Smart Card

Description:

With a smart card reader attached, it is possible to log in with a plastic card (smart card) instead of typing a username on the keyboard.
This service manages and controls access to a smart card inserted into a smart card reader attached to the computer.

There is a registry entry that can enable additional protection from PKINIT-related vulnerabilities:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]
RequireAsChecksum = 1 (Default WinXP = 0)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
RequireAsChecksum = 1 (Default Win2k/Win2k3 = 0)

Note: before enabling this setting on the client machines, make sure that MS KB899587 is installed on the domain controller, or else smart card login will fail. More info: MS KB904766.

  • Manual.
Default State:
  • Manual
Process Name:
Supports:
  • None
Depends: