Defining Smart Card Service Level Requirements

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you deploy smart cards, establish service level agreements to help your IT organization align smart card performance with the objectives of the organization in areas such as reliability, response times, and support procedures.

For example, you need to define smart card service level standards for:

  • The types of identification required to obtain a smart card. You might choose to require a specific type of personal identification, such as a driver’s license or other photo ID, in order for a user to obtain a smart card.

  • Unique service guarantees for special classes of employees, such as executives or roaming employees. Define whether certain classes of employees are permitted to operate under support agreements that differ from those of other users.

  • Acceptable time needed for users to log on. Aim to keep the number of steps and the time required for a smart card logon comparable to those of a conventional password logon. A logon that is noticeably slower or more cumbersome than the password logon it replaces generates help desk calls and pressure for exceptions.

  • Acceptable logon times for remote access users. Remote access logons are more susceptible to slowdowns than logons over the local network, especially for users on slow dial-up connections. You might need to upgrade your remote access configuration in order to ensure acceptable logon times for remote users.

  • Remote access exceptions. The computer configurations of some users might not be compatible with smart cards, and remote users might lose or forget their smart cards. Identify the circumstances, if any, in which remote users are allowed to use remote access without using a smart card.

  • Number of unsuccessful PIN entries allowed. Do not allow an unlimited number of attempts to enter a PIN. Allowing three or four attempts is generally adequate. The limit is enforced by the card itself: when the retry counter is exhausted the card is blocked, and the user must follow the PIN reset or unblocking procedure that you define.

  • PIN reset requirements. Decide whether users are allowed to reset their own PINs, or whether they need to provide personal identification to security or help desk personnel to have their PINs reset. If you decide that users need to provide positive identification, decide whether the user must present the identification in person, such as a photo ID, or demonstrate knowledge of a predefined secret, such as a mother’s maiden name. Keep in mind that a secret of this kind is often discoverable, so a reset based on it alone provides weaker assurance than an in-person check.

  • Service guarantees to users who cannot use their smart cards because of loss, damage, or blocking. This includes:

    • Establishing when and how users can regain access to the network.

    • Determining whether to restrict these users’ access to the network to certain areas, or to allow them access to any areas of the network that were previously accessible to them.

    Defining these limits helps you to establish user expectations and support procedures.
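The remote access exceptions and the service guarantees above both produce a list of accounts that are permitted, temporarily or permanently, to log on without a smart card. The following script, added here as an example and not part of the Deployment Kit, enumerates those accounts so that each one can be matched against a documented exception. It assumes the Active Directory module for Windows PowerShell (from the Remote Server Administration Tools, a later release than the product this chapter covers) is installed, that the caller can read the domain, and that the output path and the decision to audit the whole domain are local choices.

```powershell
# Added example: list enabled accounts that are not required to use a smart card
# for interactive logon, together with their dial-in permission, so the list can be
# reconciled with the exceptions recorded in the service level agreement.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

# Assumption: audit the entire domain. Narrow -SearchBase to an OU if required.
$searchBase = (Get-ADDomain).DistinguishedName

# SmartcardLogonRequired reflects the "Smart card is required for interactive logon"
# account option (the ADS_UF_SMARTCARD_REQUIRED bit of userAccountControl).
# msNPAllowDialin is the account's remote access (dial-in) permission.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
    -Properties SmartcardLogonRequired, msNPAllowDialin

$exceptions = $users |
    Where-Object { -not $_.SmartcardLogonRequired } |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'DialInAllowed'; Expression = { [bool]$_.msNPAllowDialin } }

# Accounts that can both dial in and log on without a smart card deserve the
# first review, because they are exactly the remote access exceptions defined above.
$remoteWithoutCard = $exceptions | Where-Object { $_.DialInAllowed }

"Accounts not required to use a smart card: {0}" -f @($exceptions).Count
"Of these, allowed remote access:          {0}" -f @($remoteWithoutCard).Count
$remoteWithoutCard | Sort-Object SamAccountName | Format-Table -AutoSize

# Assumption: the CSV path. Attach the file to the operations plan for sign-off.
$exceptions | Sort-Object SamAccountName |
    Export-Csv -Path .\smartcard-exceptions.csv -NoTypeInformation
```

Run the script periodically and compare the output with the previous run; any account that appears on the list without a corresponding entry in the documented exceptions is either an oversight in provisioning or an exception that was never recorded.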

Document your service level standards. You will need to apply these standards in your smart card operations plan, test them in your lab and pilot deployments, communicate them to help desk personnel and to your users, and include them in your support and maintenance plan.

For a worksheet to assist you in documenting your service level agreement, see "Smart Card Service Level Agreement" (DSSSMC_2.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Smart Card Service Level Agreement" on the Web at https://www.microsoft.com/reskit).

Important

  • Incorporate your smart card service level agreements in the Certificate Practice and Policy Statements for your public key infrastructure. For more information about creating Certificate Practice and Policy Statements, see "Designing a Public Key Infrastructure" in this book.