Defining Administrative and Support Processes

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Many smart card–related problems cannot be addressed by means of Group Policy, and some Group Policy settings, such as account lockout policy, can themselves create support issues for smart card users. You must create a support plan that addresses the contingencies smart card use introduces. Your plan should cover the following points:

  • Identify the person in your support organization who is authorized to perform security-related smart card administrative tasks, such as resetting PINs, distributing temporary smart cards, or enabling temporary passwords.

  • Define and document your plan for escalating and resolving smart card logon problems.

  • Define and document any special policies and procedures that you want to establish for specific types of employees, such as senior executives, support personnel, or traveling users.

  • Define and document the processes for handling name changes.

  • Define and document processes for handling changes in employee status, such as when employees change from contract to full-time employment, or from full-time to part-time employment.

  • Define and document the level of smart card support that users can expect to receive outside of regular business hours.

Creating a Plan for Forgotten Smart Cards

Before you deploy smart cards, you must establish a contingency plan in the event that users forget their smart cards. You can choose to do one of the following:

  • Allow users to maintain passwords that they use for interactive logons when their smart cards are not available. This is the simplest, but least secure, option: every account keeps a password that can be guessed or phished whether or not the card is in use, and you cannot require smart card logon for those accounts.

  • Issue temporary smart cards with certificates that have short lifetimes, such as one day. This solution is useful if your organization has someone on site who is authorized to distribute alternate smart card credentials. However, if an authorized agent is unavailable when the user needs assistance, the user cannot access the network.

  • Enable help desk or security personnel to issue users limited-time passwords that are valid for the day. This solution is helpful when no one at the location is authorized to distribute temporary or replacement smart cards, or when you need to assist traveling users. If you use this option, you must define how the user's identity is verified before the password is issued, because the password bypasses the smart card entirely. Make sure your plan requires the help desk or security administrator to reset the limited-time password after the allotted time has expired; otherwise the temporary password remains a weaker second credential on the account.

Tip

  • When you issue temporary smart cards or passwords to users, you can place those users in a security group that is only able to access a subset of the network resources of your organization. In this way, they can perform their job tasks without compromising the security of your resources.

Managing PINs

Using smart cards in combination with PINs simplifies credential management for your network, because users remember a short PIN rather than a complex password. However, you need a plan for the cases in which a user forgets a PIN or the card locks itself after too many incorrect PIN entries (the retry limit is enforced by the card, not by the domain account lockout policy). Specifically, you need to define:

  • How locked smart cards can be unlocked. Decide whether you want the help desk to unlock smart cards or enable users to unlock their own smart cards.

  • How to enable the help desk to unlock locked smart cards. If you determine that the help desk is responsible for unlocking smart cards, you need to use some form of secret information to verify that the user is who he or she claims to be. For example, you could have every user complete a set of predefined questions and answers, which are then stored in a secure database. Help desk personnel cannot view the answers to the questions. Instead, they type in the answers the user provides, and the database reports back to the help desk staff member only whether the answers match the stored ones. Choose questions whose answers are not discoverable from public records or social media, or the check verifies nothing.

    Tip

    • Allow users only one attempt to answer the questions correctly, so that an impersonator does not have multiple opportunities to guess the correct responses to the questions.

  • How to enable users to unlock their own smart cards. You can enable users to unlock their own smart cards by using a secure Web page linked to a database. The user answers a list of personal questions, the correct answers to which are stored in the secure database. When users need to reset their PINs, they must answer the questions correctly. If they do so, they are allowed to reset their PINs.

    This solution does not require help desk support. However, it exposes the PIN reset user interface to a larger audience, which is a potential security risk. In addition, it requires the user to reach the Web page, which might not be possible when the locked smart card prevents the user from logging on in the first place.
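The help desk verification just described (answers stored only as salted hashes, the database reporting only match or no match, a single attempt before lockout) and the limited-time password from the earlier section, as one added example. This is not code from the original page or from Microsoft; the names ChallengeStore, TemporaryCredentials and help_desk_unlock, the PBKDF2 round count, the 24-hour validity and the sample enrolment are all assumptions made for illustration. The same verify method would sit behind the self-service Web page, with the Web application (not the user) holding the only read access to the store.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 100_000              # assumption: tune to your hardware
TEMP_VALIDITY = timedelta(hours=24)  # "valid for the day"


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Hill Road' and ' hill  road ' match."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


class ChallengeStore:
    """Per-user challenge questions. Only salted hashes of the answers are kept, so
    neither the help desk nor a reader of the database sees plaintext answers."""

    def __init__(self):
        self._records = {}

    def enrol(self, user, qa_pairs):
        answers = []
        for question, answer in qa_pairs:
            salt = os.urandom(16)
            answers.append((question, salt, hash_answer(answer, salt)))
        self._records[user] = {"answers": answers, "locked": False}

    def questions(self, user):
        return [q for q, _, _ in self._records[user]["answers"]]

    def is_locked(self, user):
        return self._records[user]["locked"]

    def verify(self, user, supplied):
        """Return True only if every answer matches. Any mismatch locks the user,
        so an impersonator gets exactly one attempt; the caller sees pass/fail only."""
        rec = self._records[user]
        if rec["locked"]:
            return False
        ok = len(supplied) == len(rec["answers"])
        # Check every answer (no early exit) with a constant-time comparison.
        for (_, salt, digest), given in zip(rec["answers"], supplied):
            ok &= hmac.compare_digest(hash_answer(given, salt), digest)
        if not ok:
            rec["locked"] = True
        return ok

    def admin_unlock(self, user):
        """Only a security administrator re-arms a user who failed the check."""
        self._records[user]["locked"] = False


class TemporaryCredentials:
    """Tracks limited-time passwords so the help desk can reset them when they lapse."""

    def __init__(self, validity=TEMP_VALIDITY):
        self.validity = validity
        self._issued = {}  # user -> (password, expires_at)

    def issue(self, user, now):
        password = secrets.token_urlsafe(12)  # 16 random characters
        self._issued[user] = (password, now + self.validity)
        return password

    def expired(self, now):
        """Users whose temporary password has lapsed and must now be reset."""
        return sorted(u for u, (_, exp) in self._issued.items() if exp <= now)

    def mark_reset(self, user):
        self._issued.pop(user, None)


def help_desk_unlock(store, creds, user, supplied_answers, now):
    """Help-desk flow: verify the caller with a single attempt, then issue a one-day
    temporary password. Returns None (and the user is locked) on failure."""
    if not store.verify(user, supplied_answers):
        return None
    return creds.issue(user, now)


if __name__ == "__main__":
    # Constructed sample enrolment; not real user data.
    store = ChallengeStore()
    store.enrol("alice", [("Street of first school?", "Hill Road"), ("First pet?", "Rex")])
    creds = TemporaryCredentials()
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    print(store.questions("alice"))
    print("issued:", help_desk_unlock(store, creds, "alice", ["hill road", "REX"], now))
    print("needs reset next morning:", creds.expired(now + timedelta(days=1)))
```

The lock is set on any failed check rather than after a counted number of tries, which is the one-attempt rule from the tip above; only admin_unlock clears it. The expired list is what a daily help-desk sweep would work from to reset the temporary passwords that have lapsed.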