Home page logo

pauldotcom logo PaulDotCom mailing list archives

Re: Requiring smart card use in a Windows domain
From: Herndon Elliott <alabamatoy () gmail com>
Date: Fri, 21 Jun 2013 06:42:10 -0500

Date: Thu, 20 Jun 2013 15:04:18 -0600
From: Terri Shuey <mathair.jedi () gmail com>
To: "pauldotcom () mail pauldotcom com" <pauldotcom () mail pauldotcom com>
Subject: [Pauldotcom] Requiring smart card use in a Windows domain

When testing the 2 different configuration options to require smart card
use for interactive logins (computer vs user account setting) we found
options broke access to other applications that were linked to AD.  For
example corporate mail delivery to iDevices when the user account was
required to use a smart card.  Or RunAs Admin when computer account was
to require it.

Since corporate mail delivery to an iDevice is normally considered mission
critical (heaven forbid if email is down) has anyone found a way to bypass
or limit either of these account configurations to just normal user
accounts on specific devices?  For example require the computer account to
use smart card but allow RDP or RunAs for admins without smart card

See http://militarycac.com - solution is "Middleware" tools.  What you
describe is widely deployed and solved in DoD.  Also, there are now
certificate solutions which implement solution on iThings and Androids.
Some are better and more secure (and therefore less convenient) than
others.  Softcerts look to be where we will wind up.

Good luck....

Herndon Elliott
Madison, Al
https://keyserver.pgp.com key ID: 24B60B6150130832
ΜΟΛΩΝ ΛΑΒΕ "molon labe"
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]