Lately we have seen more interest in certificate based authentication with Exchange 2007 Outlook Web Access. Using certificates for authentication can be considered more secure because a user cannot ...
Updated Jul 01, 2019
Version 2.0
Blog Post
I have used MS and non-MS certificate servers with this and it works. WS2008/Longhorn issued certificates work just fine. ...whether or not they have been tested and supported is up to the Microsoft Exchantge Team to reply.
Users in public places can still utilize their user credentials with password and risk having keystroke loggers capture those credentials. In many cases companies have Windows Mobile users and That's the risk. The other option is to have the kiosk in the public location install the smartcard reader and the software. Some actually will as long as you are paying the time on the machine.
This solution still does not mitigate any analog attacks or prevent digital attacks such as screen scrapers or keystroke loggers, from capturing screenshots or prevent keystroke loggers from capturing and assembling keystrokes. In all honesty if most companies require two-factor auth they may have policies against using public systems to access their network. I don't know of many companies that force smart card authentication but there may be some in healthcare and banking that require it. The US government does require it with the published HSPD-12 directives signed into law a few years back.
It would be a perfect world if Outlook and OCS could support SC logons like IE could, would it not? Granted the paranoid admin in me really likes having VPN solutions for home users that sequester a machine until after it passes NAC checks allowing them access to only required servers (such as E-mail, and NAC/NAP remediation servers) as well as requiring anything downloaded to their home machine be rights protected (lots of people are getting laid off nowadays...)
/soapbox
Have a great afternoon!,
Chris
Users in public places can still utilize their user credentials with password and risk having keystroke loggers capture those credentials. In many cases companies have Windows Mobile users and That's the risk. The other option is to have the kiosk in the public location install the smartcard reader and the software. Some actually will as long as you are paying the time on the machine.
This solution still does not mitigate any analog attacks or prevent digital attacks such as screen scrapers or keystroke loggers, from capturing screenshots or prevent keystroke loggers from capturing and assembling keystrokes. In all honesty if most companies require two-factor auth they may have policies against using public systems to access their network. I don't know of many companies that force smart card authentication but there may be some in healthcare and banking that require it. The US government does require it with the published HSPD-12 directives signed into law a few years back.
It would be a perfect world if Outlook and OCS could support SC logons like IE could, would it not? Granted the paranoid admin in me really likes having VPN solutions for home users that sequester a machine until after it passes NAC checks allowing them access to only required servers (such as E-mail, and NAC/NAP remediation servers) as well as requiring anything downloaded to their home machine be rights protected (lots of people are getting laid off nowadays...)
/soapbox
Have a great afternoon!,
Chris