Using Smart Cards with Windows 7

In highly secure environments where Smart Cards are the preferred method of authentication, Windows 7 lets you use Smart Cards without installing vendor-specific software. In addition, Windows 7 allows you to fine-tune the authentication mechanism through policies. Why Smart Cards? Smart Cards are more secure than other means of authentication such as user names and passwords. They store digital certificates, so if a Smart Card is lost or stolen an administrator can immediately revoke the certificate stored on it.

Windows 7 policies related to Smart Cards are located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node:

Interactive logon: Require smart card – This security setting requires users to log on to a computer using a smart card. The default setting is Disabled, which means users can log on to the computer using any method.

Interactive logon: Smart card removal behavior – This security setting determines what happens when the smart card of a logged-on user is removed from the reader. The default setting is No action. The other available settings are:

  • If you select Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
  • If you select Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
  • If you select Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another computer equipped with a smart card reader, without having to log on again. If the session is local, this policy behaves identically to Lock Workstation.
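The two policies above are stored in the registry once they are applied, so an administrator can audit a fleet of Windows 7 machines without opening the Local Security Policy console on each one. The following PowerShell script is an added example and is not part of the original article; it assumes the standard registry locations that back these policies (scforceoption under the Policies\System key for "Require smart card", and ScRemoveOption under the Winlogon key for "Smart card removal behavior"), and the function names Get-SmartCardLogonPolicy and Set-SmartCardRemovalBehavior are the author's own choices.

```powershell
# Added example: audit and (optionally) set the Windows 7 smart card logon policies
# by reading and writing the registry values that back them. Assumed locations:
#   Require smart card         -> HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#                                 value scforceoption (REG_DWORD; 1 = enabled, 0/absent = disabled)
#   Smart card removal behavior -> HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
#                                 value ScRemoveOption (REG_SZ; "0" No action, "1" Lock Workstation,
#                                 "2" Force Logoff, "3" Disconnect if a Remote Desktop Services session)
# Note: in a domain, Group Policy rewrites these values on refresh, so a local change
# made here is only durable on machines that are not under a conflicting GPO.

$SystemPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WinlogonKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Map of the removal-behavior options as they appear in the policy UI.
$RemovalOptionNames = @{
    '0' = 'No action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a Remote Desktop Services session'
}

function Get-SmartCardLogonPolicy {
    [CmdletBinding()]
    param()

    # Read both values; a missing value means the policy is not configured.
    $requireRaw = (Get-ItemProperty -Path $SystemPolicyKey -Name 'scforceoption' `
                    -ErrorAction SilentlyContinue).scforceoption
    $removeRaw  = (Get-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' `
                    -ErrorAction SilentlyContinue).ScRemoveOption

    $removalName = $(if ($null -eq $removeRaw -or -not $RemovalOptionNames.ContainsKey("$removeRaw")) {
                        'Not configured (behaves as No action)'
                     } else {
                        $RemovalOptionNames["$removeRaw"]
                     })

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        RequireSmartCard        = ($requireRaw -eq 1)
        RequireSmartCardRaw     = $requireRaw
        SmartCardRemovalRaw     = $removeRaw
        SmartCardRemovalSetting = $removalName
        # Flag machines that still allow password logon or take no action on card removal,
        # which is the combination a high-security baseline would want to catch.
        MeetsBaseline           = (($requireRaw -eq 1) -and ("$removeRaw" -in @('1', '2', '3')))
    }
}

function Set-SmartCardRemovalBehavior {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('NoAction', 'LockWorkstation', 'ForceLogoff', 'DisconnectRdsSession')]
        [string]$Behavior
    )

    # Translate the friendly name into the REG_SZ value Winlogon expects.
    $code = switch ($Behavior) {
        'NoAction'             { '0' }
        'LockWorkstation'      { '1' }
        'ForceLogoff'          { '2' }
        'DisconnectRdsSession' { '3' }
    }

    if ($PSCmdlet.ShouldProcess("$WinlogonKey\ScRemoveOption", "Set to '$code' ($Behavior)")) {
        Set-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' -Value $code -Type String
    }
}

# Usage (run from an elevated PowerShell prompt):
#   Get-SmartCardLogonPolicy | Format-List
#   Set-SmartCardRemovalBehavior -Behavior LockWorkstation -WhatIf   # preview the change
#   Set-SmartCardRemovalBehavior -Behavior LockWorkstation           # apply it
```

Reading the values is harmless and works as a standard user; writing them requires an elevated prompt. The -WhatIf switch on the setter lets you see exactly which registry value would change before committing, and the MeetsBaseline field gives a single yes/no you can aggregate across machines with Invoke-Command to find workstations where smart card enforcement has drifted.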

Smart Cards allow you to implement multifactor authentication, which means that users are required to use two or more separate methods to authenticate. The most common form of multifactor authentication used with clients running Windows 7 in enterprise environments is smart card and password authentication.
