With a smart card reader attached, it is possible to log in with a plastic card (smart card) instead of typing a username on the keyboard.
This service manages and controls access to a smart card inserted into a smart card reader attached to the computer.
There is a registry entry that can enable additional protection from PKINIT-related vulnerabilities:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]
RequireAsChecksum = 1 (Default WinXP = 0)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
RequireAsChecksum = 1 (Default Win2k/Win2k3 = 0)
Note: before enabling this setting on the client machines, make sure that MS KB899587 is installed on the domain controller, or else smart card login will fail. More info: MS KB904766.
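A read-only check of the setting at both locations, as an added example that is not part of the original page. It assumes Windows PowerShell 2.0 or later is installed on the client; the helper name Get-RequireAsChecksum is hypothetical.

```powershell
# Added example: report RequireAsChecksum at both registry locations listed above.
# Read-only; it changes nothing.
$base = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
$locations = @(
    @{ Path = $base;              AppliesTo = 'WinXP' },
    @{ Path = "$base\Parameters"; AppliesTo = 'Win2k/Win2k3' }
)

# Hypothetical helper: returns the DWORD value, or $null when the key or value is absent.
function Get-RequireAsChecksum {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name RequireAsChecksum -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.RequireAsChecksum
}

foreach ($loc in $locations) {
    $value = Get-RequireAsChecksum -Path $loc.Path

    # An absent value means the default of 0 is in effect.
    if ($null -eq $value) {
        $state = 'not set (default 0)'
    } elseif ($value -eq 1) {
        $state = 'enabled'
    } else {
        $state = "disabled (value $value)"
    }

    New-Object PSObject -Property @{
        AppliesTo = $loc.AppliesTo
        State     = $state
        Path      = $loc.Path
    } | Select-Object AppliesTo, State, Path
}
```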
- Win7 - svchost.exe -k LocalServiceAndNoImpersonation (SCardSvr)
- Vista - svchost.exe -k LocalService (SCardSvr)
- Win2k/WinXP/Win2k3 - SCardSvr.exe (SCardSvr)