I guess there isn't much of a standard for implementing smart cards in any environment.

Does anybody have a success/failure story about implementing smart cards?

you can integrate smartcards into AD but  i dont think it is as simple installing one application.  there are card readers/software, certificate management, getting the certificates/tokens on the smart cards. its been done though. i think microsoft has some documentation on it.

I have seen some installed at the military recruiters office.

As far as using smart cards for Two-Factor Authentication(TFA), unless the smart cards are being used for things like code-signing, X of Y authentication where a certain number of people have to be present to do something,  or encryption, I prefer the key-fob method.  RSA and a number of others implement token based authentication where you are required to enter both your pin and a token value which changes periodically in order to authenticate.    These types of technologies are implementable cross platform and can tie into things like VPN's and radius fairly easily. 

For things like file encryption, smart cards/USB Keys are really neat.  Combining with two factor authentication with certificates allows for the encryption/decryption keys for files/file systems to live with you.  I like the USB token idea better because if your company is devoted to the solution it's less likely to be left at the office because it's required to check email from home.  The only caveat is, make sure that your PKI implements a key recovery agent for EFS/Bitlocker if you use a solution like that because people will lose these things. 

ChrisC, thank you very much for your reply.  My organization is a bit on the 'slow' side on many things.  We are going to have to impliment the cards due to mandates from Wash DC though eventually.  The cards/system from Gemalto, do you know off hand if it meets with HSPD-12 compliance?

Hi Guys,

I've been lurking for a while, and this thread prompted me to sign up.
I know this is an old post, but I figured id put my 2c worth in anyways.

I am the IT / Manager for a health clinic and have recently implemented Sun's SunRay Server with Sun Ray thin clients. The security side of the system has its benefits for us, but the technology really fits our working model.

The reason for the change is because all the staff move around between workstations during the day. Not only was this a security issue, the main problem I had was that at the end of the day come balancing time, I could never pin down the "problem" entries on the balance sheet to any one particular person.

"oh, that wasn’t me, I wasn’t here then, someone else was using my profile"

*ugh*

In the morning, the staff would come in and log onto a workstation and then move around with all the rest of the staff between workstations. This is something that is part of the job and the staff do actually need to do, but logging in and out upon moving was too much of a hassle, so they didn’t bother.

So the application of the smart cards and SRSS was to enable my staff the ability to continue moving between workstations, but have their session follow them with their smart card. Although I know its possible, I don't use the Smart Cards for authentication to the TS box, each user still needs to input a valid password to access the terminal server.

So now at the end of the day when it comes time to balance, I know that each user entry on the balance sheet is correct, and have identified staff who need more training.

Additional benefits have been:

1. Increased privacy as workstations are no longer left logged in and unattended.
2. Increased security as you can only access the TS box from a Sun Workstation if you have a card.
3. Reduction of power consumption as the thin clients really are very thin!

The biggest hassle I had to begin with was making sure the staff actually DID take their damn card with them when they left a workstation. Being so used to just moving between workstations made it hard to break this habit. Although a few unannounced trips around the office collecting cards from unattended workstations fixed the problem fairly quickly. Staff felt rather stupid having to come to me to get their card back after a number of times.

If anyone is interested in more detail about the setup, please let me know. I'm more than happy to share exp / thoughts.

How did everyone go with their smart card implementations?

Xiv

Xiv,

How did you get management buy in on this? My group has been arguing for thing clients for the 3 years I've been here. It'd save on money, and would make more since, since we have the same problem of people moving around / multiple people using the same work station. Problem is, we keep getting push back from management saying no.

eth3real:
Where / how did you acquire those? From my experience the vendor / var that gives me things to play with usually have no problems answering my questions and helping me out (they see it as good marketing and more likely to make a sale to me).