Ever since moving over to Windows 7, I was looking forward to joining our internal DirectAccess pilot, because I simply loved the idea of having access to all internal network resources without the need of a VPN connection. Now that I am included in this pilot, I can say that DirectAccess is all I ever wanted it to be and more. For instance, having NAP take care of your current security state instead of a cumbersome VPN connection script is bliss :)
Before you ask what this has to do with Smart Cards – we have an internal policy that ties DirectAccess to a multifactor logon policy, for all the good reasons outlined here: http://technet.microsoft.com/en-us/library/dd637823.aspx
Now, our Smart Cards also double up as access cards for our building, which has now come to be a double-edged sword. It’s great not having to lug around too many different access cards. On the other hand, it’s also not so great forgetting the card inside the computer’s reader, going downstairs for a coffee and then ending up locked out of the office :)
However, that’s quite a good educational experience, since what good is multifactor authentication if you keep one of the 2 factors lodged into your computer at all times?
But I’m getting better at it – taking the card out of the reader straight after logging in works well for me, I just hope that nobody in our IT department thinks about rolling out a policy that locks the screen when the SC is pulled…