Hi,
this is a tricky one:
I am using a 2003 Enterprise CA and Sub CA to issue User Certificates.
I use CLM 2003 to manage the Smart Cards. (Axalto .NET v2 in USB Shell Tokens)
The clients have Windows XP SP2 with KB 909520 (Microsoft SmartCard BaseCSP)
The KB comes with the SmartCard Minidriver, the only external driver used is a Gemalto CCID driver for the USB Shell Token which holds the SmartCard.
The pintool.exe from the KB is used to manage the PIN. However you can set 0000 as a valid PIN.
Also, I did not find a way to control the number of PIN attempts until the card blocks the PIN.
And this is where internal audit started to seriously b*tch.
I have tried MS Support, so far with limited success. The Windows Smart Card Minidriver Specification reveals that there is a handle pdwcAttemptsRemaining to control PIN attempts. But not where it comes from. A quick test showed the SmartCard locks after 4 failed attempts. But where did that come from? Account lockout policy from the machine? That could be circumvented. Is it hardcoded in the axaltocm.dll?
Also, if I can set the PIN with any pintool.exe on any machine, how in the world do I enforce PINs stronger than 0000? Not with a GPO for sure. But can I put PIN rules in the certificate template? Or can I enforce that the PIN can only be changed when the client has a connection to the CLM to ensure policies?
So my questions:
1. How do you control the initial value of pdwcAttemptsRemaining, or rather where does it come from and where is it stored?
2. Can you in this environment reliably enforce PIN rules, and how?
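To make the two questions concrete, here is an added illustration (not code from the original post, nor from Microsoft's BaseCSP, the minidriver specification, or CLM): a small model of a card-side retry counter in the style of pdwcAttemptsRemaining, together with a PIN policy check that would reject trivial PINs such as 0000 before a change is accepted. The minimum length of 6 and the weak-pattern rules are assumed policy values; the attempt limit of 4 is the value the post observed. On a real deployment the counter lives on the card and the policy has to be enforced by whatever tool is allowed to change the PIN, which is exactly what the post is asking about.

```python
"""Model of a smart-card PIN retry counter plus a PIN policy check.

Added example: none of this is the BaseCSP, minidriver or CLM code. It models
the behaviour an administrator wants (count failed attempts down, block at
zero, refuse weak PINs on change) so the rules can be stated and tested.
"""
from dataclasses import dataclass

MIN_PIN_LENGTH = 6   # assumed policy value, not stated in the post
MAX_ATTEMPTS = 4     # the post observed the card blocking after 4 failed attempts


def is_sequential(digits: str) -> bool:
    """True for runs like 1234 or 9876: every digit is +1 or -1 from the previous one."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def pin_policy_violations(pin: str) -> list:
    """Return the policy rules a candidate PIN breaks (empty list means acceptable)."""
    problems = []
    if not pin.isdigit():
        # Nothing else can be evaluated sensibly on a non-numeric PIN.
        return ["non-digit characters"]
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"shorter than {MIN_PIN_LENGTH} digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical (e.g. 0000)")
    if len(pin) >= 4 and is_sequential(pin):
        problems.append("sequential digits")
    return problems


@dataclass
class PinRetryCounter:
    """Card-side retry counter: decrement on failure, block at zero, reset on success."""
    correct_pin: str
    attempts_remaining: int = MAX_ATTEMPTS
    blocked: bool = False

    def verify(self, candidate: str) -> bool:
        """Return True on a correct PIN; a blocked card rejects everything."""
        if self.blocked:
            return False
        if candidate == self.correct_pin:
            self.attempts_remaining = MAX_ATTEMPTS
            return True
        self.attempts_remaining -= 1
        if self.attempts_remaining <= 0:
            self.blocked = True
        return False

    def change_pin(self, old_pin: str, new_pin: str) -> list:
        """Change the PIN only after the old one verifies and the new one passes policy.

        Returns the list of reasons the change was refused (empty list = changed).
        """
        if not self.verify(old_pin):
            return ["old PIN rejected"]
        problems = pin_policy_violations(new_pin)
        if not problems:
            self.correct_pin = new_pin
        return problems


if __name__ == "__main__":
    card = PinRetryCounter("482913")  # constructed sample PIN
    print("0000 violations:", pin_policy_violations("0000"))
    print("change to 0000 refused:", card.change_pin("482913", "0000"))
    for _ in range(MAX_ATTEMPTS):
        card.verify("000000")
    print("blocked after", MAX_ATTEMPTS, "failures:", card.blocked)
```

The point of the model is the split of responsibilities: the retry counter belongs to the card and should never be reset from the host, while the policy check has to sit in every path that can change the PIN, otherwise a tool that skips the check (as the post describes for pintool.exe) can still set 0000.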