Managing Biometrics Windows Server 2008 R2

Introduction

We’ve known for a long time that the traditional user name and password authentication method, alone, doesn’t provide the best security. It can be made better by instituting length and complexity requirements and setting expiration periods, and Windows domain administrators have been able to do this through Group Policy settings since Windows NT. But multi-factor authentication will always be better, and arguably the best method of positively authenticating a person is via fingerprints and other unique physical characteristics. Yes, it is possibly to spoof biometric information, but it’s difficult. You can’t share a biometric identifier as you can a password or make a copy of it as you can with a card or token. Another advantage is that it’s always with you; you can’t lose it or leave it behind when you need it.
The problem with using biometrics for system or domain logon is that until recently, there was no built-in support in either Windows Server or the Windows client operating systems for using or managing biometrics. You had to use third party software, and there was little consistency or interoperability across biometrics programs. Every device vendor provided its own proprietary drivers, client software, SDK, management tools, etc. The good news is that that’s changed. Windows 7 and Windows Server 2008 R2 include the Windows Biometric Framework (WBF), which provides native support for biometric technologies, specifically fingerprint devices.

WBF Components

WBF consists of several components:

• Driver interface definition, Windows Biometric Driver Interface (WBDI), through which user applications can interact with biometric devices.
• Windows Biometric Service (WBS), for managing fingerprint devices and operating between the software application and the biometric device to keep the biometric data separate from the client application.
• Pluggable expansion platform.
• Client API, through which applications enroll, identify and verify user identities.
• User experience components.
• Management components for local configuration or centralized domain-wide configuration, including the Biometrics Devices Control Panel and the Biometrics category in Device Manager, Group Policy.
• Distribution component, including ability of vendors to distribute WBF drivers and components through Windows Update.

Developers can find out more about the Windows Biometric Framework API and how to use it here .

Biometric Scenarios

The two standard supported scenarios for Windows 7 client computers include biometric logon (to local computer or domain) and elevation of privileges through UAC by biometrics.
For the extra security of strong multi-factor authentication, the fingerprint template can even be stored on a smart card and used to authenticate the owner of the card, integrating with third party solutions such as Protiva .NET Bio’s “Match-on-Card” technology where the fingerprint verification is performed on the card. Read more about that here.

Enabling Biometric Logon in Windows 7

To set up biometric (fingerprint) logon to a Windows 7 computer, you first need a fingerprint reader. This can be an add-on device, or a reader that comes built-in (as is the case with many modern laptops). The proper drivers for the device must be installed. Windows 7 comes with drivers for a number of biometric devices. If yours isn’t one of them, Windows will attempt to find the correct drivers on the Windows Update site. If that doesn’t work, check the web site of the device vendor (or the computer vendor for built-in devices).
Once the drivers are installed, the next step is to set up the biometric software with your fingerprint data. Follow these steps:

1. Log on to the user account with which you want to use biometric logon.
2. Click Start | Control Panel.
3. In Classic View, click the Biometric Devices applet. If you don’t see this applet, check Device Manager to ensure that your biometric device is listed.
4. In the dialog box, click “Use your fingerprint with Windows.”
5. Next, you’ll be asked to provide your password. Do so and click OK.
6. The Fingerprint Reader enrollment dialog box requests that you click the finger you want to set up. You can set up one, some or all of your fingers. It’s usually a good idea to set up more than one, as sometimes the reader may not recognize one of your fingers (perhaps because it’s dirty or oily or injured) but will recognize a different finger.
7. Next you’ll be asked to swipe the finger on the reader so the reader can get a good reading. A successful swipe will result in a green checkmark; an unsuccessful swipe will result in a red X. You’ll need three successful swipes to proceed.
8. After three successful swipes, you’re notified that the finger is set up for logon and access functions and you can click Finish.
9. You can repeat the process to enroll other fingers.

Now you need to test and ensure that the fingerprint logon works. Log off (or lock the computer). Instead of your photo and a credentials box for entering your password, you’ll now see a fingerprint icon, as fingerprint logon has been set as the default logon method. Don’t worry; if it doesn’t work, you can click the “Other credentials” button and log on with your username and password as usual.
Swipe one of the fingers that you set up and the system should log you on.

Managing Biometrics in a Windows Server 2008 R2 Domain

Administrators can enable, limit or block the use of biometric devices in a Windows Domain by using Group Policy. In the Group Policy Management Editor on Windows Server 2008 R2, in the left pane right click the Group Policy Object (GPO) you want to configure (for example, the default domain policy) and select “Edit,” as shown in Figure 1.

Figure 1
In the left pane, expand Policies, then Administrative Templates: Policy definitions, then Windows Components, and click Biometrics as shown in Figure 2.

Figure 2
In the right pane, you’ll see four choices:

• Allow the use of biometrics
• Allow users to log on using biometrics
• Allow domain users to log on using biometrics
• Timeout for fast user switching events

Note that this same Group Policy settings are available in the Local Group Policy Editor on Windows 7 and Windows Server 2008 R2 computers. The permissions and behaviors of biometrics can be configured in the local policy; however, domain policy will override local policy.

Allow the Use of Biometrics

If you enable the “Allow the use of biometrics” policy setting, this makes the Windows Biometric Service available to user applications. This means users will be able to run biometric applications on their Windows 7 clients or on Windows Server 2008 R2 servers. This setting does not enable users to log on with biometric data; it only allows them to run the biometric-enabled applications.
If the policy is not configured, WBS will still be available, as that is the default. If you don’t want it to be available (thus prohibiting users from running biometric applications), you need to explicitly disable this policy setting. This prevents users from using any of the biometric features in Windows 7 and Windows Server 2008 R2. To enable or disable the policy setting, double click it or right click it and select “Edit.” There you have three option buttons: Not Configured, Enabled and Disabled. Click the one you want and then click Apply and OK.

Allow users to log on using biometrics

If you enable the “Allow users to log on using biometrics” policy setting, users will be able to log onto their computers by swiping a finger. They will also be able to elevate User Account Control (UAC) permissions with a finger swipe (if they are logged on with an administrative account). This only allows users to log onto the local computer; it does not enable them to log onto the Windows domain.
As with the previous policy, the default of Not Configured has the same effect as selecting Enabled, so if you don’t want users to be able to log onto their computers or elevate privileges using biometrics, you’ll need to explicitly disable the policy setting. This is done in the same way we edited the policy setting above.

Allow domain users to log on using biometric

The purpose of this policy setting is self evident; if you enable it, users who have domain accounts will be able to log onto the Windows domain, or elevate privileges with a logged on domain account, by swiping a finger. The default here is different from those above. Because in a domain, the principle of least privilege applies, domain users can not use biometrics to log on by default. Thus the “Not Configured” selection in this case has the same effect as the “Disabled” selection, and you will need to explicitly enable the policy setting if you want domain users to be able to log onto the domain using biometrics.

Timeout for fast user switching events

You can use this policy setting to set a specified time period (in seconds) for which a fast user switch event stays active before the switch happens. The default time period is 10 seconds. The maximum time period you can configure is 60 seconds. You need to enable the policy setting to change the specified time period.