Authentication is the process by which an authentication system validates a user's identity. First, the user presents some proof of identity and asks the authentication system to confirm that the identity information is accurate. A successful check confirms that the user is a known, trusted user on the computer system or network.
Authentication can be based on the following mechanisms:

- Something You Know—like a password or a PIN
- Something You Have—like a SmartCard or token device
- Something You Are—like a fingerprint or voice print (a biometric)
- Someplace You Are—like a room (physical), an IP subnet (logical), or a time
Windows Vista can use the authentication protocols listed in Table 1.

Table 1. Authentication Protocols Supported by Windows Vista

| Authentication Protocol | Description | When to Use |
|---|---|---|
| PAP—Password Authentication Protocol | Clear-text usernames and passwords. Not recommended. | Use when clients on third-party operating systems need to authenticate. |
| SPAP—Shiva Password Authentication Protocol | Weak encryption; considered clear text. Not recommended. | Use when clients on third-party operating systems using SPAP need to authenticate. |
| CHAP—Challenge Handshake Authentication Protocol | Encrypted usernames and passwords. Stored using reversible encryption. | Use when clients on third-party operating systems (Mac, Unix, Linux) have authentication encryption enabled. |
| MS-CHAPv1—Microsoft Challenge Handshake Authentication Protocol version 1 | Encrypted usernames and passwords. Stored using one-way encryption. | Use on Microsoft Windows 95, NT 4 (pre-SP4), and 98 (pre-SE) clients. |
| MS-CHAPv2—Microsoft Challenge Handshake Authentication Protocol version 2 | Encrypted usernames and passwords. Stronger than MS-CHAPv1. | Use on Microsoft Windows NT 4 SP4, 98 SE, 2000, XP, 2003, and Vista clients. |
| EAP—Extensible Authentication Protocol | Allows additional authentication mechanisms to be used, including digital certificates and PKI. Typically stronger than password-based authentication. | Use with all certificate-based authentication, including SmartCards, biometrics, and so on. |

These are all password-based authentication mechanisms, except for EAP.
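The table's distinction between CHAP ("stored using reversible encryption") and MS-CHAP ("stored using one-way encryption") follows from how the challenge is answered. The added Python example below is not from the original text; it implements the RFC 1994 CHAP response (MD5 over identifier, secret and challenge), which forces the server to keep the secret itself, and beside it a one-way variant in which the server stores only a password verifier. The one-way variant uses SHA-256 and HMAC for illustration only; real MS-CHAP uses the NT hash with DES, and the user name and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not from the page).
PASSWORD = "correct horse battery staple"


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_server_verify(stored_secret: str, identifier: int,
                       challenge: bytes, response: bytes) -> bool:
    """The server must recompute the same MD5, so it needs the plaintext
    secret: this is why a CHAP server stores passwords reversibly."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def password_verifier(password: str) -> bytes:
    """One-way verifier derived from the password (SHA-256 here; MS-CHAP
    uses the NT hash). The credential store keeps only this value."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def oneway_response(verifier: bytes, challenge: bytes) -> bytes:
    """Client answers the challenge with a MAC keyed by its locally derived
    verifier; the server can check it from the stored verifier alone."""
    return hmac.new(verifier, challenge, hashlib.sha256).digest()


def oneway_server_verify(stored_verifier: bytes, challenge: bytes,
                         response: bytes) -> bool:
    # Caveat: the stored verifier is itself enough to answer a challenge,
    # so the store must still be protected even though it holds no plaintext.
    return hmac.compare_digest(oneway_response(stored_verifier, challenge), response)


def run_exchange(use_oneway: bool, password_attempt: str) -> bool:
    """Simulate one challenge/response round; return whether the server accepts."""
    challenge = os.urandom(16)  # server-chosen, fresh for every exchange
    identifier = 1
    if use_oneway:
        stored = password_verifier(PASSWORD)            # no plaintext kept
        resp = oneway_response(password_verifier(password_attempt), challenge)
        return oneway_server_verify(stored, challenge, resp)
    stored = PASSWORD                                   # plaintext must be kept
    resp = chap_response(identifier, password_attempt, challenge)
    return chap_server_verify(stored, identifier, challenge, resp)
```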
In Windows Vista, the
default logon authentication protocol is MS-CHAPv2. This is
Microsoft’s second version of the open standard Challenge Handshake
Authentication Protocol. This is the strongest one-factor authentication
protocol available to Windows Vista. One-factor authentication utilizes
only one of the authentication mechanisms (like something you know,
have, or are).
SmartCards
To strengthen authentication
beyond MS-CHAPv2, you can require more than one authentication mechanism
and move to multifactor authentication. One of the most common
multifactor authentication mechanisms is the use of SmartCards, along
with a password or Personal Identification Number (PIN). This is
referred to as two-factor authentication—something
you have and something you know.
Microsoft has built in
many controls to strengthen the two-factor authentication processes with
the use of SmartCards. These controls are configured in the Local
Security Policy (LSP) for the Vista computer or by GPO in an Active
Directory environment.
To configure Vista for SmartCards, you principally need two settings. These are located in the Security Options section of the LSP and GPO, as shown in Figure 1. They are:

- Interactive logon—Require smartcard. This can either be enabled or disabled.
- Interactive logon—Smart card removal behavior. The settings are:
  - No Action
  - Lock Workstation
  - Force Logoff
  - Disconnect if a remote Terminal Services session