Setting up Windows laptops to require a smartcard for unlocking

I am looking for details on how to secure a windows laptop using smart cards. The scenario is that we have laptops in vehicles, which remotely connect (via https) to an application server over the internet. Scheduling and payment applications run on the laptop. The operator is often away from the vehicle when performing work at a customer's location. To use the system, the operator should insert their smart card into the reader on the laptop. This should unlock the laptop. I want the application server to have client-side certificates which somehow are stored (or activated) using the smart card. Thus if the vehicle/laptop get stolen or compromised the thief cannot access the server without the smart card. Certainly we can deactivate the user account/revoke certificate after we discover the laptop has been stolen, but its the time in between where unauthorized access may be possible. In an ideal world, I would love wireless (bluetooth?) smart cards, so the operator does not actually have to insert any card, just be close. (like this: Blackberry + RIM Bluetooth-based Smart Card Reader)

asked Mar 23, 2013 at 1:32 153 1 1 gold badge 1 1 silver badge 5 5 bronze badges

1 Answer 1

Assuming the laptops to run under Windows, you would need the following:

a PKI solution to initialize and manage smart cards; each smart card will contain a private key and the associated certificate;
to enable smart card logon so that users open a session on the laptop with the smart card, instead of a password (the smart card itself will require entry of a PIN code);
to set a local policy which locks the laptop when the card is removed (that one is easy);
to activate certificate-based client authentication on the HTTPS server (see this if the server is IIS).

I have done all of this with that kind of cards; they come in several form factors, including as "USB keys" (actually USB-based smart card readers with an embedded smart card), which are convenient since all laptops have USB ports. The biggest cost is the PKI; not really the software, especially since there are free PKI (and you will want to have a look at this, by the way). 95% of PKI is procedures, i.e. people who spend some time doing things and checking that they did it right and auditing that other people did things right.

answered Mar 23, 2013 at 2:10 Thomas Pornin Thomas Pornin 328k 60 60 gold badges 795 795 silver badges 965 965 bronze badges

I like one time passwords personally. Have you seen the RSA securID keyfobs that are digital cert USB sticks as well? Does that make them 3FA?

Commented Mar 23, 2013 at 4:32

@NULLZ - no. The three main factors of auth are something you have (fob, USB, card, etc.), something you know (PIN or password), and something you are (biometrics). A keyfob that generates OTP and also contains certs is still only one factor - something you have.