|
Using Smart Cards for Administrative Tasks |
|
|
In a pure Windows 2000 network, it was not possible to use smart cards for all administrative tasks. Several tasks still required the input of user credentials and passwords, lessening the security gains accomplished through the issuance and usage of smart cards.
The Windows XP and Windows Server 2003 operating systems offer enhancements that enable additional usage of smart cards in administrative activities, including:
- The RunAs command. The RunAs command allows you to run a program in the security context other than that of the currently logged on user. For example, if administrators have day-to-day accounts and smart cards for administrative tasks, they can use the RunAs command to run administrative tasks with their smart cards, whether accessed via the graphical user interface (GUI) or from the command line. From the command line, you can add the /smartcard switch; from the GUI, you can select to use a smart card for authentication.
- The Net Use command. Like the RunAs command, you can choose to use a smart card to provide credentials for network drive mapping. From the command line, you must use the /smartcard switch to designate that the credentials are read from a smart card. Likewise, from the GUI, you can choose to connect with a different user name and then select the smart card from the list of available credentials.
- The DCPromo command. If the computer you are promoting to a domain controller is already a member of the forest, you can use a smart card to validate your identity in the DCPromo wizard. The computer must be a member of the forest before running DCPromo, otherwise the option is not available. This option is only available on Windows Server 2003 computers.
|
