Initial Import

.gitignore

@@ -0,0 +1,3 @@
+_site/
+Gemfile.lock
+*~

CONTRIBUTING.md

@@ -0,0 +1,43 @@
+## Welcome
+
+Thank you for considering contributing to our development of open and transparent playbook.  If you're unsure or afraid of anything, just ask or submit the issue or pull request. We appreciate any sort of contribution and are committed to transparency and collaboration.
+
+Before contributing, we encourage you to read our CONTRIBUTING policy (you are here), our LICENSE, and our README, all of which are in this repository.
+
+The idea for open sourcing this content, the contributing framework, and the licensing framework are based on repositories from [18F](https://github.com/18f)
+
+## Public domain
+
+This project is in the public domain within the United States, and
+copyright and related rights in the work worldwide are waived through
+the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+
+All contributions to this project will be released under the CC0
+dedication. By submitting a pull request, you are agreeing to comply
+with this waiver of copyright interest.
+
+## How to Contribute
+We welcome contributions in the form of requests, issues and pages.  
+
+* _Requests:_ You've identified a useful addition to the playbook which benefits USG Agencies
+  * Open an Issue on this repository
+  * State the recommendation
+  * Include any links or other information
+  * Discuss the request with other contributors  
+
+* _Issues:_ You've identified an issue with the information
+  * Open an Issue on this repository
+  * Discuss the Issue with other contributors
+  * Follow the progress of the updates
+
+* _Pages:_ You'd like to contribute a Page and content
+  * Open an Issue on this repository, identifying the content you would like to contribute
+  * Limit each Issue to one content topic
+  * Fork the repository
+  * Add a new Page or modify an existing Page with your suggested content
+  * Submit a Pull Request, referencing the Issue Number
+
+## General Practices
+This content is Vendor neutral.  Marketing materials for Commercial Products should not be submitted.  If you would like to contribute a page or content which includes Commercial Products and a specific references for development and engineering, please review the Commercial Product trademark or copyright guides from the Product Vendor and reference those guides in your Pull Request.
+
+Contributors should consider the audience when submitting content.  Plain language benefits a broad audience.  Review your proposed content for use of acronyms and specialized jargon before submitting.  

Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gem 'github-pages'

LICENSE.md

@@ -0,0 +1,31 @@
+This project is in the
+public domain within the United States.
+
+We waive copyright and related rights in the work
+worldwide through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to
+the public domain by waiving all of his or her rights to the work worldwide
+under copyright law, including all related and neighboring rights, to the
+extent allowed by law.
+
+You can copy, modify, distribute and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0,
+nor are the rights that other persons may have in the work or in how the
+work is used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with
+this deed makes no warranties about the work, and disclaims liability for
+all uses of the work, to the fullest extent permitted by applicable law.
+When using or citing the work, you should not imply endorsement by the
+author or the affirmer.

README.md

@@ -0,0 +1,40 @@
+---
+layout: default
+permalink: /
+---
+
+## How to Contribute
+We welcome contributions in the form of requests, issues and pages.  
+
+* _Requests:_ You've identified a useful addition to the playbook which benefits USG Agencies
+  * Open an Issue on this repository
+  * State the recommendation
+  * Include any links or other information
+  * Discuss the request with other contributors  
+
+* _Issues:_ You've identified an issue with the information
+  * Open an Issue on this repository
+  * Discuss the Issue with other contributors
+  * Follow the progress of the updates
+
+* _Pages:_ You'd like to contribute a Page and content
+  * Open an Issue on this repository, identifying the content you would like to contribute
+  * Limit each Issue to one content topic
+  * Fork the repository
+  * Add a new Page or modify an existing Page with your suggested content
+  * Submit a Pull Request, referencing the Issue Number
+
+### Public domain
+
+This project is in the worldwide [public domain](LICENSE.md). As stated in [CONTRIBUTING](CONTRIBUTING.md):
+
+> This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+>
+> All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
+
+### Special Thanks
+This site is based on GitHub Pages and Jekyll templates.  The templates are based on [DOCter](https://github.com/cfpb/docter/) from [CFPB](http://cfpb.github.io/).  
+
+The README, LICENSING and CONTRIBUTING are based on [18F Pages](https://pages.18f.gov/).  
+
+Special thanks to the teams at [18F](https://18f.gsa.gov/), [18F Pages](https://pages.18f.gov/), and [US Digital Services Playbooks](https://playbook.cio.gov/) for their open and transparent model which benefits citizens, government and technology.

_config.yml

@@ -0,0 +1,131 @@
+# Site settings
+title: PIV Enablement Guides
+name: PIV Enablement Guides
+email: [email protected]
+author:
+    name: FICAM
+description: PIV Guidance
+baseurl: '/piv-guides'
+#url: "http://yourdomain.com" # the base hostname & protocol for your site
+#twitter_username: jekyllrb
+github_username:  lachellel
+highlighter: pygments
+
+# Point the logo URL at a file in your repo or hosted elsewhere by your organization
+logourl:
+logoalt: Federal Identity Credential and Access Management
+
+# Repo list
+# List repos that you would like to appear on the homepage here
+repos:
+- name: playbook-piv
+  description: FICAM Playbook - PIV Guidance
+  url: https://github.com/gsa/piv-guides
+
+# Build settings
+markdown: kramdown
+
+exclude:
+- bin
+- config.rb
+- Gemfile
+- Gemfile.lock
+- gems
+- Procfile
+- Rakefile
+- README.md
+- script
+- vendor
+
+navigation:
+- text: Introduction
+  url: index.html
+  internal: true
+  coll: false
+- text: Elements of a PIV Card
+  url: elements
+  internal: true
+  coll: false
+#- text: PIV Infrastructure
+#  url: boxes
+#  internal: true
+#  coll: false
+#- text: PIV Authentication Mechanisms
+#  url: authen
+#  internal: true
+#  coll: false
+#- text: How do I enable Microsoft AD for Admin access?
+#  url: 4_adadmin
+#  internal: true
+#  coll: false
+#- text: How do I enable a domain to assert assurance in AD?
+#  url: 5_domainassert
+#  internal: true
+#  coll: false
+#- text: How do I enable Firefox to allow the use of PIV/CAC?
+#  url: 6_firefox
+#  internal: true
+#  coll: false
+#- text: How do I enable Internet Explorer to allow the use of PIV/CAC?
+#  url: 7_ie
+#  internal: true
+#  coll: false
+#- text: How do I enable Chrome to allow the use of PIV/CAC?
+#  url: 8_chrome
+#  internal: true
+#  coll: false
+#- text: How do I validate trust stores on a Windows platform?
+#  url: 9_trustwindows
+#  internal: true
+#  coll: false
+#- text: How do I validate trust stores on a Mac platform?
+#  url: 10_trustmac
+#  internal: true
+#  coll: false
+#- text: How do I enable PIV/CAC for SSH to a Unix-like system?
+#  url: 11_ssh
+#  internal: true
+#  coll: false
+#- text: How do I enable Remote Desktop Protocol (RDP) to allow PIV/CAC?
+#  url: 12_rdp
+#  internal: true
+#  coll: false
+#- text: How do I use PIV/CAC with a mainframe?
+#  url: 13_mainframe
+#  internal: true
+#  coll: false
+#- text: How do I enable a website to use PIV/CAC?
+#  url: 14_website
+#  internal: true
+#  coll: false
+- text: Developer Guides
+  url: devconfig/index/
+  internal: true
+  coll: true
+  collname: devconfig
+- text: User Guides
+  url: userconfig/index/
+  internal: true
+  coll: true
+  collname: userconfig
+
+
+collections:
+  userconfig:
+    label: "User Guides"
+    permalink: /userconfig/:path/
+    output: true
+  devconfig:
+    label: "Developer Guides"
+    permalink: /devconfig/:path/
+    output: true
+
+
+include:
+- _stylesheets
+- _javascript
+
+
+
+# Custom site configuration
+lang: en

_devconfig/15_network.md

@@ -0,0 +1,130 @@
+---
+layout: page_collection
+title: How do I PIV enable my network logon?
+collection: devconfig
+permalink: devconfig/15_network/
+---
+<script>
+$(function() {
+  $( "#accordion" ).accordion({
+    heightStyle: "content",
+    collapsible: "true",
+    active: "false"
+  });
+});
+</script>
+#### Overview
+This guide will take you through the steps necessary to configure your Windows based computer network to accept and potentially require PIV cards for authentication.
+
+##### Assumptions
+*  Your organization users are currently issued PIV cards
+*  Your organization is using Microsoft Active Directory to manage your Windows network users
+*  Your organization is using Microsoft Windows Server 2008 R2 or 2012
+    *  Concepts will likely remain applicable to other versions of Windows Server, however, specific instructions may require modification
+*  Your organization's systems are configured to automatically receive certificate updates via auto-enrollment or some other technique
+
+#### Before you get started
+The following reference information may be useful or required for configuring your systems depending on your architecture. Some information will need to be obtained from the appropriate organization.
+
+*  CA Certificate that signed the authentication certificates
+    *  The Federal PKI [Federal Common Policy CA Certificate](http://http.fpki.gov/fcpca/fcpca.crt) - the root CA Certificate created by the Federal PKI Management Authority (FPKIMA)
+    *  Subordinate CAs in the chain including the Certification Authority that issued the certificates - If your agency issues your certificates, it will be your agency's CA certificate. If your agency's certificates are generated by another organization, such as a managed service, you'll need to acquire it from them.
+*  Certificate Revocation Lists (CRL)
+    *  The FPKI
+        *  [CRL over HTTP](http://http.fpki.gov/fcpca/fcpca.crl)
+        *  [CRL over LDAP](ldap://ldap.fpki.gov/cn=Federal%20Common%20Policy%20CA,ou=FPKI,o=U.S. %20Government,c=US)
+    *  The CRL of the Certification Authority that issued your agency's certificates.
+
+<!-- *  Authority Information Access (AIA) Locations
+    *  The FPKI
+        *  [AIA over HTTP](http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c)
+        *  [AIA over LDAP](ldap://ldap.fpki.gov/cn=Federal%20Common%20Policy%20CA,ou=FPKI,o=U.S. %20Government,c=US)
+    *  The AIA of the Certification Authority that issued your agency's certificates. -->
+
+#### Complete the following tasks
+<div id="accordion" markdown="1">
+
+### Request and install Domain Controller certificates
+<div markdown="1">
+> TODO
+{:class="warning"}
+
+</div>
+
+### Add the CA Certificates to the Trusted Root Certification Authorities
+<div markdown="1">
+
+The root certificate and intermediate CA certs are required by the domain controller to establish a chain of trust between the parent CA and the end users and applications. This allows the domain controller to issue trusted certificates to PIV cards within the directory and confirm the validity of smart card certificates during an access attempt.
+
+Active Directory must be configured to trust a certification authority to authenticate users based on certificates from that CA. Both Smartcard workstations and domain controllers must be configured with correctly configured certificates.
+
+This task will configure Active Directory to trust the Certification Authority chain that signed the users' authentication certificates. To configure Active Directory with the signing CA Certificate chain:
+
+1.	On your Active Directory Domain Controller server, select **Active Directory Users and Computers**
+2.	In the **Management Console**, right click the **Domain** and click **Properties**
+3.	Once you're on the **Group Policy Tab**, click **Open** to open the **Group Policy Management Console plug-in**
+4.	Right Click **Default Domain Policy** and click **Edit**
+5.	Expand the **Computer Configuration** section and open **Windows Settings > Security Settings > Public Key**
+6.	Right click **Trusted Root Certification Authorities** and select **Import**
+7.	Follow the prompts in the Wizard to import the **Root Certificate** for the CA and click OK
+
+From here, follow these steps to import the intermediate certificate(s):
+
+1.	Right click **Intermediate Certification Authorities** and select **Import**
+2.	Follow the prompts in the Wizard to import the **Intermediate Certificate(s)** for the CA and click OK
+
+</div>
+
+### Publish the CA Certificates to the NTAuth Store
+<div markdown="1">
+
+By publishing the CA certificate to the enterprise NTAuth store, the system administrator indicates that the CA is trusted to issue certain certificates. This allows the correct certificates to be issued to smartcards and thus enables logon through PIV card authentication.
+
+This task will configure Active Directory to trust the CA chain that signed the users' authentication certificates. To configure Active Directory with the signing CA Certificate chain:
+
+1.	On the Active Directory Domain Controller, launch an **elevated command prompt** to use the **certutil** utility
+2.	To **Publish the Certificate** to the **Enterprise NTAuth store** type
+
+        certutil –dpublish –f "path_to_root_CA_cert" NTAuthCA
+
+3.	The CA is now trusted to issue certificates of this type
+
+</div>
+
+### Associate PIV Credentials with Active Directory Accounts (AltSecID)
+<div markdown="1">
+
+> TODO
+{:class="warning"}
+
+</div>
+
+### Configure group policies for PIV Authentication
+<div markdown="1">
+
+This task describes 2 common configurations related to domain Group Policy Objects (GPO).
+
+|  scforceoption  |  This security policy setting requires users to log on to a computer by using a smart card.  |  Enabled / Disabled  |
+|  scremoveoption  |  This setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.  |  No Action / Lock Workstation / Force Logoff / Disconnect if a Remote Desktop Services session  |
+
+**scforceoption** directs client Windows computers to enforce PIV logon for users. It is important to understand the ramifications of executing this step.
+
+When you select the Smart Card is required for interactive logon check box in the Active Directory (AD) user account properties, Windows automatically resets the user password to a random complex password. In addition, Windows adds the SMARTCARD_REQUIRED flag to the UserAccountControl user account attribute and sets the DONT_EXPIRE_PASSWORD flag on the user account. The latter ensures that the user's password never expires after the Smart Card is required for interactive logon option is selected.
+
+When a user logs on to Windows either locally or remotely using a Remote Desktop session, the Windows client automatically checks for the presence of the SMARTCARD_REQUIRED flag. If the Smart Card is required for interactive logon option is set for the user, Windows rejects the logon attempt if it's not made with smart card credentials.
+
+Again, upon activation of scforceoption, users will **no longer know the password** to their account and will be **required** to use their PIV for authentication. Care should be used if enabling this option.
+
+To enable or disable either of these policies:
+
+1.  Open the Group Policy Management Console
+1.  In the GPMC console tree, double-click Group Policy Objects in the forest and domain containing the GPO that you want to edit.
+1.  Right-click the GPO, and then click Edit.
+1.  In the console tree, edit the settings as appropriate.
+
+</div>
+</div>
+
+#### References
+
+Elements of this guide were derived from a [Microsoft Knowledgebase Article](https://support.microsoft.com/en-us/kb/281245)