I don't believe ISA Server can enforce that on its own! In fact, if such a restriction could be enforced, I think it should be done at the Active Directory level.
That is correct! This is a Win2k issue, not an ISA Server issue. You can limit users to log on from one machine, or, better, use smart cards to log in and require that the smart card be left in the reader for the entirety of the session.
Unfortunately, I haven't implemented the "what I am" part yet. Still looking for someone who is interested in that level of security. I suspect only governments would be interested.
BTW, have you already heard good or bad things about ArcotID? It seems to be the best software SmartCard available. In any case, it sounds like a very big step forward compared to the default certificate store on Windows.
Sounds interesting, but they don't explain how the "something I have" differs from a SmartCard. They say it's stronger than a SmartCard, but what is the "thing you have"?
This is my problem too! As I understand the product, there isn't really "something I have", at least not a physical one. So, I think you should rather compare the software SmartCard with a software token.
However, compared to the default certificate store on Windows, I think it has some real benefits. The problem with a hardware SmartCard is the implementation and ongoing support cost, especially if you don't have control over the environment. So, a lot of people try to simplify the implementation by *not* installing the certificate on a SmartCard but on the PC itself.
The problem now is that storing the certificate on the PC itself is *not* very secure, because at best the certificate is only protected by a password, and only that password enables the use of the certificate. So, it is very susceptible to offline attacks, because there is no method to disable the certificate after a number of bad passwords. This is a major drawback.
That problem seems to be solved with the software SmartCard solution from Arcot. To the user (or attacker), a great number of passwords *seem* to give you a valid certificate. The only way to find out is to try it out. So, the central authentication service will see those tryouts and now has a method to detect the bad attempts and lock out the certificate and corresponding account after a number of bad attempts. I think this is a major step forward!
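The property described in the post above, as an added toy example that is not from the thread and not Arcot's code: a password-protected key store that carries its own integrity check lets a wrong password be recognised offline, while a store with no local check hands back a plausible key for every password, so correctness is only visible at the server, which can count attempts and lock the credential. It assumes a symmetric challenge-response stand-in for the card's private key and a throwaway XOR-with-PBKDF2 construction; both are simplifications for illustration, not a design to deploy.

```python
import hashlib
import hmac
import os

# Constructed demo values (assumptions; not from the thread or from Arcot's product).
SECRET = os.urandom(32)   # stand-in for the credential's private key
PASSWORD = "correct horse"
SALT = b"demo-salt"
LOCKOUT = 5               # server-side bad-attempt threshold

def kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000, dklen=32)
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Traditional store: ciphertext plus an integrity tag. A wrong password is self-evident,
# so guesses can be checked offline and nothing counts them.
def make_traditional_store(secret, password):
    k = kdf(password)
    return xor(secret, k), hmac.new(k, secret, "sha256").digest()
def open_traditional_store(store, password):
    """Return the key, or None when the tag reveals a wrong password (offline check)."""
    ct, tag = store
    k = kdf(password)
    cand = xor(ct, k)
    return cand if hmac.compare_digest(hmac.new(k, cand, "sha256").digest(), tag) else None

# Camouflaged store: no local integrity check, so every password yields a key-shaped
# value. Whether it is the right one is only observable at the authentication server.
def make_camouflaged_store(secret, password):
    return xor(secret, kdf(password))
def open_camouflaged_store(store, password):
    return xor(store, kdf(password))   # never fails locally

def respond(key, challenge):
    """Client's answer to a server challenge (symmetric stand-in for a card signature)."""
    return hmac.new(key, challenge, "sha256").digest()

class AuthServer:
    """Holds the real key, counts failures, locks the credential after LOCKOUT bad tries."""
    def __init__(self, secret):
        self.secret, self.failures, self.locked = secret, 0, False
    def verify(self, challenge, response):
        if self.locked:
            return False
        ok = hmac.compare_digest(respond(self.secret, challenge), response)
        self.failures = 0 if ok else self.failures + 1
        self.locked = self.failures >= LOCKOUT
        return ok

def offline_rejections(store, opener, guesses):
    """Wrong guesses the store itself rules out without contacting the server."""
    return sum(1 for g in guesses if opener(store, g) is None)
```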
I think it's better than a software certificate from traditional certificate servers, but I still don't think it's better than a "what I have" solution. However, there is no perfect security solution except for turning off the computer.