Monday, October 18, 2010

Using a smart card for standalone management station security

Dedicated standalone management workstations are frequently used to control automated equipment (telco systems, smart devices, etc.) and ship as part of the vendor's solution. These stations usually run Windows, and the vendor either does not recommend joining them to the domain or it cannot be done for technical reasons.
Very often these management nodes control the company's mission-critical equipment, so password protection alone is not enough. Two-factor authentication is required, and I prefer a smart card. The problem is that Windows normally does not support smart card logon on a standalone workstation: native smart card logon is Kerberos-based and needs a domain controller and a PKI. There is a trick, though: the smart card can be used to store the Windows password. The card vendor's custom logon GINA reads the password from the card after the PIN is entered and submits it as an ordinary local logon, so possession of the card plus the PIN becomes the second factor (note that GINA is the Windows XP/2003 logon component; Vista and later use credential providers instead, so the vendor must supply the matching component for the node's Windows version). In my case ActivIdentity provided this GINA and all the necessary software. So, what was done:
1. Created a list of management nodes.
2. Installed the smart card drivers and the vendor's software on each node.
3. Created a local account for each technician and stored its password on that technician's smart card. (Hint: the password must either be randomly generated or entered by two people who each know only half of it, so that nobody can log on without the card.)
4. Prohibited the user from changing the password manually (otherwise the copy on the card stops matching Windows).
5. If you also want to secure the physical network connection of the node, add 802.1X with certificate-based authentication using the smart card certificate (but this is a bit more tricky).
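As an added example, not code from the original post or from ActivIdentity, here is how steps 3 and 4 can be done on the node itself with PowerShell: the password is either generated from a cryptographic RNG or assembled from two halves typed by two custodians, the local account is created through the WinNT ADSI provider, and the "user cannot change password" flag is set so the copy on the card keeps matching Windows. Writing the password to the card is left to the vendor's tooling, and the technician name and the local group used here are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the standalone management node. Names below are assumptions.

function ConvertFrom-SecureStringPlain([System.Security.SecureString]$Secure) {
    # Decode a SecureString to plain text and wipe the unmanaged copy afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-RandomPassword([int]$Length = 24) {
    # Mode 1 of the hint: a random password that no person ever knows.
    # The alphabet avoids look-alike characters and quotes/backslashes that
    # some card tools mishandle; rejection sampling keeps the draw unbiased.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

function Read-SplitPassword {
    # Mode 2 of the hint: two custodians each type half; neither sees the whole.
    $half1 = Read-Host -AsSecureString 'Custodian 1, enter your half'
    $half2 = Read-Host -AsSecureString 'Custodian 2, enter your half'
    return (ConvertFrom-SecureStringPlain $half1) + (ConvertFrom-SecureStringPlain $half2)
}

function New-TechnicianAccount {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$Group = 'Administrators'   # assumption: technicians need local admin
    )
    $ADS_UF_PASSWD_CANT_CHANGE = 0x40       # step 4: user may not change the password
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000    # no expiry prompt the card logon cannot answer

    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('User', $Name)
    $user.SetPassword($Password)
    $user.Put('Description', 'Management technician, smart-card logon only')
    $user.SetInfo()

    $user.psbase.RefreshCache()
    $flags = [int]$user.UserFlags.Value
    $user.Put('UserFlags', ($flags -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    $user.SetInfo()

    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $grp.Add($user.Path)
    return $user.Path
}

function Test-PasswordLocked([string]$Name) {
    # Check that step 4 actually took: bit 0x40 must be set on the account.
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    return (([int]$u.UserFlags.Value) -band 0x40) -ne 0
}

# --- usage -------------------------------------------------------------
$technician = 'jdoe'                             # assumed technician name
$password   = New-RandomPassword -Length 24      # or: Read-SplitPassword
$null = New-TechnicianAccount -Name $technician -Password $password

# Hand $password to the card vendor's tool that writes it to the smart card,
# then discard it; it must never be printed, logged or e-mailed.
Remove-Variable password

if (-not (Test-PasswordLocked $technician)) { throw "password-change lock not set on $technician" }
```

The same flag can also be set from the command line with `net user <name> /passwordchg:no`; the script form is just easier to repeat over the list of nodes from step 1.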

Moreover, with this scheme you can build a highly secure management node for emergency direct access to your mission-critical systems, one that reaches them directly, bypassing the terminal servers, firewalls or switches of the normal access path.