Smart Card Deployment Considerations

Smart card logon is supported for Windows 2000 and Windows Server 2003. To implement smart cards, you must deploy an enterprise certification authority rather than a stand-alone or third-party certification authority to support smart card logon to Windows Server 2003 domains. Windows Server 2003 supports industry standard Personal Computer/Smart Card (PC/SO-compliant smart cards and readers and provides drivers for CCNA certification commercially available plug and play smart card readers. Windows Server 2003 does not support non-PC/SC-compliant or non-plug and play smart card readers. Some manufacturers might provide drivers for non-plug and play smart card readers that work with Windows Server 2003; however, it is recommended that you purchase only plug and play PC/SC-compliant smart card readers.

The cost of administering a smart card program depends on several factors, including:

• The number of users enrolled in the smart card program and their location.

• Your organization's practices for MCSE exams issuing smart cards to users, including the

requirements for verifying user identities. For example, "will you require users to

simply present a valid personal identification card or will you require a back¬

ground investigation? Your policies affect the level of security provided as well as

the actual cost.

• Your organization's practices for users who lose or misplace their smart cards. For

example, will you issue temporary smart cards, authorize temporary alternate

logon to the network, or make users go home to retrieve their smart cards? Your

policies affect how much worker time is lost and how much help desk support is

needed.

Your smart card authentication strategy must describe the network logon and authentication methods you use, including(http://www.certtopper.com):

• Identify network logon and authentication strategies you want to deploy.

• Describe smart card deployment considerations and issues.

• Describe PKI certificate services required to support smart cards.

In addition to smart cards, third-party vendors offer a variety of security products to provide two-factor authentication, such as MCITP Enterprise Administrator "security tokens" and biometric accessories. These accessories use extensible features of the Windows Server 2003 graphical logon user interface to provide alternate methods of user authentication.

Exam Tip Know what you must do to deploy smart cards.