
Hardware Security

Back around 2001 (i.e. 9/11) there was a federal mandate that all government computer systems must be accessed using hardware based authentication. The time has come when all DoD organizations must begin requiring users to authenticate using CAC (Common Access Cards). These are cards with a chip in them that contains information about the card holder. The card holder is required to enter a PIN to access various systems. From logging in to Windows to accessing certain web sites, the CAC is now everyone's best (or worst) friend.

My job requires me to configure and program systems that are compatible with this new hardware based authentication. Today I was configuring IIS to match a user's CAC with their Active Directory user account. In IIS there is a setting on the "Web Sites" folder under "Directory Security" to enable the Windows Directory service mapper. Here's the help file excerpt:


Enable the Windows directory service mapper

Select to use Directory Service client-certificate mapping rather than one-to-one or many-to-one mapping. To enable this service, the server must be a member of the Windows Server 2003 domain. This option is available only when editing properties for all Web sites.

What this does is allow certificates (the CAC contains signed certificates just like SSL certificates) to be mapped to members of Active Directory. This is excellent news because I was beginning to fear I'd have to manually download and map over 1200 user accounts to their certificates.
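The mapping the directory service mapper performs has two parts that are easy to conflate: first the presented client certificate must chain to a trusted issuing CA, and only then is the certificate looked up against a directory account. The following Go program is an added example (not code from this post or from IIS) that models both steps with a constructed CA, a constructed CAC-style subject name, and an in-memory map standing in for Active Directory; the mapping key is modelled on the issuer/subject form AD uses in altSecurityIdentities ("X509:<I>issuer<S>subject"), so a certificate from a different CA carrying a copied subject can never match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key and parses the resulting certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed issuing CA. This is a constructed stand-in for
// the CA that signs CAC certificates, not a real DoD issuer.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newClientCert issues a client-authentication certificate for subject, the
// kind of certificate a CAC presents during TLS client authentication.
func newClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

// mappingKey renders issuer and subject in the altSecurityIdentities style.
// Binding the issuer means a subject name alone is never enough to match.
func mappingKey(cert *x509.Certificate) string {
	return "X509:<I>" + cert.Issuer.String() + "<S>" + cert.Subject.String()
}

// mapCertificate validates the chain to a trusted issuer for client
// authentication first, and only then consults the directory.
func mapCertificate(cert *x509.Certificate, trusted *x509.CertPool, directory map[string]string) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	account, ok := directory[mappingKey(cert)]
	if !ok {
		return "", errors.New("no account mapped to " + mappingKey(cert))
	}
	return account, nil
}

func main() {
	ca, caKey, _ := newCA("Example Issuing CA")
	rogue, rogueKey, _ := newCA("Rogue CA")
	// Constructed CAC-style subject: LAST.FIRST.MIDDLE.<10-digit id>.
	subject := pkix.Name{CommonName: "DOE.JOHN.Q.1234567890", Organization: []string{"U.S. Government"}}
	good, _ := newClientCert(ca, caKey, subject)
	forged, _ := newClientCert(rogue, rogueKey, subject) // same subject, untrusted issuer
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	directory := map[string]string{mappingKey(good): `DOMAIN\jdoe`} // stand-in for AD
	fmt.Println(mapCertificate(good, pool, directory))
	fmt.Println(mapCertificate(forged, pool, directory))
}
```

The order of the two checks is the point: looking the subject up before the chain is verified would let any certificate with a matching name reach the account lookup, which is exactly what the issuer-bound key and the up-front Verify call prevent.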

The amount of security that hardware authentication provides is amazing. No longer can someone just sit and guess passwords; they have to physically have the user's card with them, and the card has built-in protection against brute force. Of course the technology to program them will undoubtedly fall into the wrong hands, and whoever gets it will be able to program as many as they want, but I guess it's still better than good ole' username/password authentication.

I'm not 100% sold on this hardware based authentication, for a few reasons. If I have more than one account on my network, I must have a separate CAC for each account. If I want to access a network resource with a different username, I can't just type the username/password; I have to log out and log back in with my other account's CAC. There are a lot of problems that will have to be addressed for this all to work. I do know one thing though... whoever is manufacturing the card readers is making a KILLING. Oh well, that's government for you :)

1 Comment On This Entry


16 July 2006 - 01:54 PM
It's similar to fingerprint readers and USB password keys.
A good idea, but it just needs some fine tuning, as theft or manipulation can always be done even with these seemingly protected methods.

The software should run in an emulated state, thus allowing itself to be duplicated by account, and still access all files, etc. attached to each. Similar to the multi-desktop feature.
