Steven steven at lovebug.org wrote:
RSA for Windows authenticates against the RSA Authentication Manager
and if successful allows the client to then send the Windows password to
the Domain Controller. This kind of defeats the purpose of two-factor as
they could just login with their normal Windows password from a machine
that doesn't have the RSA software on it.
Hi Steven,
You might want to review your assumptions here.
RSA's SecurID for Windows solution in Authentication Manager v6.x will
enforce a two-factor authentication policy for domain resources -
including logon to domain accounts. If you're not using the RSA
Authentication Agent for Windows (or RSA's SSO option, SOM 4.5), you will
not be able to log in to a PC as a domain user in the protected group.
All resources protected by a SecurID for Windows (S4W) protected domain
require a session certificate for access. Just providing a windows
password satisfies windows domain authentication, but the
sub-authentication filters installed as a part of the S4W Domain
Controller (DC) component will deny access until a two-factor
authentication has occurred.
There are, of course, some environment for which RSA does not have a
S4W-enabled agent. In these environments the user will need to perform a
SecurID authentication from an agent that creates verifiable
authentications, and then provide their domain password (to OWA for
example). Even here, direct access -- without having performed a
verifiable authentication -- will be denied by the 'subauth' components on
the DC.
Courtney's First Law reminds us that it is impossible to say anything
meaningful about the security of any system without a clear
understanding of the context: the environment in which it is used, and the
specific application.
If you need something the standard S4W doesn't provide, you really should
sort through the implications of your application and your
environment with your RSA SSE or the gurus at RSA Customer Support. They
may even have suggestions if you really need tighter integration between
the SecurID authentication and AD.
[If, for instance, you really need to completely eliminate access via
passwords, you could use some programmatic method (i.e., Visual Basic) to
set your users' Windows passwords to very long, random passwords that
never expire. The password change would be captured on the DC and sent to
the ACE/Server. The long, random passwords would then be
provided with each authentication (and recovered when offline), but the
users will never know their Windows password. Since the passwords would
never expire, the users are also never allowed to select a smaller, less
secure passwords.
[These shadow passwords can be manually expired using the same process
executed on a regular basis (e.g., yearly), but that process is maybe a
little touchy for a production environment. The users would have make sure
their ACE/Server is up (and the connection is
operational) before running the process (or else they will have to run the
process again when the connection is available). The DC services will
queue these changes if a large number occur at once, so you would also
want to make sure all the password changes have been processed before
shutting down either the ACE/Server or DC.]
As always, the world is simpler if you stay with the standard product, but
customization is possible, sometimes with RSA support.
I hope this is helpful. I've been a consultant to RSA for many years, and
I figure that any authentication problem can have a SecurID
solution. YMMV. ;-)
Suerte,
_Vin
References:
RSA SecurID for Windows (S4W) Infrastructure:
http://www.rsasecurity.com/node.asp?id=1173
RSA's Sign-On Manager:
http://www.rsasecurity.com/node.asp?id=2541
RSA's Security Vulnerability Reporting Policy:
http://www.rsasecurity.com/node.asp?id=2928
--- * * * * ---
On 1/10/06, Steven at lovebug.org queried the Listocracy:
Does anyone know of a product that will tie-in RSA's SecurID with
Microsoft Windows Active Directory? I want to require certain users to
use their pin+current token in order to authenticate to the Domain.
However, the main solution from RSA does not appear to provide a very good
solution at all. RSA for Windows authenticates against the RSA
Authentication Manager and if successful allows the client to then send
the Windows password to the Domain Controller. This kind of defeats the
purpose of two-factor as they could just login with their normal Windows
password from a machine that doesn't have the RSA software on it.
Additionally, what if they want two-factor across the board.. to include
NetBIOS/SMB Shares/Webmail? Is there a product that will tie into Active
Directory and *only* and *always* accept RSA SecurID pin+tokens for
authentication?
This can easily be done *nix boxes, but I am having some trouble finding
something that will work on Windows.
Any ideas?
Thanks,
Steven
