One of the commonly recommended solutions to increase the security of user accounts in the on-premise Active Directory is to require two-factor authentication using Smart Cards. Not everyone knows that Windows Smart Card implementation has undergone a significant change years ago that has not been clearly reflected in the publicly available documentation. Since Public Key Infrastructure (PKI) security is not a typical piece of knowledge, therefore many enterprises may be at risk.

It’s your friendly neighborhood Microsoft Security Advisor, back with more tricks to keep your network safe. Despite your best efforts to protect your data, unencrypted network protocols might still be used. We show you how to use IPsec and SMB protection to create a web of protection around your information.

Let’s start with some theoretical background about public key role separation. An important step in designing and implementing our public infrastructure is that reminding the groups or users who will manage it, and here, I would like to point out that we should always use active director groups when we are talking about security managing certification authorities that are member of active director, because it is much easier from management perspective. This design step determines the security of your public infrastructure, so please don’t treat it lightly.