mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-25 03:37:23 +00:00
updates
parent
5beab6114f
commit
062433f00a
@ -1,5 +1,5 @@
|
||||
---
|
||||
ms.date: 11/06/2023
|
||||
ms.date: 11/07/2023
|
||||
title: Smart Card and Remote Desktop Services
|
||||
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
|
||||
ms.topic: conceptual
|
||||
|
@ -268,7 +268,7 @@ The following diagram shows the Cryptography architecture that is used by the Wi
|
||||
| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` that contains all user certificates on the smart card<br>- Read-only (used only by `CryptGetProvParam`)<br>- Caller responsible for closing the certificate store<br>- Certificate encoded using `PKCS_7_ASN_ENCODING` or `X509_ASN_ENCODING`<br>- CSP should set `KEY_PROV_INFO` on certificates<br>- Certificate store should be assumed to be an in-memory store<br>- Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property |
|
||||
| `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`)<br>- Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card<br>- Used primarily for joining a domain by using a smart card<br>- Caller responsible for closing the certificate store |
|
||||
| `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`)<br>- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
|
||||
| `PP_SMARTCARD_GUID `| - Return smart card GUID (also known as a serial number), which should be unique for each smart card<br>- Used by the certificate propagation service to track the source of a root certificate |
|
||||
| `PP_SMARTCARD_GUID` | - Return smart card GUID (also known as a serial number), which should be unique for each smart card<br>- Used by the certificate propagation service to track the source of a root certificate |
|
||||
| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box<br>- Persistent for the entire process when it is set<br>- Write-only (used only by `CryptSetProvParam`) |
|
||||
|
||||
### Implications for CSPs in Windows
|
||||
|
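Review bot: Removing the stray space inside the backticks in the `PP_SMARTCARD_GUID` row is the right fix; with the space, the rendered code span did not match the constant name a CSP author would search for. While this row is being touched, "Returns the smart card GUID" would match the phrasing of the `PP_SMARTCARD_READER` row ("Returns the smart card reader name") instead of the bare "Return".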
@ -21,8 +21,6 @@ The following figure shows the flow of the certificate propagation service. The
|
||||
1. The arrow labeled **2** indicates the certification to the reader
|
||||
1. The arrow labeled **3** indicates the access to the certificate store during the client session
|
||||
|
||||
### Certificate propagation service
|
||||
|
||||

|
||||
|
||||
1. A signed-in user inserts a smart card
|
||||
|
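Review bot: Dropping the blank lines around the image is harmless; the figure now sits directly under the `### Certificate propagation service` heading. In the unchanged context above it, "The arrow labeled **2** indicates the certification to the reader" reads as a garbled phrase (certification of what, to which reader?); please check the intended wording against the figure while this region is open.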
@ -15,7 +15,7 @@ When a smart card is inserted, the following steps are performed.
|
||||
> Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext).
|
||||
|
||||
1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
|
||||
1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\.<Reader name>\
|
||||
1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is `\\.<Reader name>\`
|
||||
1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in.
|
||||
1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam.
|
||||
1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
|
||||
|
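Review bot: The container-name format in the changed line appears to be missing a backslash between `\\.` and `<Reader name>`: the fully qualified container name passed to CryptAcquireContext for a smart card reader has the form `\\.\<Reader name>\`, so please verify against the CryptAcquireContext reference before merging. Moving the value from `*\\.<Reader name>\` (which had no closing `*` and rendered as run-on italics) into a code span is the right call; for consistency the other identifiers in this list (`CryptAcquireContext`, `PP_CONTAINER`, `CryptGetProvParam`, `PP_USER_CERTSTORE`, and `CRYPT_SILENT` in the note above the list) could get the same treatment.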
@ -88,9 +88,7 @@ tracelog.exe -stop <*FriendlyName*>
|
||||
logman.exe -stop <*FriendlyName*> -ets
|
||||
```
|
||||
|
||||
#### Examples
|
||||
|
||||
To stop a trace:
|
||||
For example, to stop a trace:
|
||||
|
||||
```cmd
|
||||
tracelog.exe -stop scardsvr
|
||||
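Review bot: Removing the `#### Examples` heading drops the `#examples` anchor from this page, so check for inbound links before merging; otherwise "For example, to stop a trace:" reads better than a heading followed by a one-line lead-in.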
@ -102,7 +100,7 @@ logman.exe -stop scardsvr -ets
|
||||
You can use these resources to troubleshoot these protocols and the KDC:
|
||||
|
||||
- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10))
|
||||
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
|
||||
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
|
||||
|
||||
To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog)
|
||||
|
||||
|
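Review bot: Dropping `en-us/` from the WDK link makes it locale-neutral; good. The first link in the same list points into the previous-versions archive, so verify it still resolves, and the Tracelog sentence after the list is missing its terminal period.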
@ -344,7 +344,7 @@ The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\Contr
|
||||
| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.<br>Default value: 00000000 |
|
||||
| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.<br>Default value: 000005dc<br>The default timeout for holding transactions to the smart card is 1.5 seconds. |
|
||||
|
||||
**Additional registry keys for the smart card KSP**
|
||||
Additional registry keys for the smart card KSP:
|
||||
|
||||
| Registry Key | Description |
|
||||
|--|--|
|
||||
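Review bot: The description of `RequireOnCardPrivateKeyGen` (unchanged context above the edited line) contradicts itself: it says the key "requires on-card private key generation (default)" and then that "if this value is set, a key generated on a host can be imported into the smart card", and the "(default)" in the first sentence does not agree with the stated `Default value: 00000000`. Please confirm which polarity is correct and reword so the flag's effect, its default, and the use case (cards without on-card generation, or key escrow) agree. Replacing the bold pseudo-heading with the lead-in sentence "Additional registry keys for the smart card KSP:" is fine and matches how the CRL table below is introduced.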
@ -355,8 +355,6 @@ The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\Contr
|
||||
|
||||
The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
|
||||
|
||||
### CRL checking registry keys
|
||||
|
||||
| Registry Key | Details |
|
||||
|--|--|
|
||||
| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD<br>Value = 1 |
|
||||
|
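Review bot: The registry path in the table row, `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors`, abbreviates `CurrentControlSet` as `CCS`, which is not a real key name; a reader who pastes the path will not find it, and this table is the kind of thing that gets copied into a script or a Group Policy preference. Because the value turns off CRL checking at the KDC, spell out `CurrentControlSet` and keep the sentence above stating that both the KDC and the client must be configured. Removing the `### CRL checking registry keys` heading drops an anchor; check for inbound links.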
@ -11,19 +11,14 @@ This topic for the IT professional describes the role of the removal policy serv
|
||||
|
||||
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
|
||||
**Smart card removal policy service**
|
||||
|
||||

|
||||
|
||||
The numbers in the previous figure represent the following actions:
|
||||
|
||||
1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.
|
||||
|
||||
2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
|
||||
|
||||
3. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
|
||||
|
||||
4. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
|
||||
1. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
|
||||
1. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
|
||||
1. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
|
||||
|
||||
## See also
|
||||
|
||||
|
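Review bot: Switching to `1.` auto-numbering is safe here because the lead-in says "The numbers in the previous figure represent the following actions" and Markdown renders sequential numbers regardless of the source digits; just confirm the figure still labels the arrows 1 to 4 in the same order as the list. Removing the bold `**Smart card removal policy service**` label leaves the figure without a caption; the alt text carries the same words, so that is acceptable.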
@ -28,7 +28,7 @@ Smart cards provide:
|
||||
|
||||
Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
|
||||
|
||||
**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
|
||||
Virtual smart cards were introduced to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
|
||||
|
||||
[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
|
||||
|
||||
|
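Review bot: The rewritten sentence drops the fact that virtual smart cards were introduced in Windows Server 2012 and Windows 8. With the deprecation include directly below, losing the introduction date is defensible, but make sure the included notice states the supported version range so readers keep some version context; otherwise "were introduced to alleviate the need" now floats with no timeframe at all.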
@ -157,7 +157,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm
|
||||
|
||||
#### Certificate issuance
|
||||
|
||||
Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
|
||||
Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
|
||||
|
||||
Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).
|
||||
|
||||
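Review bot: Dropping "that was introduced in Windows Server 2003" is consistent with the version cleanup in the previous hunk, and the sentence still makes the technical point: the physical card's driver is only needed on the remote computer because redirection makes the client's card reader available inside the session. Consider a code span for `certmgr.msc` in the next paragraph, as done elsewhere in this commit for tool names.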
@ -211,9 +211,7 @@ For deployments that require users to use a physical smart card to sign the cert
|
||||
|
||||
Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
|
||||
|
||||
#### Certificate lifecycle management
|
||||
|
||||
Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
|
||||
**Certificate lifecycle management**: certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
|
||||
|
||||
Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.
|
||||
|
||||
|
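Review bot: This hunk runs in the opposite direction from the rest of the commit: it collapses the `#### Certificate lifecycle management` heading into a bold inline label ("**Certificate lifecycle management**: certificate renewal ..."), while later hunks promote bold labels to `####` headings. Pick one convention; keeping the heading preserves the anchor and keeps the revocation paragraph under a findable section. Separately, the last sentence of the revocation paragraph ("For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.") is a fragment; attach it to the preceding sentence.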
@ -15,11 +15,9 @@ Virtual smart cards are a technology from Microsoft that offer comparable securi
|
||||
|
||||
This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
|
||||
|
||||
### Time requirements
|
||||
|
||||
You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain.
|
||||
|
||||
### Walkthrough steps
|
||||
## Walkthrough steps
|
||||
|
||||
- [Prerequisites](#prerequisites)
|
||||
- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
|
||||
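Review bot: Promoting "Walkthrough steps" from `###` to `##` while leaving "Time requirements" at `###` changes the outline: "Time requirements" now hangs under the preceding `##` section, and "Walkthrough steps" becomes a sibling of the Step headings it links to (`#step-1-create-the-certificate-template` and so on). That is probably intended, but check the rendered TOC.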
@ -44,61 +42,39 @@ On your domain server, you need to create a template for the certificate that yo
|
||||
### To create the certificate template
|
||||
|
||||
1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**
|
||||
2. Select **File** > **Add/Remove Snap-in**
|
||||
|
||||
1. Select **File** > **Add/Remove Snap-in**
|
||||

|
||||
|
||||
3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**
|
||||
|
||||
1. In the available snap-ins list, click **Certificate Templates**, and then click **Add**
|
||||

|
||||
|
||||
4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
|
||||
|
||||
5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
|
||||
|
||||
1. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
|
||||
1. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
|
||||

|
||||
|
||||
6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
|
||||
|
||||
1. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
|
||||

|
||||
|
||||
7. On the **General** tab:
|
||||
|
||||
1. On the **General** tab:
|
||||
1. Specify a name, such as **TPM Virtual Smart Card Logon**.
|
||||
2. Set the validity period to the desired value.
|
||||
|
||||
8. On the **Request Handling** tab:
|
||||
|
||||
1. Set the validity period to the desired value.
|
||||
1. On the **Request Handling** tab:
|
||||
1. Set the **Purpose** to **Signature and smartcard logon**.
|
||||
2. Click **Prompt the user during enrollment**.
|
||||
|
||||
9. On the **Cryptography** tab:
|
||||
|
||||
1. Click **Prompt the user during enrollment**.
|
||||
1. On the **Cryptography** tab:
|
||||
1. Set the minimum key size to 2048.
|
||||
2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**.
|
||||
|
||||
10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them.
|
||||
|
||||
11. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
|
||||
|
||||
12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
|
||||
|
||||
1. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**.
|
||||
1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them.
|
||||
1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
|
||||
1. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
|
||||

|
||||
|
||||
13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
|
||||
|
||||
14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
|
||||
|
||||
1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
|
||||
1. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
|
||||

|
||||
|
||||
15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
|
||||
1. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
|
||||
|
||||
> [!NOTE]
|
||||
> It can take some time for your template to replicate to all servers and become available in this list.
|
||||
> It can take some time for your template to replicate to all servers and become available in this list.
|
||||
|
||||

|
||||
|
||||
16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
|
||||
1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
|
||||
|
||||

|
||||
|
||||
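Review bot: The sub-steps under "On the **General** tab:", "On the **Request Handling** tab:", and "On the **Cryptography** tab:" now all use `1.` as well; they only render as nested lists if they are indented under their parent item, and the rendering here does not show indentation, so please confirm the preview shows a/b (or 1/2) under each tab rather than a flat list that restarts numbering. Terminal punctuation is also now mixed: "Select **File** > **Add/Remove Snap-in**" has no period while "Double-click it to view all the available certificate templates." does; apply one rule. On content, unchanged by this hunk: the step that grants **Enroll** to **Authenticated users** is fine for the test domain this walkthrough targets, but since the template is a smart card logon template, a one-line caveat that production deployments should scope Enroll to the intended group would be worth adding.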
@ -109,18 +85,15 @@ In this step, you will create the virtual smart card on the client computer by u
|
||||
### To create the TPM virtual smart card
|
||||
|
||||
1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
|
||||
|
||||

|
||||
|
||||
2. At the command prompt, type the following, and then press ENTER:
|
||||
1. At the command prompt, type the following, and then press ENTER:
|
||||
|
||||
`tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
|
||||
|
||||
This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.
|
||||
|
||||
This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.\
|
||||
For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
|
||||
|
||||
4. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card.
|
||||
1. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card.
|
||||
|
||||
## Step 3: Enroll for the certificate on the TPM Virtual Smart Card
|
||||
|
||||
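Review bot: The old numbering went 1, 2, 4 with no step 3, so switching to `1.` auto-numbering silently fixes that gap; good. The trailing backslash added after "**/pin prompt**." is a Markdown hard line break that keeps the "For more information" sentence inside the same list item; it works, but a blank line plus indentation is the conventional way to hold a second paragraph in an item. Also, the `tpmvscmgr.exe create ...` command is an inline code span here while the tracing topic in this same commit uses a fenced ```cmd block, and `/pin default` and `/pin prompt` are command switches, so code spans rather than bold would be consistent. The default PIN 12345678 is clearly stated as the test-environment value, which is fine for a walkthrough.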
@ -128,21 +101,14 @@ The virtual smart card must be provisioned with a sign-in certificate for it to
|
||||
|
||||
### To enroll the certificate
|
||||
|
||||
1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu.
|
||||
|
||||
2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
|
||||
|
||||
1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu
|
||||
1. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**
|
||||

|
||||
|
||||
3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
|
||||
|
||||
1. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1)
|
||||

|
||||
|
||||
4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
|
||||
|
||||
5. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK**.
|
||||
|
||||
6. Wait for the enrollment to finish, and then click **Finish**.
|
||||
1. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**
|
||||
1. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK**
|
||||
1. Wait for the enrollment to finish, and then click **Finish**
|
||||
|
||||
The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon, enter your PIN (if necessary), and then click **OK**. You should be signed in to your domain account.
|
||||
|
||||
|
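Review bot: Stripping the terminal periods from the list items makes this procedure consistent with the "To create the TPM virtual smart card" steps in the previous hunk, but the Step 1 procedure in this same file still mixes items with and without periods; apply one rule across the file. The step "Enter the PIN that was established when you created the TPM virtual smart card" is correct as written, since the PIN was set in Step 2 (`/pin default`, which the text says is 12345678).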
@ -23,27 +23,27 @@ Virtual smart cards are functionally similar to physical smart cards, appearing
|
||||
|
||||
### Authentication use cases
|
||||
|
||||
**Two-factor authentication‒based remote access**
|
||||
#### Two-factor authentication‒based remote access
|
||||
|
||||
After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain.
|
||||
|
||||
In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established.
|
||||
|
||||
**Client authentication**
|
||||
#### Client authentication
|
||||
|
||||
Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
|
||||
|
||||
**Virtual smart card redirection for remote desktop connections**
|
||||
#### Virtual smart card redirection for remote desktop connections
|
||||
|
||||
The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication.
|
||||
|
||||
### Confidentiality use cases
|
||||
|
||||
**S/MIME email encryption**
|
||||
#### S/MIME email encryption
|
||||
|
||||
Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
|
||||
|
||||
**BitLocker for data volumes**
|
||||
#### BitLocker for data volumes
|
||||
|
||||
BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult.
|
||||
|
||||
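Review bot: Converting the bold labels to `####` headings is good and makes the "Authentication use cases" / "Confidentiality use cases" structure navigable. One catch: the first heading, "Two-factor authentication‒based remote access", carries a Unicode figure dash between "authentication" and "based"; as a heading it now becomes an anchor, and the non-ASCII character makes that anchor awkward to link to and to type. Replace it with an ASCII hyphen. Minor wording in the unchanged context of the redirection paragraph: "to access domain" should be "to access the domain".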
@ -51,7 +51,7 @@ You can use BitLocker to encrypt portable drives, storing keys in virtual smart
|
||||
|
||||
### Data integrity use case
|
||||
|
||||
**Signing data**
|
||||
#### Signing data
|
||||
|
||||
To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data.
|
||||
|
||||
|
@ -43,7 +43,7 @@ Virtual smart cards maintain the three key properties of physical smart cards:
|
||||
|
||||
The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards.
|
||||
|
||||
**Functionality**
|
||||
### Functionality
|
||||
|
||||
The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
|
||||
|
||||
@ -51,7 +51,7 @@ The basic user experience for a virtual smart card is as simple as using a passw
|
||||
|
||||
Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they simply wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer.
|
||||
|
||||
**Security**
|
||||
### Security
|
||||
|
||||
Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft.
|
||||
|
||||
@ -59,13 +59,13 @@ TPM virtual smart cards, however, reside on a user's computer that may frequentl
|
||||
|
||||
However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
|
||||
|
||||
**Cost**
|
||||
### Cost
|
||||
|
||||
If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
**Comparison summary**
### Comparison summary
| Physical Smart Cards | TPM virtual smart cards |
|---------------------|-------------------|
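Review bot: promoting `**Cost**` and `**Comparison summary**` to `### Cost` and `### Comparison summary` is the right direction, but confirm `###` is the level that matches the heading these subsections sit under, so the table of contents doesn't end up with orphaned third-level entries. Two context lines in this hunk are worth fixing in the same commit: "which in most cases is much less frequently" should read "which in most cases happens much less frequently", and "This precludes any future unauthorized access on that computer or device if the PIN ... is compromised" overstates what certificate revocation delivers; revocation blocks future certificate-based sign-ins once relying parties see the revocation, it does not block local access to the device, so "precludes any future use of that virtual smart card for authentication" is the accurate claim. The table header also mixes "Physical Smart Cards" with "TPM virtual smart cards"; pick one capitalization.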
@ -87,17 +87,17 @@ The maintenance cost of virtual smart cards is less than that for physical smart
The following section presents several commonly used options and their respective strengths and weaknesses, which organizations can consider for authentication.
**Passwords**
### Passwords
A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained.
**One-time passwords**
### One-time passwords
A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session).
**Smart cards**
### Smart cards
Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
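Review bot: the Passwords, One-time passwords and Smart cards labels get the same bold-to-`###` promotion; fine, but since this hunk already touches the region, fix the typo in the unchanged Passwords paragraph: "which makes it's easy for a malicious user to maintain access" should be "which makes it easy for a malicious user to maintain access". The one-time password paragraph is also loose in "if a given OTP token is intercepted in transmission ... the interceptor can't use it for any future transactions"; that holds only if the legitimate user's submission consumes the OTP first, so "can't reuse it" is the safer wording.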
@ -111,7 +111,7 @@ Additional security is achieved by the singular nature of the card because only
The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them.
**Virtual smart cards**
### Virtual smart cards
Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices.
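Review bot: the last context line reads as a contradiction because the two sentences have no connective: "Theoretically, any device that can provide the three key properties ... can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip". Suggest "In practice, however, the virtual smart card platform supports only the Trusted Platform Module (TPM), which ...". Same heading-level check applies to `### Virtual smart cards` as to the other promoted labels in this file.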
@ -30,11 +30,8 @@ To create and delete TPM virtual smart cards for end users, the Tpmvscmgr comman
Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces:
- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85))
- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85))
- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager)
- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback)
You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041).
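Review bot: the namespace in the trailing context line is misspelled: "Windows.Device.SmartCards" should be "Windows.Devices.SmartCards", which is how the same namespace is written in the link list further down this file. This hunk only collapses the blank lines between the four API bullets, so folding the fix in is cheap. The channel9.msdn.com link in that same line should also be verified; Channel 9 was retired and its content moved to Microsoft Learn, so the URL as written is unlikely to resolve.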
@ -42,7 +39,7 @@ You can use APIs that were introduced in the Windows.Device.SmartCards namespace
The following table describes the features that can be developed in a Microsoft Store app:
| Feature | Physical Smart Card | Virtual Smart Card |
|----------------------------------------------|---------------------|--------------------|
|--|--|--|
| Query and monitor smart card readers | Yes | Yes |
| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
| Verify if the administrative key of a card is correct | Yes | Yes |
@ -56,7 +53,6 @@ The following table describes the features that can be developed in a Microsoft
For more information about these Windows APIs, see:
- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards)
- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates)
## Distinguishing TPM-based virtual smart cards from physical smart cards
@ -70,11 +66,13 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf
## Changing the PIN
The PIN for a virtual smart card can be changed by following these steps:
- Sign in with the old PIN or password.
- Press Ctrl+Alt+Del and choose **Change a password**.
- Select **Sign-in Options**.
- Select the virtual smart card icon.
- Enter and confirm the new PIN.
- Sign in with the old PIN or password
- Press Ctrl+Alt+Del and choose **Change a password**
- Select **Sign-in Options**
- Select the virtual smart card icon
- Enter and confirm the new PIN
## Resolving issues
### TPM not provisioned
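Review bot: the rewritten PIN-change procedure only drops the trailing periods and keeps the steps as a bulleted list, but the lead-in says "by following these steps" and the items are strictly sequential (sign in, press Ctrl+Alt+Del, choose **Change a password**, select **Sign-in Options**, select the virtual smart card icon, enter the new PIN), so a numbered list (`1.`, `2.`, ...) fits better and the docs style already uses numbered lists for procedures. The first step, "Sign in with the old PIN or password", is also ambiguous about whether a password sign-in is enough to change the virtual smart card PIN; clarify that the user must already be signed in to the account before invoking **Change a password**.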