Logging on to Windows provides access to local resources (including EFS-encrypted files) and, in AD DS environments, protected network resources. Many organizations require more than a user name and password to authenticate users. For example, they might require multifactor authentication using both a password and biometric identification or a one-time password token.
In Windows XP and earlier versions of Windows, implementing custom authentication methods required developers to completely rewrite the Graphical Identification and Authentication (GINA) interface. Often, the effort required did not justify the benefits provided by strong authentication, and the project was abandoned.
Windows XP supported only a single GINA. With Windows Vista and Windows 7, developers can now provide custom authentication methods by creating a new credential provider. This requires significantly less development effort, allowing more organizations to offer custom authentication methods.
The new architecture also enables credential providers to be event driven and integrated throughout the user experience. For example, the same code used to implement a fingerprint authentication scheme at the Windows logon screen can be used to prompt the user for a fingerprint when accessing a particular corporate resource. The same prompt also can be used by applications that use the new credential user interface API.
Additionally, the Windows logon user interface can use multiple credential providers simultaneously, providing greater flexibility for environments that might have different authentication requirements for different users.
Credential Manager Enhancements
Windows Vista and Windows 7 include new tools to enable administrators to better support credential management for roaming users, including the Digital Identity Management Services (DIMS) and a new certificate enrollment process. Among other improvements, users can now reset their own smart card PINs without calling the support center. Additionally, users can now back up and restore credentials stored in the Stored User Names And Passwords key ring.
To improve the security of Task Scheduler, Windows Vista and Windows 7 can use Servicefor- User (S4U) Kerberos extensions to store credentials for scheduled tasks instead of storing the credentials locally, where they might be compromised. This has the added benefit of preventing scheduled tasks from being affected by password expiration policies.
No comments:
Post a Comment