I'm in the process of configuring USB Yubikeys as a smart card for our company so that staff can elevate to an admin account (added to the computer's local administrators group) by simply inserting the key and typing a PIN.

If possible I would like to disable the option to interactively login to windows using the smart card; we just want it for UAC prompts (e.g. to install software).

Things I tried:

  • Certificate templates -- removed the 'smart card logon' (but kept 'client authentication') from the Extensions.

  • AD Users and Computers -- (un)ticked 'smart card is required for interactive logon'.

  • regedit -- toggled the 'scforceoption'

  • gpedit.msc -- toggled 'Interactive Logon: Require smart card' (could be the same as the 'scforceoption'?)

  • Local Services -- toggled 'smart card plug and play service'

Should I look at Windows logon settings, certificate uses configuration, CA templates or the specific smart card device for limiting the use to only have it work with UAC and prevent interactive logons?

Not sure if this should be moved to the 'Cryptography' StackExchange.

1 Answer

Not sure if this is the preferred way, but someone from Yubikey offered a suggestion that actually seems to work.

The Windows scardsvr service is required to enable smart card services; without it running, the logon screen does not show any options to log on with a smart card. I simply set the service to manual and then use Task Scheduler to trigger starting or stopping the service (net start scardsvr) when a user logs on or logs off.

The tasks are scheduled to run as a local administrator so that the logged-in user can still only have basic user-level privileges.

This is still prone to undoing by the user, as they can simply disable the stop-service task using their smart card, but this question was mainly raised to simplify the logon screen, rather than providing a more secure user environment.

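The answer above describes the setup in prose only. The following PowerShell script is an added example, not code from the original answer or from Yubico, that registers the two scheduled tasks it describes. It assumes it is run from an elevated prompt on Windows 10 or later, runs the tasks as SYSTEM rather than a named local administrator, and detects logoff through Security event 4647 ("User initiated logoff"), because Task Scheduler has no built-in "at logoff" trigger; the task names and the 2-minute execution limit are my choices.

```powershell
# Added example (not from the original answer): implement the answer's
# "manual start + start/stop tasks" approach for the Smart Card service.
# Assumptions: elevated PowerShell; tasks run as SYSTEM; logoff is detected
# via Security event 4647, which requires "Audit Logoff" success auditing
# (enabled by default on Windows 10 clients).
$svc = 'SCardSvr'

# 1. The service must not auto-start, or the sign-in screen will offer
#    smart card logon before any task has a chance to run.
Set-Service -Name $svc -StartupType Manual
Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue

# Both tasks run as SYSTEM so a standard user needs no rights to them.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                                        -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
                                          -DontStopIfGoingOnBatteries `
                                          -ExecutionTimeLimit (New-TimeSpan -Minutes 2)

# 2. Start the service when any user logs on, so UAC prompts can use the card.
$startAction  = New-ScheduledTaskAction -Execute 'net.exe' -Argument "start $svc"
$startTrigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName 'SCardSvr-StartAtLogon' -Action $startAction `
                       -Trigger $startTrigger -Principal $principal -Settings $settings -Force

# 3. Stop the service at logoff. There is no -AtLogOff trigger, so build an
#    event trigger on the Security log entry written when a user signs out.
$stopAction  = New-ScheduledTaskAction -Execute 'net.exe' -Argument "stop $svc"
$eventClass  = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
                            -ClassName 'MSFT_TaskEventTrigger'
$stopTrigger = New-CimInstance -CimClass $eventClass -ClientOnly
$stopTrigger.Enabled      = $true
$stopTrigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4647]]</Select>
  </Query>
</QueryList>
'@
Register-ScheduledTask -TaskName 'SCardSvr-StopAtLogoff' -Action $stopAction `
                       -Trigger $stopTrigger -Principal $principal -Settings $settings -Force

# 4. Verify: the service is Manual and stopped, and both tasks are registered.
Get-Service -Name $svc | Select-Object Name, Status, StartType
Get-ScheduledTask -TaskName 'SCardSvr-*' | Select-Object TaskName, State
```

Two checks worth doing afterwards. First, confirm that logoff auditing is actually on (`auditpol /get /subcategory:"Logoff"`), since the stop task never fires without event 4647. Second, run `sc.exe qtriggerinfo SCardSvr`: on Windows 8 and later the service also carries a device-arrival trigger for smart card readers, so plugging a reader into the machine while it sits at the sign-in screen can start the service on its own, independent of these tasks. That, together with the point the answer itself makes about a user disabling the stop task, is why this should be treated as a logon-screen tidy-up and not as a control preventing smart card logon; the certificate's Extended Key Usage and the account's logon policies are the actual controls.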