Software giant tightens up in-house security after hacker break-in.

With notable exceptions such as the U.S. Defense Department, smart cards that contain encryption-based digital certificates for signing e-mail or authenticating access to the network aren’t in widespread use in the corporate world, even though they provide better security than simple passwords. Microsoft learned that lesson and is now a smart-card advocate, requiring every one of its 55,200 employees to use them to prevent hacker break-ins.

“A few years ago we had a break-in,” says Jared Pfost, Microsoft’s group manager for threat and risk assessment, who is part of Microsoft’s 55-member internal security team. He says the attack succeeded because the hacker got hold of reusable simple passwords belonging to Microsoft employees.

After that incident – which Pfost couldn’t discuss further – Microsoft’s upper management, including Chairman Bill Gates, decided it was time for a radical overhaul of internal security practices to escape dependence on simple passwords.

Microsoft switched to smart cards, the palm-sized computers that can store personal information and play a role in security in several ways. Smart cards can be programmed to provide physical access to buildings and logical access to networks. That’s the dual-use approach Microsoft takes with smart cards: entry into Microsoft buildings via the physical access-control system supplied by security vendor Lenel, and access to Microsoft’s intranets at about 400 locations around the world.

The main value of smart cards is that they provide “two-factor authentication” – something you have and something you know, says Pfost, who explains how public-key infrastructure (PKI) has emerged at Microsoft as a network-access method.
Microsoft’s smart-card approach (based on the Indala smart card) uses a digital certificate that binds PKI encryption to a user’s personal information.

How Microsoft does it

Each smart card given to a Microsoft employee contains X.509 digital certificates issued by a Microsoft software-based root certificate authority, a key element in how PKI works. Digital certificates are used in different ways, including authenticating identity to the network and signing and encrypting e-mail.

“For remote access, the user’s certificate on the smart card acts as the credential,” Pfost says. The PKI process works by having the user’s public- and private-key pair matched up during the remote authentication process with the Microsoft ISA Server. These public-key certificates are stored in Microsoft’s Active Directory, which is distributed across domain controllers.

Microsoft employees are required to use smart cards and PKI authentication for remote access and for privileged access to servers for administrative purposes. “We’re also piloting use of two-factor for all login using this smart card,” Pfost says. The program would move smart-card authentication to the desktop, which will have smart-card readers such as those from DataKey.

Microsoft also has started assigning digital certificates to wireless-enabled devices, such as 802.11b LAN-outfitted laptops, which requires the machine to authenticate using PKI as well as the individual. This is being done as an added security precaution for wireless LANs.

The second and third certificates on each smart card that Microsoft issues provide for secure e-mail through signing and encryption of mail using PKI encryption.
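The two passages above describe the core of certificate-based network access: the card holds a private key that never leaves it, the CA-issued X.509 certificate binds the matching public key to the user, and the server "matches up" the pair by checking that the client can sign a fresh challenge with the key the certificate vouches for. The following is an added, self-contained Go example of that exchange written for this article; it is not Microsoft's, Pfost's or any vendor's code, and it does not model ISA Server, Active Directory or the PIN that unlocks a real card ("something you know"). The CA name "Example Corp Root CA" and the user names are constructed for the example, and only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Card stands in for the smart card: the private key is generated on it and never leaves it.
type Card struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate // CA-signed certificate binding the public key to the user
}

// Sign answers a server challenge; only the holder of this card's key can produce it ("something you have").
func (c *Card) Sign(nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, d[:])
}

// issue signs tmpl with parentKey (parent == tmpl for a self-signed root) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA creates a self-signed software root CA (constructed name; stands in for the enterprise root).
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"},
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueCard generates a key pair for one user and has the CA sign a client-authentication certificate for it.
func IssueCard(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string) (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: user},
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Card{priv: key, Cert: cert}, nil
}

// NewNonce makes a fresh challenge per login attempt so that a captured signature cannot be replayed.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Authenticate is the server side: accept the certificate only if it chains to a trusted root and is
// valid for client authentication, then accept the login only if the challenge was signed by the key
// that certificate vouches for. The identity comes from the certificate, not from the client's claim.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // untrusted issuer, expired, or not a client-auth certificate
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unsupported key type")
	}
	d := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", errors.New("challenge signature does not match the certificate's key")
	}
	return cert.Subject.CommonName, nil
}
```

The design point worth noticing is that the certificate itself is public and proves nothing on its own; what authenticates the user is the signature over a nonce the server just generated, which only the key held on the card can produce. A certificate copied from the directory, a certificate issued by a CA the server does not trust, or a signature captured from an earlier login all fail in Authenticate for different reasons, which is why the server checks the chain, the extended key usage and the challenge separately.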
Corporate e-mail sent over the Internet is required to be secured through PKI, Pfost says, adding that PKI-protected e-mail is encouraged for internal use.

With help from smart cards, Microsoft intends to gradually banish simple passwords – which have caused security problems because they can be easily shared or stolen – from use inside the company.