RSA SecurID for Windows
![Page 1: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/1.jpg)
RSA SecurID®
for Microsoft® Windows®
Gary Lau, CISSP, CISA
Principal Consultant, North Asia
![Page 2: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/2.jpg)
Agenda
• RSA SecurID – the standard for Strong Two-Factor Authentication
• Authentication in the Enterprise
• Authentication to Microsoft Windows
• How It Works
• Other MS Solutions that are RSA Ready
![Page 3: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/3.jpg)
The Business Problem
Need to access information
Need to protect corporate resources
![Page 4: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/4.jpg)
The Business Problem
• Low security of static password
• Difficult to remember
• Inconsistent user experience
• Users write them down
• Help desk costs
• Unproductive users
• Frustration
![Page 5: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/5.jpg)
Passwords Are a Big Problem
Problems with passwords were mentioned spontaneously in two 2003 focus groups:
• “You have to log in and have complicated, long passwords with numbers and digits”
• “I just see my friends trying to use (their passwords) and forgetting them all the time”
• Many consumer applications force multiple logons with different user names, passwords, account numbers
![Page 6: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/6.jpg)
Consumer fraud complaints for 2003
• Identity theft 43%
• Internet auctions 13%
• Internet services, computer complaints 6%
• Shop-at-home, catalog offers 5%
• Advance fee loans, credit protection 5%
• Prizes/sweepstakes/gifts 4%
• Foreign money offers 4%
• Business opportunities, work-at-home plans 3%
• Magazines, buyers clubs 2%
• Telephone services 2%
• Healthcare 2%
Source: Federal Trade Commission
![Page 7: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/7.jpg)
The Fastest Growing Crime
In September 2003, the Federal Trade Commission (FTC) reported that identity theft had affected nearly 10 million Americans and cost almost $53 billion in the previous year.
$53 Billion
Worldwide, identity theft and related crimes are projected to cost an estimated $221 billion in 2003. If the current 300% compound annual growth rate continues, annual losses worldwide could top $2 trillion by 2005.
$2 Trillion
![Page 8: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/8.jpg)
Auditing
• Multiple access points
• Multiple logs
• Compliance requirements
![Page 9: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/9.jpg)
Methods of Authentication
• Something you know
— Password, PIN, “mother’s maiden name”
• Something you have
— Magnetic card, smart card, token, physical key
• Something unique about you
— Fingerprint, voice, retina, iris
“1059”
Bank 1234 5678 9010
![Page 10: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/10.jpg)
Solving the Password Problem
• Combine something you have ...
— your ATM card, for example
• ... with something you know ...
— your PIN
+ PIN
= Two-factor authentication!
![Page 11: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/11.jpg)
Security
User enters Passcode (PIN + token code)
Grant access: Y/N?
• Proven security
• 15 million users
• 14,000 customers
![Page 12: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/12.jpg)
RSA SecurID Product Family Components
ACE/Server
ACE/Agents
SecurID Authenticators
![Page 13: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/13.jpg)
Two-factor Authentication with RSA SecurID
PASSCODE = PIN + TOKENCODE
Login: GLAU
Passcode: 2468234836
Token code: Changes every 60 seconds
Unique seed
Internal battery
Clock synchronized to UTC / GMT
![Page 14: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/14.jpg)
How Customers Use RSA SecurID
[Diagram labels: Intranet; Enterprise; Web Server or Portal Server; Applications & Resources; RAS; RSA Agent; Remote Access; RSA ACE/Server; Internet; RSA Agent; Internet Access; VPN or Firewall; E-Business; Enterprise Access; WLAN; Others]
![Page 15: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/15.jpg)
Authentication in the Enterprise
Past: Strong Authentication for Remote Access
[Diagram labels: RSA SecurID users; Sysadmins; ~20%; RAS/VPN; Mobile workforce; Enterprise]
Mobile workforce required to strongly authenticate
Everyone else uses passwords. Why?
• Assumption that because a person is in the building, I can better trust them
• No real alternative
![Page 16: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/16.jpg)
Authentication in the Enterprise
Present: Network is opening up, getting more porous
[Diagram labels: Enterprise; Customers & Partners; WLAN; Web; Sysadmins; ~30%; RAS/VPN; Mobile workforce; RSA SecurID users]
Strong authentication being required to use
• WLAN
• Web
• SSL VPN
But passwords still the way to authenticate to Windows
• No real alternative
![Page 17: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/17.jpg)
Authentication to Microsoft Windows
Today: Username and password
Today a user types in his Username and Windows password to authenticate to the network.
![Page 18: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/18.jpg)
Authentication to Microsoft Windows
Tomorrow: Username and passcode
Supports:
• Local
• Domain
• Terminal Services
• Password Integration
• Online and Offline
![Page 19: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/19.jpg)
RSA SecurID Login
![Page 20: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/20.jpg)
Simplicity
• Simple
• Consistent
• Secure
VPN
Windows
Wireless
Web portal
Applications
![Page 21: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/21.jpg)
Auditability
• Centralized logging
• Robust reporting
VPN
Windows
Wireless
Web portal
Applications
![Page 22: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/22.jpg)
RSA SecurID for Microsoft Windows
Configuration Requirements

| Desktop/Laptop | Domain Controller | RSA ACE Server |
| --- | --- | --- |
| RSA ACE/Agent 6.0 Client | RSA ACE/Agent 6.0 | RSA ACE/Server 6.0 |
| Windows: 2000, XP, 2003 | Microsoft: 2000 & 2003 | Microsoft Server: 2000 & 2003 |

GINA Replacement
AD userid and RSA ACE/Server userid must be the same
Auto Install via MSI
![Page 23: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/23.jpg)
RSA SecurID Architecture
[Diagram labels: RSA ACE/Agents; Web Server; RSA ACE/Agent; Firewall; VPN; DMZ; RSA ACE/Server (primary); RSA ACE/Agents; PDC; Intranet; Firewall; RSA ACE/Server (replica); RAS]
![Page 24: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/24.jpg)
How It Works
User on-line (Network Connected)
[Diagram components: RSA hashed passcode store; RSA ACE/Server; Domain Controller]
1. Username and passcode
2. Username and passcode provided to ACE/Server along with date/time of last available passcode
3 and 4. Agent is told authentication was successful and is provided:
- Windows password
- Ticket for hashed passcode retrieval
5. Username, Windows password supplied to AD
6. Kerberos Ticket supplied to desktop
7. ACE/Server provides to passcode store:
- Hashed passcodes
- Emergency access password
- Encrypted Windows password (for use when offline)
![Page 25: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/25.jpg)
How It Works
User off-line (Network disconnected)
[Diagram components: Laptop; RSA hashed passcode store; Microsoft’s cached credentials; RSA ACE/Server]
1. Username and passcode, or emergency access code
2. Username and passcode (or emergency access code)
3 and 4. Authentication successful
- Decrypted Windows password
5. Username, Windows password
6. Offline Kerberos ticket
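The offline flow above, together with the earlier PASSCODE = PIN + TOKENCODE slide, modelled as an added example; it is not RSA's code or algorithm. The token-code generator, the hash construction and the names `provision` and `OfflineAgent` are assumptions for illustration, while the 60-second interval, offline-day limit, bad-passcode lockout and offline event log follow the options named in the deck.

```python
import hashlib
import hmac
import struct

INTERVAL = 60      # the slides: token code changes every 60 seconds
ITERATIONS = 1000  # assumption; kept low so the example runs quickly

def token_code(seed: bytes, t: int) -> str:
    """Stand-in 6-digit generator (HMAC truncation), not RSA's algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", t // INTERVAL), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

def hash_passcode(user: str, passcode: str, step: int, salt: bytes) -> bytes:
    # Salted, slow hash bound to user and time step: a 10-digit passcode is
    # guessable, so a stolen store must be expensive to search.
    msg = f"{user}|{step}|{passcode}".encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)

def provision(user, pin, seed, salt, start, offline_days):
    """Server side, while online: hashed passcodes for the offline window."""
    first = start // INTERVAL
    last = first + offline_days * 86400 // INTERVAL
    return {s: hash_passcode(user, pin + token_code(seed, s * INTERVAL), s, salt)
            for s in range(first, last)}

class OfflineAgent:
    """Laptop side: verifies against the local store, no server contact."""
    def __init__(self, user, store, salt, max_bad=3):
        self.user, self.store, self.salt = user, store, salt
        self.max_bad, self.bad, self.used, self.log = max_bad, 0, set(), []

    def authenticate(self, passcode: str, now: int) -> str:
        step = now // INTERVAL
        if self.bad >= self.max_bad:
            result = "locked"                  # bad-passcode limit reached
        elif step not in self.store:
            result = "offline-days-exhausted"  # outside provisioned window
        elif step in self.used:
            result = "replay"                  # passcode already used this minute
        elif hmac.compare_digest(
                self.store[step],
                hash_passcode(self.user, passcode, step, self.salt)):
            result = "ok"
            self.bad = 0
            self.used.add(step)
        else:
            result = "denied"
            self.bad += 1
        self.log.append((now, self.user, result))  # sent to the server on reconnect
        return result
```

The store holds only hashes, so the laptop never needs the token seed; the entries in `log` correspond to the offline events the deck says are brought back into the server's log database.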
![Page 26: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/26.jpg)
RSA SecurID for Microsoft Windows
Windows Password
• Windows Password Security Policy Options
— Make the password long, complicated and static, since it's of no use without Strong Authentication
— Continue forced MS password change:
• Admin forces a password change or it expires
• Old password automatically filled in by RSA ACE/Server
• New password typed by end user and stored in RSA ACE/Server
• Handled gracefully in online and offline mode
![Page 27: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/27.jpg)
RSA SecurID for Microsoft Windows
Administrative Configuration Options
• System-wide Settings
— Allow/deny – offline use
— # of days users can be offline
— Warn user of limited offline days
— # of bad passcodes before locking user’s token
— Accept an offline authentication or require re-authentication upon reconnect
— Bring log of offline events from clients into A/S log database
• Emergency Access
— Help desk can provide end user emergency access code for when end user forgets PIN, forgets token, or runs out of offline days
![Page 28: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/28.jpg)
Other Microsoft Solutions that are RSA Ready
![Page 29: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/29.jpg)
Already Certified MS Solutions
• MS Active Directory Application Mode
• MS Active Directory
• MS Certificate Services
• MS Crypto API
• MS Exchange ActiveSync
• MS Exchange Server
• MS Internet Explorer
• MS IIS
• MS ISA Server
• MS Mobile Information Server
• MS Office XP
• MS OWA
• MS Outlook/Outlook Express
• MS Routing and Remote Access
• MS Windows 2000
• MS Windows NT
• MS Windows XP
Sources: www.rsasecured.com
![Page 30: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/30.jpg)
RSA SecurID with Microsoft Exchange ActiveSync
Start -> ActiveSync
Enter Username
Enter Username and PASSCODE
Success and start synchronization!
![Page 31: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/31.jpg)
RSA SecurID with Microsoft ISA Server (VPN)
![Page 32: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/32.jpg)
RSA SecurID with Microsoft OWA
![Page 33: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/33.jpg)
RSA SecurID with Microsoft Mobile Information Server
![Page 34: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/34.jpg)
Summary
RSA SecurID for Microsoft Windows
• Secure
• Simple
• Auditable
![Page 35: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/35.jpg)
RSA SecurID for Microsoft Windows
![Page 36: RSA Secur id for windows](https://reader030.fdocuments.in/reader030/viewer/2022020123/5575b09dd8b42a3b498b4cb6/html5/thumbnails/36.jpg)
Thank you!!
Please visit www.rsasecured.com for other RSA certified products.
www.rsasecurity.com