PSE, posted February 24, 2021

Hi Guys... Just expanded into larger premises and setting up new office & computers. I’m looking to add a smart card style logon system to all computers. Don’t want mag stripe as it’s easily copied. Ideally want the smart card inserted into a reader to logon to PC and if card is removed then the user is logged off. To comply with GDPR I’ve already got full drive encryption sorted, I’m just looking at an advanced logon solution. Anyone got any thoughts on this or can recommend a product.. thanks

MrHappy, posted February 24, 2021

Don't use 'em.... However I'd assume a keyboard with a smartcard reader was the norm? Dell rings a bell?

Mr Veritas God

PSE (author), posted February 24, 2021

Hi mate, I’ve seen the keyboards, and separate desktop smartcard readers, just not sure on what type of cards or programming them. I’ve seen some that are already programmed with security keys etc... just don’t know enough about them yet.

Nova-Security, posted February 24, 2021

Got prox reader built in to our laptops (Dell).

Keyboard with built-in reader:
https://www.dell.com/en-uk/work/shop/dell-kb813-smartcard-keyboard-uk-irish-qwerty/apd/580-18365/pc-accessories

www.nova-security.co.uk www.nsiapproved.co.uk
No PMs please unless I know you or you are using this board with your proper name.

MrHappy, posted February 24, 2021

I'm just googling-
https://pivkey.zendesk.com/hc/en-us/articles/115002505111-Setting-up-a-Smart-Card-Template-for-Self-Enrollment-Server-2012-R2-2016-

al-yeti, posted February 24, 2021

47 minutes ago, MrHappy said:
> Don't use 'em.... However I'd assume a keyboard with a smartcard reader was the norm? Dell rings a bell?

NHS standard

sixwheeledbeast, posted February 24, 2021

Don't use Windows but Yubikey login must be a thing? Which wouldn't be possible to clone at all with just the key. If webcam they have Windows Hello built in, not that I am fond of that. Smartcard systems I have seen were separate USB reader and printable HID cards, not sure if that's same as NHS?

PSE (author), posted February 24, 2021

I’ve seen this, not sure on cards though, still researching now, wanted to get a solution working for weekend..
https://www.amazon.co.uk/dp/B06XY2XLWF/ref=cm_sw_r_cp_awdb_imm_AP4Z06DC8K0GP5SQ5032

al-yeti, posted February 25, 2021

2 hours ago, PSE said:
> Hi Guys... Just expanded into larger premises and setting up new office & computers. I’m looking to add a smart card style logon system to all computers. Don’t want mag stripe as it’s easily copied. Ideally want the smart card inserted into a reader to logon to PC and if card is removed then the user is logged off. To comply with GDPR I’ve already got full drive encryption sorted, I’m just looking at an advanced logon solution. Anyone got any thoughts on this or can recommend a product.. thanks

I don't know anyone who does it that way
Smart card would allow you to access the PC then you have fingerprint reader, card reader, token or whatever you want after that
Would be too insecure otherwise

PSE (author), posted February 25, 2021

How can it be insecure if access is controlled by smart card?

al-yeti, posted February 25, 2021

6 hours ago, PSE said:
> How can it be insecure if access is controlled by smart card?

If I have your smart card? And no additional PIN?

norman, posted February 25, 2021

7 hours ago, PSE said:
> How can it be insecure if access is controlled by smart card?

When people forget to remove the card, or become complacent and leave it in the reader/keyboard.

Excuse my ignorance, I'm not up on this, but why do you need 2 level authority? I use my fingerprint and a PIN for my laptop, wouldn't that be enough?

Nothing is foolproof to a sufficiently talented fool.

PSE (author), posted February 25, 2021

Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times. That’s why I’ve gone down the full disk encryption with card access to boot and to logon. Remove the card and you’re logged off. Full disk encryption with secure boot is working perfectly, just wanted to add the smartcard as opposed to mag stripe, I believe it’s got to be more secure

sixwheeledbeast, posted February 25, 2021

Do you have much sensitive data on individual machines?

As al says it's about the layers, smartcard would be to use the machine/terminal as a login password replacement but sensitive data wouldn't be stored on that machine, you'd have it on a server protected by something else. All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time.

I don't know how much more secure a smartcard would be to magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock? You could make the machine lock with inactivity but would be pointless if you left the card so will always be down to the user to some degree.

norman, posted February 25, 2021

8 hours ago, PSE said:
> Windows 10 is so easy to create a back door access from boot level, you can get in within 5 minutes regardless of logon password or fingerprint and access pretty much anything you want, I’ve done it many times.

Ah, OK, thanks for the explanation.

al-yeti, posted February 25, 2021

6 hours ago, sixwheeledbeast said:
> Do you have much sensitive data on individual machines? As al says it's about the layers, smartcard would be to use the machine/terminal as a login password replacement but sensitive data wouldn't be stored on that machine, you'd have it on a server protected by something else. All you need is the machine and the card and you have the FDE broken, whereas you're unlikely to have physical access to server, machine and card at the same time. I don't know how much more secure a smartcard would be to magstripe, I suppose they both could be copied. You could argue if you swipe and keep the card on you, you're less likely to have someone leave an access card in the dock? You could make the machine lock with inactivity but would be pointless if you left the card so will always be down to the user to some degree.

Swipe requires you to stay logged in I assume screen saver login if you leave desk
But best way is on ID card you always carry it, so less likely to be left around, but if you remove it from reader you're locked out until you insert and use login ID
Fingerprints too long-winded for large organisations, not very manageable

PSE (author), posted February 25, 2021

Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then Windows will boot normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out. If computers are ever stolen, FDE is already active and impossible to penetrate.

I’ve done more research on it and it seems possible, but not easily achieved. Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

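Added example (not part of PSE's post or of any product named in the thread): the "remove the card and you are logged off" behaviour described above corresponds to the built-in Windows policy "Interactive logon: Smart card removal behavior", which only acts on sessions that were logged on with a smart card. The function names are hypothetical; the `ScRemoveOption` registry value and the `SCPolicySvc` service are Windows' own, and a domain Group Policy will override the local value.

```powershell
# Added example: audit, and optionally enforce, the smart card removal policy.
# Run in an elevated PowerShell session on the workstation being checked.
$script:Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-SmartCardRemovalStatus {   # hypothetical helper name
    $meaning = @{
        '0' = 'No action'
        '1' = 'Lock workstation'
        '2' = 'Force logoff'
        '3' = 'Disconnect if remote desktop session'
    }
    # ScRemoveOption is a REG_SZ; when it is absent Windows takes no action.
    $raw = (Get-ItemProperty -Path $script:Winlogon -Name ScRemoveOption `
                -ErrorAction SilentlyContinue).ScRemoveOption
    if ($null -eq $raw) { $raw = '0' }

    # The policy is carried out by the Smart Card Removal Policy service.
    # If that service is stopped, pulling the card does nothing.
    $svc = Get-CimInstance Win32_Service -Filter "Name='SCPolicySvc'"

    [pscustomobject]@{
        ScRemoveOption   = [string]$raw
        Behaviour        = $meaning[[string]$raw]
        ServiceStartMode = $svc.StartMode
        ServiceState     = $svc.State
        Effective        = ($raw -in '1','2','3') -and ($svc.State -eq 'Running')
    }
}

function Set-SmartCardForceLogoff {     # hypothetical helper name
    # '2' = force logoff on card removal; use '1' to lock the session instead.
    Set-ItemProperty -Path $script:Winlogon -Name ScRemoveOption -Value '2' -Type String
    Set-Service -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc
    Get-SmartCardRemovalStatus
}

Get-SmartCardRemovalStatus
```

A machine where `Effective` is `False` leaves the session open when the card is pulled, whatever the reader hardware.
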
al-yeti, posted February 25, 2021

1 hour ago, PSE said:
> Using Eset Deslock totally encrypts the drive, it can’t be bypassed in any way, I’ve learnt this the hard way. Once the system is powered up, it locks the boot up and requires typed credentials to be entered only. Once credentials are entered then Windows will boot normal way to the login screen. At this stage, I am attempting to have the smartcard inserted into a reader and this will logon, however once it’s removed it boots you out. If computers are ever stolen, FDE is already active and impossible to penetrate. I’ve done more research on it and it seems possible, but not easily achieved. Maybe I’m looking at this a bit too much, what are you lot doing your end to achieve max security?

I think these small time guys keep server in boot of car in case house gets broken into

sixwheeledbeast, posted February 25, 2021

I see, so password only for FDE and you'll leave them on, wasn't aware that was an option for Win, was thinking of BitLocker.

I use LUKS for all data storage but not Windows systems so unlikely helpful.

james.wilson, posted February 26, 2021

No data on the Windows machines, everything is on the servers which are Linux based

securitywarehouse: Security Supplies from Security Warehouse. Trade Members please contact us for your TSI vetted trade discount.