Overview

Typically, a cookbook is a collection of recipes, or instructions, that explain how to do something and what you need to do it. This "cookbook" is a set of "recipes" for deploying smart cards in an enterprise that is deploying Microsoft Windows 2000 Active Directory. The white papers in this series will help you understand the principal smart card concepts and guide you through the planning tasks.

The cookbook is divided into three sections:

About This Cookbook

Section 1: Smart Card Backgrounder

The papers in this section are designed to provide you with a foundation for your understanding of smart cards. This section covers such topics as how smart cards have been used in organizations, smart card architecture in Microsoft Windows 2000, smart card application development, and the public key infrastructure (PKI) requirements for deploying smart cards, for example, for smart card logon. By the end of this section you will be able to build a case for deploying smart cards in your organization based on:

  • An understanding of the ways in which the initial investment in deploying cards and readers can be leveraged to deploy a range of useful smart card applications.

  • An understanding of the smart card features shipped "in the box" with Windows 2000.

  • An understanding of the infrastructure components necessary to deploy smart cards for smart card logon.

Section 2: Smart Card Deployment Planning Considerations

The papers in this section provide you with the building blocks that allow you to start planning your smart card deployment, by setting out the kind of considerations to bear in mind. This includes factors such as:

  • Your network infrastructure and administration model

  • The basic considerations for planning a PKI

  • The details of planning the actual deployment

Section 3: Smart Card Deployment Scenario

The papers in this section describe a detailed deployment scenario that uses a fictitious company, Hay Buv Toys, as an example of an organization planning a smart card deployment. The section begins with a description of Hay Buv's current environment and its smart card deployment goals, then sets out its desired deployment environment. This section takes you through processes such as:

  • Deploying the PKI

  • Deploying smart cards

  • Deploying PKI-enabled applications for smart cards

  • Developing applications for Windows for Smart Cards

Who Should Read This Series

This deployment cookbook addresses the concepts behind deploying smart cards, the steps that are necessary to plan a successful deployment, and some of the tools that deployment requires. Therefore, it will be of use to the following people:

  • Network engineers

  • System architects

  • Consultants

Section 1: Smart Card Backgrounder

Introduction to Windows for Smart Cards

This white paper covers the added value of using smart cards in the enterprise:

  • Business opportunities

  • Higher level of security

  • Legal aspects and how smart cards fit with digital signature laws

Smart Card Concepts

This white paper covers basic smart card information, such as the following:

  • What is a smart card? This covers the different form factors, etc.

  • What can you do with a smart card? This covers some examples of uses for smart cards, e.g., stored value, credential storage, etc.

Windows Smart Card Subsystem

This white paper covers the following:

  • PC/SC v1.0: what it is and why it's relevant.

  • ISO 7816: what it is and why it's relevant.

  • Why do cards differ from each other, e.g., GemPlus, Schlumberger?

  • Descriptions of the components in the architecture, i.e., readers, drivers, resource manager.

  • Support in Windows platforms, i.e., the files shipped in the box or downloaded, driver and card coverage in all Windows platforms.

Smart Cards and the Windows 2000 PKI

This white paper begins tying the concepts together.

  • What are the requirements for using smart cards to log on, sign e-mail, etc.? This includes a discussion of the need to deploy a CA infrastructure.

  • What is enrollment? This covers what is involved in enrollment from a software perspective, i.e., the necessary templates, the enrollment station, how it interacts with the CSP, etc.

  • What is smart card logon? This covers what is involved in logging on to the domain, how Winlogon and GINA interact, how Kerberos authentication fits in, user principal names (UPNs), etc.

  • What is e-mail signing/encryption? This covers what is involved in signing/encrypting e-mail.

Section 2: Smart Card Deployment Planning Considerations

Running a Windows 2000 PKI Project

This white paper covers the typical considerations involved in planning a PKI:

  • Hierarchy

  • External root CA or self-signed

  • What's online and what's offline

  • Enterprise CAs

  • Interoperability with non-Microsoft CAs

  • The kinds of tools you might use

Logistics of Smart Card Deployment

This white paper covers the typical considerations involved in planning a smart card deployment:

  • The kinds of card management tools you might need

  • Logistical processes, i.e., the kinds of steps you might want to have in place to verify identity for enrollment

  • The enrollment station vs. other approaches

  • Tracking cards throughout their lifecycle

  • Multi-application cards, i.e., logon plus an application

  • Escrow issues

  • Smart card-related interoperability issues, i.e., non-Microsoft CAs

Section 3: Smart Card Deployment Scenario

Welcome to Hay Buv Toys

This white paper outlines the existing Hay Buv Toys Windows NT infrastructure and describes some of the issues being faced by this fictitious company in this scenario.

The Hay Buv Toys Environment

This white paper describes the PKI that is planned, based on the factors described in the first white paper in this section, together with an outline of the procedures that will be adopted to deploy smart cards. This paper covers the stages of the project and what is involved at each stage:

  • Pilot

  • Early adopter deployment

  • Phased mass deployment

Deploying the PKI

This white paper is a walkthrough that describes deploying the PKI step by step, describing the test requirements at each stage.

Deploying Smart Cards

This white paper is a walkthrough that describes the steps and high-level processes that are necessary for deploying smart cards, starting with a pilot, etc., and describing the test requirements at each stage.

Deploying PKI-Enabled Applications for Smart Cards

This white paper is a walkthrough that describes the steps for deploying PKI-enabled applications such as S/MIME, VPN, SSL, or Windows Logon and how to require smart cards for them.

Developing Applications for Windows for Smart Cards

This white paper is a walkthrough that describes the steps for developing applications that are based on Windows for Smart Cards by using Visual Basic. Sample Visual Basic source code is provided for the Hay Buv Toys scenario.

Related Materials

The following document provides additional information about migration: