#1

Vista logon with smart card on local pc

My aim is clear: I want to use the enhanced security of the smart card for accessing a local PC instead of using the usual weak username and password. I know well that performing this task is easy if you are connected to a domain. When you are connected to a domain you can request a certificate for Vista logon and, once obtained, you can use the group policy that requires a smart card for logging on to the PC. And after that, even if you are not connected to the domain anymore, you can use the smart card to securely access the PC at logon, since the smart card credentials are cached on the local PC. (I think you can always use the smart card to log on to the PC without the need to reconnect to the domain, is that right?) To further enhance security you can disable the option to use username and password in safe mode. All that is clear.

I have two questions. First of all, are there any Windows Server 2003 CA or Windows Server 2008 CA you can connect to freely or not (configuring the VPN parameters or whatever method to add the computer temporarily to the domain) and request a certificate to use for Windows logon on a local PC, and after that always use the smart card credentials cached locally on the PC without reconnecting to the domain that released the certificate, and if so, where can I find them?

Second: if it's not possible to connect to domains that give such services, is it possible in some way to "manually" create these cached smart card credentials (connected in some way to the certificate stored in the smart card) on the local PC, so that enabling the group policy that requires a smart card to log on to the PC makes it possible to perform smart card logon?

Assuming that one of the above two things is possible, is it safe to always use the cached smart card credentials to perform logon, or are there any limits to that? (Clearly I should make a backup of the smart card certificate to access Windows if I lose the smart card or if it becomes corrupted.)

Thanks a lot for any help
Best regards
Michele
#2

Re: Vista logon with smart card on local pc

I'm assuming this is NOT a domain-joined PC.

What threats do you envision that local smart card logon will mitigate? Smart card logon is typically used in a domain environment to mitigate the threat of stolen or compromised credentials -- without the smart card, an attacker can't log onto the domain remotely. It appears that you're thinking you can get the same kind of protection on a standalone computer. But you really don't need to do this, since the threat doesn't exist here. Smart cards are useless if an attacker steals your laptop -- he can remove the hard drive or boot with an alternate operating system.

--
Steve Riley
steve.riley@xxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Michele" <Michele@xxxxxx> wrote in message news:BB8126F3-787B-4B12-A7FE-25EA353090ED@xxxxxx

> My aim is clear: I want to use the enhanced security of the smart card for
> accessing a local PC instead of using the usual weak username and password.
> I know well that performing this task is easy if you are connected to a
> domain.
> When you are connected to a domain you can request a certificate for Vista
> logon and, once obtained, you can use the group policy that requires a smart
> card for logging on to the PC. And after that, even if you are not connected
> to the domain anymore, you can use the smart card to securely access the PC
> at logon, since the smart card credentials are cached on the local PC. (I
> think you can always use the smart card to log on to the PC without the need
> to reconnect to the domain, is that right?)
> To further enhance security you can disable the option to use username and
> password in safe mode. All that is clear.
>
> I have two questions. First of all, are there any Windows Server 2003 CA or
> Windows Server 2008 CA you can connect to freely or not (configuring the VPN
> parameters or whatever method to add the computer temporarily to the domain)
> and request a certificate to use for Windows logon on a local PC, and after
> that always use the smart card credentials cached locally on the PC without
> reconnecting to the domain that released the certificate, and if so, where
> can I find them?
>
> Second: if it's not possible to connect to domains that give such services,
> is it possible in some way to "manually" create these cached smart card
> credentials (connected in some way to the certificate stored in the smart
> card) on the local PC, so that enabling the group policy that requires a
> smart card to log on to the PC makes it possible to perform smart card logon?
>
> Assuming that one of the above two things is possible, is it safe to always
> use the cached smart card credentials to perform logon, or are there any
> limits to that? (Clearly I should make a backup of the smart card
> certificate to access Windows if I lose the smart card or if it becomes
> corrupted.)
>
> Thanks a lot for any help
> Best regards
> Michele