
Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM

Presentation transcript:

1 Agenda
Build 2012, 3/31/2017
- 2 factor authentication
- Smart cards
- Virtual smart cards
- FIM CM
- Demo
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 2 factor authentication
Two-factor authentication combines two independent factors:
- What you know, e.g. a PIN
- What you have, e.g. a smart card or a device

3 Why 2 factor authentication
"In 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking" – Deloitte
"The age of the password is over. We just haven't realized it yet." – Wired
"73% of users share the passwords which they use for online banking, with at least one nonfinancial website." – Trusteer Inc., Reused Login Credentials, 2010

4 Virtual smart cards
- Introduced in Windows 8
- Uses the TPM module on the PC for:
  - isolated crypto operations
  - generation of non-exportable keys
  - dictionary attack prevention (wrong PIN lockout enforced by the TPM)
- Exposed as smart cards to applications and the OS
- The PIN is what you know; the device is what you have.

5 Where can virtual smart cards be used
- Remote access using VPN or DirectAccess
- BYOD (Bring Your Own Device)
- Logon to PC
- SSL client authentication
- Secure document protection (signing, encryption)
- BitLocker drive encryption for data volumes
- 2 factor authentication

6 Important aspects of a smart card
- User-selected PIN
- Auto-generated admin key for PIN reset or unblock (some cards have a PUK instead)
- Unique ID (card ID, serial number, etc.) for inventory management
- Certificates and private keys

7 Deployment types
Two deployment types: managed virtual smart cards and unmanaged virtual smart cards. The management capabilities on which they differ:
- Inventory management
- PIN reset and unblock
- PIN change
- Policy enforcement
- Certificate issuance and management

8 Deployment complexity
Components involved, compared across managed and unmanaged virtual smart cards:
- Server-side virtual smart card management
- Policy enforcement modules
- PIN management components
- Certificate server
- Browser plugin or client app
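As an added example that is not part of the deck, the unmanaged path from slides 6 to 8 on the command line. It uses tpmvscmgr.exe, the in-box TPM virtual smart card tool that ships with Windows 8 and later, and assumes an elevated PowerShell session on a PC with a TPM; the function names are my own. The weak invocation relies on the tool's documented default admin key and default PIN; the hardened one prompts for a PIN and generates a random admin key that is never stored, which is exactly why an unmanaged card has no PIN unblock.

```powershell
# Added example, not from the presentation. Assumes Windows 8 or later with a TPM,
# run from an elevated prompt. tpmvscmgr.exe is the in-box TPM virtual smart card tool.

# WEAK: /adminkey default and /pin default use well-known constants documented for
# the tool, so anyone who knows them can reset the PIN or use the card. Lab use only.
#   tpmvscmgr.exe create /name "Lab VSC" /pin default /adminkey default /generate

# HARDENED (unmanaged): the user picks the PIN; the admin key is random and discarded.
# Caveat: with no stored admin key there is no PIN unblock. A forgotten PIN means
# destroying the card and re-enrolling. A managed deployment (FIM CM) keeps the
# admin key server-side so the helpdesk can unblock and the card can be inventoried.
function New-HardenedVsc {
    param([Parameter(Mandatory)][string]$Name)
    $out = & tpmvscmgr.exe create /name $Name /pin prompt /adminkey random /generate 2>&1
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed ($LASTEXITCODE): $out" }
    # The tool reports the device instance ID of the new virtual reader
    # (e.g. ROOT\SMARTCARDREADER\0000). Record it: it is the unique ID for
    # inventory (slide 6) and the handle needed to destroy the card later.
    $id = ($out | Select-String -Pattern 'ROOT\\SMARTCARDREADER\\\d+').Matches.Value
    [pscustomobject]@{ Name = $Name; InstanceId = $id; Output = ($out -join "`n") }
}

# Inventory check: the virtual card shows up to the OS as a smart card reader,
# which is what lets existing smart-card-aware applications use it unchanged (slide 4).
function Get-VscInventory {
    Get-PnpDevice -Class SmartCardReader -PresentOnly |
        Select-Object FriendlyName, InstanceId, Status
}

# Decommission (lost device, or forgotten PIN on an unmanaged card).
function Remove-Vsc {
    param([Parameter(Mandatory)][string]$InstanceId)
    & tpmvscmgr.exe destroy /instance $InstanceId
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr destroy failed ($LASTEXITCODE)" }
}
```

After creation, certificate enrollment onto the card is a separate step (slide 9); `certutil -scinfo` is a convenient way to confirm the card and any enrolled certificates are visible to Windows.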

9 Certificate enrollment
Additional proofs of identity that can be required before a certificate is enrolled:
- Domain username and password
- Challenge questions
- OTP sent to a mobile phone, or a Corpnet connection with user name and password
- Signing with a physical smart card
- Visit to an IT office/kiosk

10 FIM 2010 Components
FIM Web Service
- Provides solutions for management of users, access, credentials, and policies
- Automates common identity lifecycle management tasks, including self-service solutions
FIM Synchronization Service
- Provides identity synchronization services and user provisioning across multiple directories
- Includes many management agents (MAs) to allow communication between the FIM Synchronization Service and external databases and systems
- Allows development of custom management agents
FIM CM Management Agent
- Extensible management agent that allows issuance/termination of certificates during account processing. Supported scenarios:
  - Initial enrollment during provisioning
  - Disable/retire/revoke during deprovisioning
  - Suspend/reinstate during account suspension
FIM 2010 Certificate Management
- Single administration point for software and smart card certificates
- Configurable policy-based workflows for common tasks
- Detailed auditing and reporting
- Integration with existing infrastructure

11 FIM CM Components
(Diagram.) Server side: FIM CM Server, SQL Server, Certification Authority, Active Directory. Users served: corporate user, corporate partner, customer.

12 FIM CM Architecture
(Diagram: physical architecture and logical architecture.) Components shown:
- Certification Authority: Enterprise CA or third-party CA, with the FIM CM Policy Module and FIM CM Exit Module installed
- FIM CM Server: FIM CM ASP.NET Web App on IIS 7.0 or 7.1 (64-bit), FIM CM AD Integration
- Active Directory
- SQL Server
- End user: IE 6.x, 7.x or 8.x, FIM CM Client, Smart Card Middleware / Smart Card Base CSP
- Other services

13 FIM 2010 Licensing
FIM 2010 licensing requires two separate license purchases: a server license and a client access license (CAL).
Server licensing:
- One license per physical FIM 2010 server
- A server can run the FIM Web Service, FIM Synchronization Service, or FIM CM Service; each can run on a separate server, or any combination of the three services on one
Client access licensing:
- One CAL for every person that receives a certificate managed by FIM 2010 (software certificates and smart card certificates)
- Includes the ability to do user self-service password reset and self-service group management
- If a person has two accounts in Active Directory, only a single CAL is required to manage certificates issued to the two accounts
- Consider purchasing an External Connector license if certificates are issued to subscribers outside of the organization

14 Introducing Profile Templates
(Diagram.) A profile template groups together certificate templates, profile details, and management policies for the lifecycle operations (enrollment/enroll, recover, revoke, ...).

15 Introducing FIM CM Roles
Role: Certificate Subscriber
- Can perform a limited number of functions against their own certificates or smart cards
- Has access to the FIM CM Subscriber Portal
Role: Certificate Manager
- Performs management functions for a group of subscribers
- Has access to the FIM CM Manager Portal

16 Demo – use virtual smart card

17 Resources
- Virtual smart card white paper
- MSDN links for WinRT APIs
- Samples link

