
Smart card keyboards? (and implementation thereof)

GrimReaper Registered User regular
I'm currently playing with the idea of adding some better security at work.

Has anyone used/set up a bunch of computers using these types of keyboards? What are your experiences?

For example this HP keyboard.

Do the smart cards allow for multiple users? If I allow it for example can user 1 log in to user 2's computer as user 2 or will it limit it that when user 1 uses their smart card at user 2's computer it will log them in as user 1 without any prompt? (it's a whole people want to check others' emails when out of the office for a few hours thing)

I'd like it so that a smart card will allow a user to log in as more than just one user. Or am I buggered in that regard? (like for example a universal smart card that could login as any user for myself as admin, then smart cards that allow say 4 people to login as each other and so on)

PSN | Steam
---
I've got a spare copy of Portal, if anyone wants it message me.
GrimReaper on

Posts

  • PeregrineFalcon Registered User regular
    edited September 2008
    You might need to be on Vista for some of what you're asking. See article here: http://technet.microsoft.com/en-us/library/cc721959.aspx
    Smart card logon of a single user with one certificate into multiple accounts
    In Windows Vista, a single user certificate can be mapped to multiple accounts. For example, a user can log on to his or her user account or can log on as domain administrator.

    Smart card logon of multiple users into a single account
    Windows Vista supports the ability for multiple users with unique smart card certificates to log on to a single account, such as an administrator's account.

    That covers the different accounts/permissions, etc ... but this whole "User 1 has a card that logs in as User 2" stuff just looks like a clusterfuck of SOX violations to me.

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
  • Dunadan019 Registered User regular
    edited September 2008
    GrimReaper wrote: »
    I'm currently playing with the idea of adding some better security at work.

    Has anyone used/set up a bunch of computers using these types of keyboards? What are your experiences?

    For example this HP keyboard.

    Do the smart cards allow for multiple users? If I allow it for example can user 1 log in to user 2's computer as user 2 or will it limit it that when user 1 uses their smart card at user 2's computer it will log them in as user 1 without any prompt? (it's a whole people want to check others' emails when out of the office for a few hours thing)

    I'd like it so that a smart card will allow a user to log in as more than just one user. Or am I buggered in that regard? (like for example a universal smart card that could login as any user for myself as admin, then smart cards that allow say 4 people to login as each other and so on)

    the cards I've had experience with are imprinted with your login information and email information making it possible for people to log on to different computers with their cards but having to set up the mail server and have no personal files. you can have an admin card that logs you into the admin account to all the computers you want to have access to and have everyone else have access to only their account and not the admin (you can give them admin privileges if you want though). you might be able to set up more than one email information per card but I have no clue how you would do it.

    it really doesn't add much security btw since people will try to leave their computer logged in all the time regardless and it adds problems where people can't get onto their computer to work since the reader is broken which happens a lot.

    Dunadan019 on
  • saggio Registered User regular
    edited September 2008
    I'm curious what kind of smart card you will be using. I've been looking into this myself for the past couple of weeks, but I've yet to find something that is open, UNIX-compatible, and uses AES.

    saggio on
    3DS: 0232-9436-6893
  • GrimReaper Registered User regular
    edited September 2008
    saggio wrote: »
    I'm curious what kind of smart card you will be using. I've been looking into this myself for the past couple of weeks, but I've yet to find something that is open, UNIX-compatible, and uses AES.

    At the moment I'm only checking stuff out, not yet purchasing. I've got a bunch of more important projects to sort out like PoE external security cameras and so on.

    Currently the password policy for users is a bit of a joke (inherited from my predecessor), so I'm looking at having random character passwords and/or an implementation of smart cards.

    GrimReaper on
    PSN | Steam
    ---
    I've got a spare copy of Portal, if anyone wants it message me.
  • PeregrineFalcon Registered User regular
    edited September 2008
    GrimReaper wrote: »
    saggio wrote: »
    I'm curious what kind of smart card you will be using. I've been looking into this myself for the past couple of weeks, but I've yet to find something that is open, UNIX-compatible, and uses AES.

    At the moment I'm only checking stuff out, not yet purchasing. I've got a bunch of more important projects to sort out like PoE external security cameras and so on.

    Currently the password policy for users is a bit of a joke (inherited from my predecessor), so I'm looking at having random character passwords and/or an implementation of smart cards.

    I'd just start with a strong-password policy - trying to push them into smartcards, PINs, and multiple accounts seems like a problem waiting to happen.

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
  • Dunadan019 Registered User regular
    edited September 2008
    GrimReaper wrote: »
    saggio wrote: »
    I'm curious what kind of smart card you will be using. I've been looking into this myself for the past couple of weeks, but I've yet to find something that is open, UNIX-compatible, and uses AES.

    At the moment I'm only checking stuff out, not yet purchasing. I've got a bunch of more important projects to sort out like PoE external security cameras and so on.

    Currently the password policy for users is a bit of a joke (inherited from my predecessor), so I'm looking at having random character passwords and/or an implementation of smart cards.

    log people out after 30 minutes of non-use.

    make people have at least 2 numbers and 2 capital letters in their password minimum 8 characters.

    the cards are really more of a pain than they are useful.

    Dunadan019 on
  • PeregrineFalcon Registered User regular
    edited September 2008
    Dunadan019 wrote: »
    log people out after 30 minutes of non-use.

    make people have at least 2 numbers and 2 capital letters in their password minimum 8 characters.

    the cards are really more of a pain than they are useful.

    Businesses spend $Texas to ensure the safety of their data; setting a policy that will cause more of it to be lost is just moronic.

    GPO-enforced screensaver on a 10-minute timer, password required to unlock.

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
  • Dunadan019 Registered User regular
    edited September 2008
    Dunadan019 wrote: »
    log people out after 30 minutes of non-use.

    make people have at least 2 numbers and 2 capital letters in their password minimum 8 characters.

    the cards are really more of a pain than they are useful.

    Businesses spend $Texas to ensure the safety of their data; setting a policy that will cause more of it to be lost is just moronic.

    GPO-enforced screensaver on a 10-minute timer, password required to unlock.

    sorry I didn't mean log out I meant lock, I'm trying to follow too many threads at once

    Dunadan019 on
  • GrimReaper Registered User regular
    edited September 2008
    The policy is more meant to prevent out of office hours people logging on to users' computers.

    For example guys who come in on a weekend or night shifts from walking into the office and doing something they shouldn't. By giving a user a physical item which allows them to log in to a computer and perhaps disabling password login then those guys won't be able to do anything on the computers. (at least without being fairly knowledgeable with boot CDs)

    GrimReaper on
    PSN | Steam
    ---
    I've got a spare copy of Portal, if anyone wants it message me.
  • Dunadan019 Registered User regular
    edited September 2008
    GrimReaper wrote: »
    The policy is more meant to prevent out of office hours people logging on to users' computers.

    For example guys who come in on a weekend or night shifts from walking into the office and doing something they shouldn't. By giving a user a physical item which allows them to log in to a computer and perhaps disabling password login then those guys won't be able to do anything on the computers. (at least without being fairly knowledgeable with boot CDs)

    so you are trying to prevent workers coming in and doing work on off hours?

    or someone else coming in and logging on that shouldn't be?

    cause the second should be taken care of by passwords and the first just seems odd.

    Dunadan019 on
  • PeregrineFalcon Registered User regular
    edited September 2008
    GrimReaper wrote: »
    The policy is more meant to prevent out of office hours people logging on to users' computers.

    For example guys who come in on a weekend or night shifts from walking into the office and doing something they shouldn't. By giving a user a physical item which allows them to log in to a computer and perhaps disabling password login then those guys won't be able to do anything on the computers. (at least without being fairly knowledgeable with boot CDs)

    You could just disable logins outside working hours - but smartcard or not, physical access always trumps everything.

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
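
Added example, not part of any post in this thread: in Active Directory, the "disable logins outside working hours" suggestion above corresponds to the per-user logonHours attribute. The sketch assumes that attribute's layout (21 bytes, one bit per hour of the week, starting Sunday 00:00 UTC, least-significant bit first); the function names and the sample schedule are made up for illustration.

```python
"""Build and check an Active Directory logonHours bitmap (illustrative sketch)."""

# Assumed layout: 168 one-hour slots, slot 0 = Sunday 00:00-01:00 UTC,
# packed 8 slots per byte with the least-significant bit first.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 7 * 24


def _slot(day, local_hour, utc_offset_hours):
    """UTC hour-of-week slot for a local day/hour; wraps around the week."""
    return (DAYS.index(day) * 24 + local_hour - utc_offset_hours) % HOURS_PER_WEEK


def logon_hours(allowed_days, start_hour, end_hour, utc_offset_hours=0):
    """Return the 21-byte value allowing [start_hour, end_hour) local time."""
    if not 0 <= start_hour < end_hour <= 24:
        raise ValueError("need 0 <= start_hour < end_hour <= 24")
    bitmap = bytearray(HOURS_PER_WEEK // 8)
    for day in allowed_days:
        for hour in range(start_hour, end_hour):
            slot = _slot(day, hour, utc_offset_hours)
            bitmap[slot // 8] |= 1 << (slot % 8)
    return bytes(bitmap)


def is_allowed(bitmap, day, local_hour, utc_offset_hours=0):
    """True if the bitmap permits a logon starting in that local hour."""
    slot = _slot(day, local_hour, utc_offset_hours)
    return bool(bitmap[slot // 8] >> (slot % 8) & 1)


def allowed_hour_count(bitmap):
    """Number of permitted hours per week, as a quick sanity check."""
    return sum(bin(b).count("1") for b in bitmap)


if __name__ == "__main__":
    # Constructed schedule: Monday-Friday, 08:00-18:00, site at UTC+1.
    week = ["Mon", "Tue", "Wed", "Thu", "Fri"]
    office = logon_hours(week, 8, 18, utc_offset_hours=1)
    print(office.hex())
    print("Sat 10:00 allowed:", is_allowed(office, "Sat", 10, 1))
    print("hours per week:", allowed_hour_count(office))
```

The offset is a fixed whole number of hours, so a bitmap built this way shifts by an hour across a daylight-saving change and has to be regenerated.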
  • Thomamelas Only one man can kill this many Russians. Bring his guitar to me! Registered User regular
    edited September 2008
    GrimReaper wrote: »
    saggio wrote: »
    I'm curious what kind of smart card you will be using. I've been looking into this myself for the past couple of weeks, but I've yet to find something that is open, UNIX-compatible, and uses AES.

    At the moment I'm only checking stuff out, not yet purchasing. I've got a bunch of more important projects to sort out like PoE external security cameras and so on.

    Currently the password policy for users is a bit of a joke (inherited from my predecessor), so I'm looking at having random character passwords and/or an implementation of smart cards.

    How much experience with CCTV do you have? And what software/cameras are you looking at?

    Thomamelas on