This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Vulnerability: Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials. Counter Measure: Configure the Smart card removal behavior setting to Lock Workstation. If you select Lock Workstation in the Properties dialog box for this policy setting, the workstation locks when the smart card is removed. Users can leave the area, take their smart card with them, and still maintain a protected session. If you select Force Logoff in the Properties dialog box for this policy setting, the user is automatically logged off when the smart card is removed. Potential Impact: If you select Force Logoff, users will have to re-insert their smart cards and re-enter their PINs when they return to their workstations. Enforcing this setting on computers used by people who must log onto multiple computers in order to perform their duties could be frustrating and lower productivity. For example, if network administrators are limited to a single account but need to log into several computers simultaneously in order to effectively manage the network enforcing this setting will limit them to logging onto one computer at a time. For these reasons Microsoft recommends that this setting only be enforced on workstations used for purposes commonly associated with typical users such as document creation and email. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsInteractive logon: Smart card removal behavior (2) REG: HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon!scremoveoption

[no_action/lock_workstation/force_logoff]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior (2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!scremoveoption