RSA SecurID provides two-factor authentication for accessing Microsoft Windows using a username and passcode. It works by hashing the passcode on the RSA ACE/Server and storing the hashed passcodes, emergency access passwords, and encrypted Windows passwords. This allows users to authenticate both online by supplying the username and passcode to the ACE/Server, and offline using cached credentials on the laptop. RSA SecurID for Windows offers a simple, consistent, and secure authentication method with centralized logging and reporting across VPN, wireless, web portals, and applications.
RSA SecurID for Windows
1. RSA SecurID® for Microsoft® Windows®
Gary Lau
CISSP, CISA
Principal Consultant
North Asia
2. Agenda
• RSA SecurID – the standard for strong two-factor authentication
• Authentication in the Enterprise
• Authentication to Microsoft Windows
• How It Works
• Other MS Solutions that are RSA Ready
3. The Business Problem
• Need to access information
• Need to protect corporate resources
4. The Business Problem
• Low security of static password
• Difficult to remember
• Inconsistent user experience
• Users write them down
• Help desk costs
• Unproductive users
• Frustration
5. Passwords Are a Big Problem
Problems with passwords were mentioned spontaneously in two 2003 focus groups:
• “You have to log in and have complicated, long passwords with numbers and digits”
• “I just see my friends trying to use (their passwords) and forgetting them all the time”
• Many consumer applications force multiple logons with different user names, passwords, and account numbers
7. The Fastest Growing Crime
$53 Billion
In September 2003, the Federal Trade Commission (FTC) reported that identity theft had affected nearly 10 million Americans and cost almost $53 billion in the previous year.
$2 Trillion
Worldwide, identity theft and related crimes are projected to cost an estimated $221 billion in 2003. If the current 300% compound annual growth rate continues, annual losses worldwide could top $2 trillion by 2005.
9. Methods of Authentication
• Something you know
— Password, PIN, “mother’s maiden name”
• Something you have
— Magnetic card, smart card, token, physical key
• Something unique about you
— Fingerprint, voice, retina, iris
[Figure: a bank card and a PIN]
10. Solving the Password Problem
• Combine something you have ...
— your ATM card, for example
+ PIN
• ... with something you know ...
— your PIN
= Two-factor authentication!
11. [Diagram: user enters passcode (PIN + token code); grant access: Y/N?]
Security
• Proven security
• 15 million users
• 14,000 customers
12. RSA SecurID Product Family
Components
ACE / Server
ACE / Agents
SecurID Authenticators
14. How Customers Use RSA SecurID
[Diagram: RSA ACE/Server at the centre of the enterprise; RSA Agents on an Enterprise Web Server or Portal Server (E-Business), on RAS (Remote Access), on the VPN or Firewall (Internet Access), on WLAN and on other Enterprise Access points all front the intranet Applications & Resources]
15. Authentication in the Enterprise
Past: Strong Authentication for Remote Access
[Diagram: RSA SecurID users (~20%) are the mobile workforce and sysadmins coming in over RAS/VPN; everyone else inside the Enterprise uses passwords]
Mobile workforce required to strongly authenticate.
Everyone else uses passwords. Why?
• Assumption that because a person is in the building, I can better trust them
• No real alternative
16. Authentication in the Enterprise
Present: Network is opening up, getting more porous
[Diagram: RSA SecurID users (~30%) now include the mobile workforce over RAS/VPN, customers & partners, WLAN, Web and sysadmins]
Strong authentication being required to use:
• WLAN
• Web
• SSL VPN
But passwords are still the way to authenticate to Windows
• No real alternative
17. Authentication to Microsoft Windows
Today: Username and password
Today a user types in his Username and Windows password to authenticate to the network.
18. Authentication to Microsoft Windows
Tomorrow: Username and passcode
Supports:
• Local
• Domain
• Terminal Services
• Password Integration
• Online and Offline
22. RSA SecurID for Microsoft Windows
Configuration Requirements
Desktop/Laptop: RSA ACE/Agent 6.0 Client; Windows 2000, XP, 2003; GINA replacement; auto install via MSI
Domain Controller: RSA ACE/Agent 6.0; Microsoft 2000 & 2003; AD userid and RSA ACE/Server userid must be the same
RSA ACE Server: RSA ACE/Server 6.0; Microsoft Server 2000 & 2003
24. How It Works
User on-line (Network Connected)
[Diagram: desktop with RSA Agent, Domain Controller, RSA ACE/Server, RSA hashed passcode store]
1. Username and passcode entered by the user
2. Username and passcode provided to ACE/Server along with date/time of last available passcode
3 and 4. Agent is told authentication was successful and is provided:
- Windows password
- Ticket for hashed passcode retrieval
5. Username, Windows password supplied to AD
6. Kerberos ticket supplied to desktop
7. ACE/Server provides to passcode store:
- Hashed passcodes
- Emergency access password
- Encrypted Windows password (for use when offline)
25. How It Works
User off-line (Network disconnected)
[Diagram: laptop with RSA hashed passcode store and Microsoft’s cached credentials; RSA ACE/Server not reachable]
1. Username and passcode, or emergency access code, entered by the user
2. Username and passcode (or emergency access code) checked against the RSA hashed passcode store
3 and 4. Authentication successful
- Decrypted Windows password
5. Username, Windows password supplied to Microsoft’s cached credentials
6. Offline Kerberos ticket
26. RSA SecurID for Microsoft Windows
Windows Password
• Windows Password Security Policy Options
— Make the password long, complicated and static, since it is of no use without strong authentication
— Continue forced MS password change:
• Admin forces a password change or it expires
• Old password automatically filled in by RSA ACE/Server
• New password typed by end user and stored in RSA ACE/Server
• Handled gracefully in online and offline mode
27. RSA SecurID for Microsoft Windows
Administrative Configuration Options
• System-wide Settings
— Allow/deny offline use
— # of days users can be offline
— Warn user of limited offline days
— # of bad passcodes before locking user’s token
— Accept an offline authentication or require re-authentication upon reconnect
— Bring log of offline events from clients into A/S log database
• Emergency Access
— Help desk can provide end user emergency access code for when end user forgets PIN, forgets token, or runs out of offline days
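The offline flow of slides 24, 25 and 27 (a precomputed store of hashed passcodes, an offline-day limit, a bad-passcode lockout and a help-desk emergency access code) modelled as an added Python example; this is not RSA's code and does not implement the SecurID token algorithm: the token codes, the policy numbers and the `passcodes_by_day` input (one PIN + token code per date) are constructed values, and decryption of the cached Windows password is left out.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_OFFLINE_DAYS = 5   # constructed policy values for the slide 27 options,
MAX_BAD_PASSCODES = 3  # not RSA's defaults

def hash_passcode(passcode: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a copied store does not reveal usable passcodes."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)

def build_store(passcodes_by_day: dict, emergency_code: str, issued: date) -> dict:
    """Server side (slide 24, step 7): one salted hash per offline day plus the emergency code."""
    salt = os.urandom(16)
    return {"salt": salt, "issued": issued, "bad_attempts": 0, "locked": False,
            "hashes": {d: hash_passcode(p, salt) for d, p in passcodes_by_day.items()},
            "emergency": hash_passcode(emergency_code, salt)}

def offline_authenticate(store: dict, entered: str, today: date) -> str:
    """Client side (slide 25): 'ok', 'emergency', 'denied', 'locked' or 'expired'."""
    if store["locked"]:
        return "locked"
    if (today - store["issued"]).days >= MAX_OFFLINE_DAYS:
        return "expired"  # offline days used up: the user must reconnect and log in online
    candidate = hash_passcode(entered, store["salt"])
    expected = store["hashes"].get(today)
    if expected is not None and hmac.compare_digest(candidate, expected):
        store["bad_attempts"] = 0
        return "ok"
    if hmac.compare_digest(candidate, store["emergency"]):
        return "emergency"  # help-desk code; does not reset the bad-attempt counter
    store["bad_attempts"] += 1
    if store["bad_attempts"] >= MAX_BAD_PASSCODES:
        store["locked"] = True  # token locked until re-authentication online
        return "locked"
    return "denied"

def demo() -> list:
    day0 = date(2004, 3, 1)  # constructed scenario: three offline days of passcodes
    day1, stale = day0 + timedelta(days=1), day0 + timedelta(days=MAX_OFFLINE_DAYS)
    codes = {day0 + timedelta(days=i): f"1234{100000 + 7 * i:06d}" for i in range(3)}
    store = build_store(codes, "EMERG-4410", day0)
    return [offline_authenticate(store, codes[day0], day0),    # ok
            offline_authenticate(store, codes[day0], day1),    # denied: yesterday's passcode
            offline_authenticate(store, "EMERG-4410", day1),   # emergency
            offline_authenticate(store, "0000000000", day1),   # denied (2nd bad attempt)
            offline_authenticate(store, "9999999999", day1),   # locked (3rd bad attempt)
            offline_authenticate(build_store(codes, "x", day0), codes[day0], stale)]  # expired
```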
29. Already Certified MS Solutions
• MS Active Directory Application Mode
• MS Active Directory
• MS Certificate Services
• MS Crypto API
• MS Exchange ActiveSync
• MS Exchange Server
• MS Internet Explorer
• MS IIS
• MS ISA Server
• MS Mobile Information Server
• MS Office XP
• MS OWA
• MS Outlook/Outlook Express
• MS Routing and Remote Access
• MS Windows 2000
• MS Windows NT
• MS Windows XP
Sources: www.rsasecured.com
30. RSA SecurID with Microsoft Exchange ActiveSync
Start -> ActiveSync -> Enter Username and PASSCODE -> Success and start synchronization!
36. Thank you!!
Please visit www.rsasecured.com for other RSA certified products.
khlau@rsasecurity.com
www.rsasecurity.com
Editor's Notes
Now I’m going to present one more problem to you. Auditing. Many companies are required to protect access to private information and to prove who has accessed the data. The problem is, with so many access methods and applications there are multiple access logs. And, how do you prove who has logged on and accessed the information? If you can’t trust the authentication method, how can you trust the audit logs?
Slide Title: Authentication Methods
Key Message: There are three primary ways to authenticate an individual: something you know, something you have, or something you are.
So now you can see why we’re so excited about this announcement, it’s secure, simple for the users, and auditable.