VSC updates

Paolo Matarazzo
2023-11-06 13:00:31 -05:00
parent 6f839514bf
commit 5804b3ba1b
7 changed files with 48 additions and 68 deletions

View File

@ -2,7 +2,7 @@
title: Deploy Virtual Smart Cards
description: Learn about what to consider when deploying a virtual smart card authentication solution
ms.topic: conceptual
ms.date: 02/22/2023
ms.date: 11/06/2023
---
# Deploy Virtual Smart Cards
@ -19,11 +19,9 @@ A device manufacturer creates physical devices, and then an organization purchas
This topic contains information about the following phases in a virtual smart card lifecycle:
- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards)
- [Provision virtual smart cards](#provision-virtual-smart-cards)
- [Maintain virtual smart cards](#maintain-virtual-smart-cards)
- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards)
- [Provision virtual smart cards](#provision-virtual-smart-cards)
- [Maintain virtual smart cards](#maintain-virtual-smart-cards)
## Create and personalize virtual smart cards
@ -54,9 +52,7 @@ A virtual smart card appears within the operating system as a physical smart car
- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer.
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, which is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for some time instead of blocking the card. This is also known as lockout.
For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
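Review bot: the two "For more information" sentences under the Non-exportability and Anti-hammering bullets are continuation lines of those bullets, and as shown here they sit flush with the list markers; if the blank lines between items are being dropped in this hunk, make sure these continuation lines stay indented under their bullet, otherwise they render as separate paragraphs that split the list in two.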
@ -70,12 +66,9 @@ During virtual smart card personalization, the values for the administrator key,
Because the administrator key is critical to the security of the card, it's important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include:
- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued.
- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary.
- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised.
- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued
- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary
- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised
- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it doesn't need to be stored. The security of this method relies on the security of the secret used.
Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is entered on the computer to enable a user PIN reset.
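Review bot: the trailing-period cleanup is inconsistent within this list. The Uniform, Random-not-stored and Random-stored bullets lose their final period, but the Deterministic bullet still ends with one ("...relies on the security of the secret used."). The Random, stored bullet is also the only one whose description starts in lowercase after the bold label ("**Random, stored**: you assign..."); suggest aligning it with the others, e.g. "**Random, stored**: Administrator keys are assigned randomly and stored in a central location".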
@ -112,9 +105,8 @@ You can use APIs to build Microsoft Store apps that you can use to manage the fu
When a device or computer isn't joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that aren't protected include:
- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets.
- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised.
- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets
- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised
The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. You can set policies for automatic lockout while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
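Review bot: the second bullet in this threat list, "A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised", does not say what the exposure is, unlike the first bullet which spells out the PIN brute-force risk. Since the list exists to name the threats BitLocker does not cover, consider stating the consequence (the open VPN session gives the possessor the corporate network access the card was meant to gate) so the lockout-time mitigation in the next paragraph reads as a response to a concrete risk.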
@ -189,11 +181,11 @@ This command creates a card with a randomized administrator key. The key is auto
`tpmvscmgr.exe destroy /instance <instance ID>`
where &lt;instance ID&gt; is the value that is printed on the screen when the user creates the card. Specifically, for the first card created, the instance ID is ROOT\\SMARTCARDREADER\\0000).
where `<instance ID>` is the value that is printed on the screen when the user creates the card. Specifically, for the first card created, the instance ID is `ROOT\SMARTCARDREADER\0000`.
### Certificate management for unmanaged cards
Depending on the security requirements that are unique to an organization, users can initially enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications. The latter method can create a request and submit it to a server that has access to the Certification Authority. This requires specific organizational configurations and deployments for certificate enrollment policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe, which can be used by scripts to perform the enrollment from the command line.
Depending on the security requirements that are unique to an organization, users can initially enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications. The latter method can create a request and submit it to a server that has access to the Certification Authority. This requires specific organizational configurations and deployments for certificate enrollment policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe, which can be used by scripts to perform the enrollment from the command line.
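Review bot: moving the placeholder and the instance ID into code spans (`<instance ID>`, `ROOT\SMARTCARDREADER\0000`) is the right fix; the old line leaked the escaped backslashes and a stray closing parenthesis into the rendered text. For consistency within the same section, the tool and console names in the unchanged paragraph (certmgr.msc, Certreq.exe, Certutil.exe) would benefit from the same code-span treatment; as the two copies of that paragraph are identical here, the change to it appears to be whitespace only.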
#### Requesting the certificate by providing domain credentials only
@ -211,11 +203,9 @@ The user can import the certificate into the **MY** store (which is the user's c
For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure:
1. Users initiate a request on a domain-joined computer.
2. Users complete the request by using a physical smart card to sign the request.
3. Users download the request to the virtual smart card on their client computer.
1. Users initiate a request on a domain-joined computer
1. Users complete the request by using a physical smart card to sign the request
1. Users download the request to the virtual smart card on their client computer
#### Using one-time password for enrollment
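Review bot: the lead sentence "you can use the procedure:" reads incomplete after the list items were renumbered; "you can use the following procedure:" matches the style used elsewhere in these pages. Switching every item to "1." relies on the Markdown renderer's auto-numbering, which is fine for this docs set, but keep the items contiguous (no blank lines between them) so they render as one ordered list.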
@ -235,11 +225,11 @@ Maintenance is a significant portion of the virtual smart card lifecycle and one
When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning. However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards.
**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
**Reset PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
**Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific.
**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
**Retire cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it's only necessary to revoke the certificates that are stored on the virtual smart card.
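Review bot: the label rename is only partly applied. "Resetting PINs" becomes "Reset PINs" and "Retiring cards" becomes "Retire cards", but the paragraph between them keeps "**Lockout reset**"; for a consistent imperative style it should become "**Reset lockout**". The first paragraph of this hunk (renewal with a previously used key) also has no bold label at all, so consider adding "**Renew certificates**" or similar so the four maintenance tasks are presented uniformly.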

View File

@ -2,7 +2,7 @@
title: Evaluate Virtual Smart Card Security
description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards.
ms.topic: conceptual
ms.date: 02/22/2023
ms.date: 11/06/2023
---
# Evaluate Virtual Smart Card Security
@ -39,7 +39,7 @@ The Trusted Computing Group specifies that if the response to attacks involves s
1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM.
> [!NOTE]
>
>
> If the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it must be unblocked by using the administrative key or the PUK.
1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands.
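Review bot: the alert block shows two bare `>` lines between `> [!NOTE]` and the note text; only the marker line followed directly by the text is needed, so whichever of the two empty quote lines survives this change can be dropped as well. Nested inside a numbered list, the alert also needs to be indented to the list item's level or it will terminate the list before "1. Increase the time delay".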
@ -49,4 +49,4 @@ For example, it will take 14 years to guess an eight character PIN for a TPM tha
1. Number of wrong PINs allowed before entering lockout (threshold): 9
1. Time the TPM is in lockout after the threshold is reached: 10 seconds
1. Timed delay doubles for each wrong PIN after the threshold is reached
1. Timed delay doubles for each wrong PIN after the threshold is reached

View File

@ -2,7 +2,7 @@
title: Get Started with Virtual Smart Cards - Walkthrough Guide
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.topic: conceptual
ms.date: 02/22/2023
ms.date: 11/06/2023
---
# Get Started with Virtual Smart Cards: Walkthrough Guide
@ -15,31 +15,27 @@ Virtual smart cards are a technology from Microsoft that offer comparable securi
This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
**Time requirements**
### Time requirements
You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain.
**Walkthrough steps**
### Walkthrough steps
- [Prerequisites](#prerequisites)
- [Prerequisites](#prerequisites)
- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
- [Step 2: Create the TPM virtual smart card](#step-2-create-the-tpm-virtual-smart-card)
- [Step 3: Enroll for the certificate on the TPM Virtual Smart Card](#step-3-enroll-for-the-certificate-on-the-tpm-virtual-smart-card)
- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
- [Step 2: Create the TPM virtual smart card](#step-2-create-the-tpm-virtual-smart-card)
- [Step 3: Enroll for the certificate on the TPM Virtual Smart Card](#step-3-enroll-for-the-certificate-on-the-tpm-virtual-smart-card)
> **Important**&nbsp;&nbsp;This basic configuration is for test purposes only. It is not intended for use in a production environment.
> [!IMPORTANT]
> This basic configuration is for test purposes only. It is not intended for use in a production environment.
## Prerequisites
You will need:
- A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0).
- A test domain to which the computer listed above can be joined.
- Access to a server in that domain with a fully installed and running certification authority (CA).
- A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0)
- A test domain to which the computer listed above can be joined
- Access to a server in that domain with a fully installed and running certification authority (CA)
## Step 1: Create the certificate template
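Review bot: converting "**Time requirements**" and "**Walkthrough steps**" to real headings is welcome, but they are introduced as `###` directly under the `#` page title with no `##` in between, so the heading hierarchy jumps from level 1 to level 3 (the first `##` is "Prerequisites" further down). Either make them `##`, or keep them as bold run-in labels if they should not appear in the page TOC. The switch to the `> [!IMPORTANT]` alert syntax is correct and matches the `[!NOTE]` usage in the evaluate-security page.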
@ -47,13 +43,12 @@ On your domain server, you need to create a template for the certificate that yo
### To create the certificate template
1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**.
2. Click **File**, and then click **Add/Remove Snap-in**.
1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**
2. Select **File** > **Add/Remove Snap-in**
![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png)
3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**.
3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**
![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png)
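Review bot: the verb change is inconsistent across the steps of this procedure. Step 2 now reads "Select **File** > **Add/Remove Snap-in**", but step 1 ("right-click **mmc.exe**, and click **Run as administrator**") and step 3 ("click **Certificate Templates**, and then click **Add**") keep "click". If the intent is to move to "select", apply it to steps 1 and 3 in the same hunk, e.g. "select **Certificate Templates**, and then select **Add**".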
@ -70,19 +65,16 @@ On your domain server, you need to create a template for the certificate that yo
7. On the **General** tab:
1. Specify a name, such as **TPM Virtual Smart Card Logon**.
2. Set the validity period to the desired value.
8. On the **Request Handling** tab:
1. Set the **Purpose** to **Signature and smartcard logon**.
2. Click **Prompt the user during enrollment**.
9. On the **Cryptography** tab:
1. Set the minimum key size to 2048.
2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**.
10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them.
@ -155,8 +147,6 @@ The virtual smart card can now be used as an alternative credential to sign in t
## See also
- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)

View File

@ -2,7 +2,7 @@
title: Virtual Smart Card Overview
description: Learn about virtual smart card technology for Windows.
ms.topic: conceptual
ms.date: 02/22/2023
ms.date: 11/06/2023
---
# Virtual Smart Card Overview

View File

@ -2,7 +2,7 @@
title: Tpmvscmgr
description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
ms.topic: conceptual
ms.date: 02/22/2023
ms.date: 11/06/2023
---
# Tpmvscmgr

View File

@ -3,7 +3,7 @@ title: Understanding and Evaluating Virtual Smart Cards
description: Learn how smart card technology can fit into your authentication design.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 02/22/2023
ms.date: 11/06/2023
---
# Understand and Evaluate Virtual Smart Cards

View File

@ -2,7 +2,7 @@
title: Use Virtual Smart Cards
description: Learn about the requirements for virtual smart cards, how to use and manage them.
ms.topic: conceptual
ms.date: 02/22/2023
ms.date: 11/06/2023
---
# Use Virtual Smart Cards
@ -13,13 +13,13 @@ Learn about the requirements for virtual smart cards, how to use and manage them
## Requirements, restrictions, and limitations
| Area | Requirements and details |
|-------------|---------------------------|
| Supported operating systems | Windows Server 2016 <br>Windows Server 2012 R2 <br>Windows Server 2012 <br>Windows 10 <br>Windows 8.1 <br>Windows 8 |
| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined. <br><br>**Note**<br>You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.<br> |
| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. |
| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.<br>The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
| Area | Requirements and details |
|--|--|
| Supported operating systems | Windows Server 2016 <br>Windows Server 2012 R2 <br>Windows Server 2012 <br>Windows 10 <br>Windows 8.1 <br>Windows 8 |
| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined. <br><br>**Note**<br>You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.<br> |
| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. |
| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.<br>The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
## Using Tpmvscmgr.exe
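Review bot: the rows are unchanged and only the separator row is simplified to `|--|--|`, which is fine. While this table is being touched, the TPM Main Specification link in the second row still uses plain `http://`; it should point at the `https://` address so the reference to the specification is not fetched over an unauthenticated channel. The trailing `<br>` at the end of the "Supported virtual smart cards per computer" cell is also unnecessary and can be dropped in the same change.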