Selecting Group Policy Settings to Manage Smart Card Use
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Several Group Policy settings are specific to smart card management. You can use these Group Policy settings to manage smart cards in your organization.
- Other security policy settings, such as lockout policy or restricted logon times, can also impact smart card users if they use their cards for account logon.
Smart card required for interactive logon
When you set this policy on a user account, the user cannot log on to the account by using a password. They can only log on by using a smart card.
The advantage of using this policy setting is that it enforces strict security. However, if users are unable to log on by using conventional passwords, you must provide an alternate solution in the event that smart cards become unusable.
- This policy setting applies to interactive and network logons only. It does not apply to remote access logons, which are managed by policy settings that are configured on the remote access server.
The Smart card required for interactive logon policy is not recommended for users who need to:
Join a computer to a domain.
Perform administrative tasks such as installing Active Directory on a member server.
Configure a network connection for remote access.
If you choose not to use this security policy setting, users can revert to their standard network passwords if their smart cards are damaged or unavailable. However, this weakens security. In addition, users who use their passwords infrequently might forget them, and either write them down, or call the help desk for a password reset, increasing help desk costs to the organization.
On smart card removal
Users who walk away from computers that are running an active logon session create a security risk. To enforce the security of your system, it is best if users either log off or lock their computers when they leave. The On smart card removal policy allows you to force users to log off or lock their computers when they remove their smart cards.
- If you select the forced logoff option, users need to make sure they have saved changes to documents and other files before they remove their smart cards. Otherwise, they lose any changes they have made.
Whether or not you set the On smart card removal policy depends on how your users interact with their computers. For example, this policy is a good choice if using computers in an open floor or kiosk environment. This policy might not be necessary when users have dedicated computers or exclusive use of multiple computers. You can use a password-protected screensaver or other means to lock the computers of these users.
- The On smart card removal policy is a local computer policy that is administered on a per computer basis. Set the On smart card removal policy on a per user account basis, along with other domain security policy settings.
Do not allow smart card device redirection
Use the Do not allow smart card device redirection policy if you do not want to use smart cards in conjunction with Terminal Services sessions. Restrict this use of smart cards if you are concerned about the network resources required for Terminal Services sessions in your environment.
Account lockout threshold
Use the Account lockout threshold policy to disable accounts after a set number of failed logon attempts. An account that is locked out cannot be used until an administrator resets it, or until the account lockout duration expires. You can specify a value of between 1 and 999 failed logon attempts, or you can specify that the account is never locked out by setting the value to 0.
To thwart unauthorized attempts to use a smart card and PIN, establish account lockout thresholds to a low value, such as four or five attempts.
For more information about creating a strategy for unlocking smart cards, see "Defining Administrative and Support Processes" later in this chapter.