removed. Biometrics wouldn't work, as it's not constantly present to the workstation like a smartcard is. – churnd Aug 12 '09 at 11:56
I seem to recall that some of our older SPARC based workstations had built-in card readers too. Unfortunately, none of them would run Windows. Hmmm. – Brian Knoblauch Oct 09 '09 at 20:02

score 1 · Answer 3 · answered Nov 21 '09 at 02:36

I have actually implemented this and done extensive testing in regards to SmartCard authentication. There are things hinted at what it checks and how it works in Sam's link to the Microsoft KB article: http://support.microsoft.com/kb/281245

When you use a SmartCard certificate, most of the time the certificate attached to the SmartCard is generated ON the card and the private key cannot be exported. So using the same certificate on multiple cards may not work, unless it is generated outside the card then imported. Not all cards allow the key to be imported like that. However, you can issue multiple certificates that logon to the same account. All you have to make sure is the UPN on all the certificates match, even if the certificates are not the same.

Through experience and some of the technet/MSDN articles, Microsoft Active Directory checks the following things to see if they are true to allow access based upon the certificate provided by the SmartCard:

Is the issuing CA trusted for certifying SmartCard logon?
Is the issuing CA certificate valid (not expired, not revoked)?
Is the SmartCard certificate issued by the trusted and valid CA?
Is the SmartCard certificate valid (not expired, not revoked)?
Does the User Principal Name on the certificate SubjAltName match the User Principal Name in Active Directory? Example: joesmith@ADDomain.com
Can the Certificate Revocation List be positively retrieved as specified in the Smart Card certificate and the CA to confirm revocation status?
Does the SmartCard certificate have a key usage of SmartCard Logon?

Once all the above are true, the SmartCard authentication will succeed.

You could even use one SmartCard to authenticate an unrelated or untrusted domain. For example, if a user with the Windows login of john.doe@domainA.com is issued with a SmartCard logon certificate for john.doe@domainA.com; John Doe can login to domainB.com even as Jane Smith so long as the Issuing CA is imported to domainB's AD properly as trusted for SmartCard issuance, and Jane Smith's account is set to be able to login with john.doe@domainA.com.

It is important to note that the Pre-Windows 2000 login format: DOMAIN\username is not used to authenticate SmartCard Certificates. So you can set the Pre-Windows 2000 login as one thing, while the UPN to another thing.

Finally, due to the above implications, in a higher security setting, the CA's practices are extremely important as forged authentication is easy if the CA is not controlled. As you can imagine, a CA that does not verify the identity of those requesting a certificate can issue duplicate certificates that allows others to impersonate a particular individual.

score 0 · Answer 4 · answered Aug 11 '09 at 21:14

Smart Card Logon is referenced in these links:

http://support.microsoft.com/kb/281245

http://technet.microsoft.com/en-us/library/dd277386.aspx

You could also change the password periodically and threaten the authorized operators to not give it out. Of course, this may not work with the critical software.

score 0 · Answer 5 · answered Aug 11 '09 at 22:13

Why not issue a single certificate for a user in your domain and provision multiple smartcards with that single certificate? This will allow multiple cards to share the same identity, which is what you need (if I understood correctly). Smartcards do require some level of domain functionality and possibly PKI infrastructure. If you don't have that, you might look at some products that will allow you to accomplish something similar.

Windows SmartCard for Shared Workstations

5 Answers5