RSA SecurID for Windows
DESCRIPTION
RSA SecurID Presentation TRANSCRIPT
RSA SecurID®
for Microsoft® Windows®
Gary Lau, CISSP, CISA
Principal Consultant, North Asia
Agenda
• RSA SecurID – the standard for strong two-factor authentication
• Authentication in the Enterprise
• Authentication to Microsoft Windows
• How It Works
• Other MS Solutions that are RSA Ready
Need to access information
Need to protect corporate resources
The Business Problem
• Low security of static password
• Difficult to remember
• Inconsistent user experience
• Users write them down
• Help desk costs
• Unproductive users
• Frustration
Passwords Are a Big Problem
Problems with passwords were mentioned spontaneously in two 2003 focus groups:
• “You have to log in and have complicated, long passwords with numbers and digits”
• “I just see my friends trying to use (their passwords) and forgetting them all the time”
• Many consumer applications force multiple logons with different user names, passwords, account numbers
Consumer fraud complaints for 2003
• Identity theft 43%
• Internet auctions 13%
• Internet services, computer complaints 6%
• Shop-at-home, catalog offers 5%
• Advance fee loans, credit protection 5%
• Prizes/sweepstakes/gifts 4%
• Foreign money offers 4%
• Business opportunities, work-at-home plans 3%
• Magazines, buyers clubs 2%
• Telephone services 2%
• Healthcare 2%
Source: Federal Trade Commission
The Fastest Growing Crime
In September 2003, the Federal Trade Commission (FTC) reported that identity theft had affected nearly 10 million Americans and cost almost $53 billion in the previous year.
Worldwide, identity theft and related crimes are projected to cost an estimated $221 billion in 2003. If the current 300% compound annual growth rate continues, annual losses worldwide could top $2 trillion by 2005.
Auditing
• Multiple access points
• Multiple logs
• Compliance requirements
Methods of Authentication
• Something you know
— Password, PIN, “mother’s maiden name”
• Something you have
— Magnetic card, smart card, token, physical key
• Something unique about you
— Fingerprint, voice, retina, iris
Solving the Password Problem
[Figure: bank card 1234 5678 9010 and PIN “1059”]
• Combine something you have ...
— your ATM card, for example
• ... with something you know ...
— your PIN
ATM card + PIN = Two-factor authentication!
User enters Passcode (PIN + token code) → Grant access: Y/N?
Security
• Proven security
• 15 million users
• 14,000 customers
RSA SecurID Product Family Components
• ACE/Server
• ACE/Agents
• SecurID Authenticators
Two-factor Authentication with RSA SecurID
PASSCODE = PIN + TOKENCODE
Login: GLAU
Passcode: 2468234836 (PIN followed by token code)
Token code: changes every 60 seconds
Unique seed, internal battery
Clock synchronized to UCT / GMT
How Customers Use RSA SecurID
[Diagram: RSA ACE/Server on the intranet; RSA Agents on the RAS, the VPN or firewall and the enterprise web server or portal server, in front of applications & resources]
• Remote Access (RAS)
• Internet Access (VPN or Firewall)
• E-Business
• Enterprise Access
• WLAN
• Others
Authentication in the Enterprise – Past: Strong Authentication for Remote Access
[Diagram: ~20% of enterprise users are RSA SecurID users – sysadmins and the mobile workforce over RAS/VPN]
Mobile workforce required to strongly authenticate
Everyone else uses passwords. Why?
• Assumption that because a person is in the building, I can better trust them
• No real alternative
Authentication in the Enterprise – Present: Network is opening up, getting more porous
[Diagram: ~30% of enterprise users are RSA SecurID users – sysadmins, the mobile workforce over RAS/VPN, customers & partners, WLAN and web users]
Strong authentication being required to use
• WLAN
• Web
• SSL VPN
But passwords still the way to authenticate to Windows
• No real alternative
Authentication to Microsoft Windows – Today: Username and password
Today a user types in his username and Windows password to authenticate to the network.
Authentication to Microsoft Windows – Tomorrow: Username and passcode
Supports:
• Local
• Domain
• Terminal Services
• Password Integration
• Online and Offline
RSA SecurID Login
Simplicity
• Simple
• Consistent
• Secure
(one login experience across VPN, Windows, Wireless, Web portal, Applications)
Auditability
• Centralized logging
• Robust reporting
(across VPN, Windows, Wireless, Web portal, Applications)
RSA SecurID for Microsoft Windows – Configuration Requirements
Desktop/Laptop: RSA ACE/Agent 6.0 Client; Windows 2000, XP, 2003; GINA replacement; auto install via MSI
Domain Controller: RSA ACE/Agent 6.0; Microsoft 2000 & 2003
RSA ACE Server: RSA ACE/Server 6.0; Microsoft Server 2000 & 2003
AD userid and RSA ACE/Server userid must be the same
RSA SecurID Architecture
[Diagram: DMZ – Web Server, VPN and RSA ACE/Agents behind the outer firewall; Intranet – RSA ACE/Server (primary), RSA ACE/Server (replica), PDC, RAS, RSA ACE/Agents and the RSA hashed passcode store behind the inner firewall]
How It Works – User on-line (network connected)
1. Username and passcode
2. Username and passcode provided to ACE/Server along with date/time of last available passcode
3 and 4. Agent is told authentication was successful and is provided:
— Windows password
— Ticket for hashed passcode retrieval
5. Username, Windows password supplied to AD (Domain Controller)
6. Kerberos ticket supplied to desktop
7. ACE/Server provides to the RSA hashed passcode store:
— Hashed passcodes
— Emergency access password
— Encrypted Windows password (for use when offline)
How It Works – User off-line (network disconnected)
1. Username and passcode, or emergency access code
2. Username and passcode (or emergency access code)
3 and 4. Authentication successful
— Decrypted Windows password
5. Username, Windows password (Microsoft’s cached credentials)
6. Offline Kerberos ticket
[Diagram: laptop with the RSA hashed passcode store; RSA ACE/Server not reachable]
RSA SecurID for Microsoft Windows – Windows Password
• Windows Password Security Policy Options
— Make the password long, complicated and static, since it is of no use without strong authentication
— Continue forced MS password change:
• Admin forces a password change or it expires
• Old password automatically filled in by RSA ACE/Server
• New password typed by end user and stored in RSA ACE/Server
• Handled gracefully in online and offline mode
RSA SecurID for Microsoft Windows – Administrative Configuration Options
• System-wide Settings
— Allow/deny offline use
— Number of days users can be offline
— Warn user of limited offline days
— Number of bad passcodes before locking user’s token
— Accept an offline authentication or require re-authentication upon reconnect
— Bring log of offline events from clients into the A/S (ACE/Server) log database
• Emergency Access
— Help desk can provide the end user an emergency access code for when the end user forgets PIN, forgets token, or runs out of offline days
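The on-line and off-line flows above, together with the lockout and offline-days settings just listed, as an added Python model that is not RSA's code: `AceServer`, `tokencode`, `offline_login`, the HMAC-based code generator (a stand-in, not the SecurID algorithm) and the seed, PIN and Windows password values are all constructed for illustration.

```python
import hashlib, hmac, secrets, struct

STEP = 60  # the slides say the token code changes every 60 seconds

def tokencode(seed: bytes, now: int) -> str:
    # Constructed stand-in for the token's generator: a 6-digit code per 60-second slot.
    # It is NOT RSA's SecurID algorithm, only a time-slot HMAC used to model the flow.
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def salted_hash(passcode: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + passcode.encode()).digest()

class AceServer:
    """Hypothetical ACE/Server holding each user's PIN, token seed and Windows password."""
    def __init__(self, max_bad: int = 3, offline_days: int = 1):
        self.max_bad, self.offline_days, self.users = max_bad, offline_days, {}

    def enroll(self, user: str, pin: str, seed: bytes, win_pw: str) -> None:
        self.users[user] = {"pin": pin, "seed": seed, "win_pw": win_pw, "bad": 0, "locked": False}

    def authenticate(self, user: str, passcode: str, now: int):
        """Online steps 2-4: verify PIN + tokencode, then release the Windows password and a ticket."""
        u = self.users.get(user)
        if u is None or u["locked"]:
            return None
        for drift in (0, -STEP, STEP):  # tolerate one 60-second slot of clock drift either way
            if hmac.compare_digest(passcode, u["pin"] + tokencode(u["seed"], now + drift)):
                u["bad"] = 0
                return {"win_pw": u["win_pw"], "ticket": secrets.token_hex(8)}
        u["bad"] += 1
        u["locked"] = u["bad"] >= self.max_bad  # "number of bad passcodes before locking user's token"
        return None

    def offline_bundle(self, user: str, now: int):
        """Step 7: hashed passcodes for the offline window plus an emergency code; the seed never leaves."""
        u, salt, code = self.users[user], secrets.token_bytes(16), secrets.token_hex(4)
        slots = range(now // STEP, now // STEP + self.offline_days * 1440)  # 1440 slots per day
        bundle = {"salt": salt, "expires": now + self.offline_days * 86400,
                  "hashes": {salted_hash(u["pin"] + tokencode(u["seed"], s * STEP), salt) for s in slots},
                  "emergency": salted_hash(code, salt)}
        return bundle, code  # the code goes to the help desk; only its hash reaches the laptop

def offline_login(bundle: dict, passcode: str, now: int) -> bool:
    """Offline steps 1-4: check the passcode (or emergency code) against the local hashed store."""
    if now > bundle["expires"]:  # "number of days users can be offline" exceeded
        return False
    h = salted_hash(passcode, bundle["salt"])
    return h in bundle["hashes"] or hmac.compare_digest(h, bundle["emergency"])
```

Because the laptop only holds salted hashes of future passcodes, a stolen offline store yields neither the PIN nor the token seed, which is the point of step 7 in the on-line flow.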
Other Microsoft Solutions that are RSA Ready
Already Certified MS Solutions
• MS Active Directory Application Mode
• MS Active Directory
• MS Certificate Services
• MS Crypto API
• MS Exchange ActiveSync
• MS Exchange Server
• MS Internet Explorer
• MS IIS
• MS ISA Server
• MS Mobile Information Server
• MS Office XP
• MS OWA
• MS Outlook/Outlook Express
• MS Routing and Remote Access
• MS Windows 2000
• MS Windows NT
• MS Windows XP
Source: www.rsasecured.com
RSA SecurID with Microsoft Exchange ActiveSync
Start -> ActiveSync -> Enter username -> Enter username and PASSCODE
Success and start synchronization!
RSA SecurID with Microsoft ISA Server (VPN)
RSA SecurID with Microsoft OWA
RSA SecurID with Microsoft Mobile Information Server
Summary
RSA SecurID for Microsoft Windows
• Secure
• Simple
• Auditable
RSA SecurID for Microsoft Windows
Thank you!!
Please visit www.rsasecured.com for other RSA certified products.
www.rsasecurity.com