Deploying Smart Cards

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If your organization requires a more secure form of authentication, you can use certificates and smart cards for user logon. Smart cards provide additional security because they require both a password and a physical smart card for a user to log on. The smart card contains a public key certificate, and to unlock the certificate, the user must supply a password, or PIN. It is much more difficult for an attacker to obtain both a physical smart card and the PIN that is used to unlock it in order to gain access to network resources.

To decide whether smart card authentication is appropriate for your organization, evaluate the potential benefits against the following considerations:

  • Costs. Deploying smart cards entails initial equipment costs for the purchase of smart cards and smart card readers, as well as administrative costs for preparing and distributing smart cards.

  • Infrastructure. A public key infrastructure (PKI) is required for smart card authentication. For more information about establishing a PKI, see "Designing a Public Key Infrastructure" in this book.

  • Ongoing administration. Unlike card keys, smart cards cannot be replaced easily if lost or forgotten. This introduces the potential for lost productivity if a user forgets or loses his or her card.

Because of the potential costs and administrative burden, many organizations choose to deploy smart cards only to certain groups of users, such as administrators or users who have access to extremely sensitive data.

For more information about deploying smart cards, see "Planning a Smart Card Deployment" in this book.