Agenda: 2 factor authentication, smart cards, virtual smart cards, FIM CM

Agenda (Build 2012)
- 2 factor authentication
- Smart cards
- Virtual smart cards
- FIM CM
- Demo

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 factor authentication
Two factors are combined: what you know and what you have.
- What you know, e.g. a PIN
- What you have, e.g. a smart card or a device

Why 2 factor authentication
"In 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking" – Deloitte
"The age of the password is over. We just haven't realized it yet." – Wired
"73% of users share the passwords which they use for online banking, with at least one nonfinancial website." – Trusteer Inc.
[Chart: Reused Login Credentials, 2010]

Virtual smart cards
- Introduced in Windows 8
- Use the Trusted Platform Module (TPM) on the PC for isolated crypto operations:
  - generation of non-exportable keys (the private key never leaves the TPM)
  - dictionary attack prevention (the TPM throttles and locks out after repeated wrong PIN entries)
- Exposed as smart cards to applications and the OS
- The PIN is what you know; the device (the PC with its TPM) is what you have.

Where can virtual smart cards be used (2 factor authentication)
- Remote access using VPN or DirectAccess
- BYOD (Bring Your Own Device)
- Logon to PC
- SSL client authentication
- Secure email
- Document protection (signing, encryption)
- BitLocker drive encryption for data volumes

Important aspects of a smart card
- User selected PIN
- Auto generated admin key for PIN reset or unblock (some cards have a PUK instead)
- Unique ID (card ID, serial number, etc.) for inventory management
- Certificates and private keys
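The three slides above (what a virtual smart card is, where it is used, and the PIN / admin key / unique ID / certificates it carries) map directly onto the in-box tpmvscmgr.exe tool. The following is an added example written for this page, not code from the Build 2012 deck: it checks the TPM, creates an unmanaged virtual smart card, finds the device instance ID Windows assigned to it, lists its contents with certutil, and shows the teardown command. The card name "CorpVSC" is an illustrative placeholder; run it in an elevated PowerShell on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the Build 2012 deck): create, inspect and destroy a TPM virtual smart card.
# Assumption: "CorpVSC" is a placeholder card name; everything else is the in-box tooling.

# 1. No TPM, no "what you have" factor: stop before pretending otherwise.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready (Get-Tpm); a virtual smart card cannot be created on this PC."
}

# 2. Create the card.
#    /pin prompt      asks for the user PIN interactively (what you know); never pass a real PIN on the command line.
#    /adminkey random sets an admin key that is shown to nobody, so PIN reset/unblock is impossible later.
#                     That is the unmanaged case; a managed deployment (FIM CM) supplies and stores the
#                     admin key itself so the helpdesk can unblock the card without knowing the PIN.
#    /generate        creates the card file system so certificates can be enrolled immediately.
$createOutput = & tpmvscmgr.exe create /name "CorpVSC" /pin prompt /adminkey random /generate 2>&1
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed:`n$createOutput" }

# 3. The card appears as a reader device "Microsoft Virtual Smart Card <n>"; its PnP instance ID
#    (typically ROOT\SMARTCARDREADER\000n) is the unique ID a management system inventories it by.
$vsc = Get-PnpDevice -PresentOnly |
    Where-Object { $_.FriendlyName -like "Microsoft Virtual Smart Card*" } |
    Sort-Object InstanceId | Select-Object -Last 1
if (-not $vsc) { throw "Card was created but no virtual smart card reader is present." }
"Virtual smart card instance: $($vsc.InstanceId) ($($vsc.Status))"

# 4. certutil -scinfo enumerates every reader, the card in it and the certificates/keys it holds.
#    A freshly generated card has no certificates yet; the PIN is only requested when a private key is used.
& certutil.exe -scinfo

# 5. Teardown for lab use only: destroying the card erases its keys irrecoverably.
# & tpmvscmgr.exe destroy /instance $vsc.InstanceId
```

tpmvscmgr needs administrator rights for create and destroy, but the PIN itself is never changed through it: a user changes the PIN through the normal smart card path (Ctrl+Alt+Del, "Change a PIN"), which is why the admin key, not the PIN, is the credential a management system has to keep.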

Deployment types
Managed vs. unmanaged virtual smart cards, compared on these management capabilities:
- Inventory management
- PIN reset and unblock
- PIN change
- Policy enforcement
- Certificate issuance and management

Deployment complexity
Managed vs. unmanaged virtual smart cards, compared on the components required:
- Server side virtual smart card management
- Policy enforcement modules
- PIN management components
- Certificate server
- Browser plugin or client app

Certificate enrollment
Additional proofs of identity that can be required before a certificate is issued to the card:
- Domain username and password
- Challenge questions
- OTP sent to mobile phone or email
- Corpnet connection with user name and password
- Sign with a physical smart card
- Visit to an IT office/kiosk
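Whatever proofs the enrollment workflow demands, the technical step that follows is enrolling a certificate whose private key is generated on the card. The following is an added example written for this page, not code from the deck and not FIM CM's own enrollment path: it requests a certificate from an enterprise CA with certreq.exe through the Microsoft Base Smart Card Crypto Provider, so the key lands on the inserted virtual smart card, then checks that the installed certificate really is backed by a non-exportable hardware key. The CA config string, template name and UPN are placeholders; the template must grant the user Enroll permission and the card must be present.

```powershell
# Added example (not from the Build 2012 deck): enroll onto the virtual smart card and verify the key location.
# Assumptions / placeholders: $caConfig, $template and $upn below are not from the deck.
$caConfig = "ca01.corp.example\Corp Issuing CA"   # "<CA host>\<CA name>"; see certutil -dump
$template = "SmartcardLogon"                       # template common name (not its display name)
$upn      = "alice@corp.example"

# The Base Smart Card CSP generates the key pair on whichever card is inserted, here the VSC.
# Exportable = FALSE is belt and braces: a TPM-backed key cannot leave the card anyway.
$inf = @"
[NewRequest]
Subject = "CN=$upn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $template
"@
$work = Join-Path $env:TEMP "vsc-enroll"
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# -new generates the key on the card (PIN prompt) and builds the PKCS#10 request;
# -submit sends it to the CA; -accept installs the issued certificate and links it to the card key.
foreach ($step in @(
        @("-new",    "$work\request.inf", "$work\request.req"),
        @("-submit", "-config", $caConfig, "$work\request.req", "$work\cert.cer"),
        @("-accept", "$work\cert.cer"))) {
    & certreq.exe @step
    if ($LASTEXITCODE -ne 0) { throw "certreq $($step[0]) failed with exit code $LASTEXITCODE" }
}

# Verification: locate the issued certificate by thumbprint and make sure its key reports as a
# hardware, non-exportable key from the smart card CSP. Anything else is a software key, i.e. the
# "what you have" factor would be just a file in the user profile.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\cert.cer"
$cert   = Get-Item "Cert:\CurrentUser\My\$($issued.Thumbprint)"
if (-not $cert.HasPrivateKey) { throw "Issued certificate is not linked to a private key" }

try { $info = $cert.PrivateKey.CspKeyContainerInfo } catch { $info = $null }   # CAPI (CSP) keys only
if (-not $info) { throw "Key is not a CSP key; inspect it with: certutil -scinfo" }
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Provider   = $info.ProviderName
    Hardware   = $info.HardwareDevice
    Exportable = $info.Exportable
    Removable  = $info.Removable
}
if ($info.Exportable -or -not $info.HardwareDevice) {
    throw "Private key is exportable or not hardware-backed; do not treat this certificate as a second factor."
}
```

If the template is configured to build the subject from Active Directory, the Subject line in the INF is ignored and the CA fills in the UPN itself, which is why the check above finds the certificate by thumbprint rather than by name.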

FIM 2010 Components

FIM Web Service
- Provides solutions for management of users, access, credentials, and policies
- Automates common identity lifecycle management tasks, including self-service solutions

FIM Synchronization Service
- Provides identity synchronization services and user provisioning across multiple directories
- Includes many management agents (MAs) to allow communication between the FIM Synchronization Service and external databases and systems
- Allows development of custom management agents

FIM CM Management Agent
- Extensible management agent that allows issuance/termination of certificates during account processing. Supported scenarios:
  - Initial enrollment during provisioning
  - Disable/Retire/Revoke during deprovisioning
  - Suspend/reinstate during account suspension

FIM 2010 Certificate Management
- Single administration point for software and smart card certificates
- Configurable policy-based workflows for common tasks
- Detailed auditing and reporting
- Integration with existing infrastructure

FIM CM Components
[Diagram: the FIM CM Server connected to a Certification Authority, Active Directory, SQL Server and an E-mail Server, serving a Corporate User, a Corporate Partner and a Customer]

FIM CM Architecture
[Diagram: physical and logical architecture]
- FIM CM Server: FIM CM ASP.NET Web App on IIS 7.0 or 7.1 (64-bit), FIM CM AD Integration
- Certification Authority (Enterprise CA or Third Party CA): FIM CM Policy Module, FIM CM Exit Module
- SQL Server
- Active Directory
- E-mail Server and other services
- End User: FIM CM Client in IE 6.x, IE 7.x or IE 8.x, with Smart Card Middleware / Smart Card Base CSP

FIM 2010 Licensing
FIM 2010 licensing requires two separate license purchases: a server license and client access licenses (CALs).

Server licensing
- One license per physical FIM 2010 server
- A server can run the FIM Web Service, the FIM Synchronization Service, or the FIM CM Service; each can run on a separate server, or any combination of the three services on one server

Client access licenses
- One CAL for every person that receives a certificate managed by FIM 2010 (software certificates or smart card certificates)
- Includes the ability to do user self-service password reset and self-service group management
- If a person has two accounts in Active Directory, only a single CAL is required to manage certificates issued to the two accounts
- Consider purchasing an External Connector license if certificates are issued to subscribers outside of the organization

Introducing Profile Templates
[Diagram: a Profile Template groups one or more Certificate Templates, Management Policies (Enroll, Recover, Revoke, ...) and Profile Details]

Introducing FIM CM Roles

Certificate Subscriber
- Can perform a limited number of functions against their own certificates or smart cards
- Has access to the FIM CM Subscriber Portal

Certificate Manager
- Performs management functions for a group of subscribers
- Has access to the FIM CM Manager Portal

Demo – use virtual smart card

Resources
Virtual smart card white paper: http://www.microsoft.com/download/details.aspx?id=29076
MSDN links for WinRT APIs:
- http://msdn.microsoft.com/library/windows/apps/windows.devices.smartcards.aspx
- http://msdn.microsoft.com/library/windows/apps/windows.security.cryptography.certificates.aspx
Samples:
- http://code.msdn.microsoft.com/windowsapps/Smart-card-sample-f9befda4
- http://msdn.microsoft.com/library/windows/apps/br212099.aspx