
RSA SecurID ® for Microsoft ® Windows ®

Gary Lau, CISSP, CISA, Principal Consultant, North Asia. RSA SecurID ® for Microsoft ® Windows ®. Agenda: RSA SecurID, the standard for strong two-factor authentication; Authentication in the Enterprise; Authentication to Microsoft Windows; How It Works; Other MS Solutions that are RSA Ready.





Presentation Transcript


  1. Gary Lau, CISSP, CISA, Principal Consultant, North Asia. RSA SecurID® for Microsoft® Windows®

  2. Agenda • RSA SecurID – the standard for strong two-factor authentication • Authentication in the Enterprise • Authentication to Microsoft Windows • How It Works • Other MS Solutions that are RSA Ready

  3. The Business Problem • Need to access information • Need to protect corporate resources

  4. The Business Problem • Low security of static password • Difficult to remember • Inconsistent user experience • Users write them down • Help desk costs • Unproductive users • Frustration

  5. Passwords Are a Big Problem. Problems with passwords were mentioned spontaneously in two 2003 focus groups: • “You have to log in and have complicated, long passwords with numbers and digits” • “I just see my friends trying to use (their passwords) and forgetting them all the time” • Many consumer applications force multiple logons with different user names, passwords, account numbers

  6. Consumer fraud complaints for 2003 • Identity theft 43% • Internet auctions 13% • Internet services, computer complaints 6% • Shop-at-home, catalog offers 5% • Advance fee loans, credit protection 5% • Prizes/sweepstakes/gifts 4% • Foreign money offers 4% • Business opportunities, work-at-home plans 3% • Magazines, buyers clubs 2% • Telephone services 2% • Healthcare 2% Source: Federal Trade Commission

  7. The Fastest Growing Crime. In September 2003, the Federal Trade Commission (FTC) reported that identity theft had affected nearly 10 million Americans and cost almost $53 billion in the previous year. Worldwide, identity theft and related crimes are projected to cost an estimated $221 billion in 2003. If the current 300% compound annual growth rate continues, annual losses worldwide could top $2 trillion by 2005.

  8. Auditing • Multiple access points • Multiple logs • Compliance requirements

  9. Methods of Authentication • Something you know: password, PIN, “mother’s maiden name” • Something you have: magnetic card, smart card, token, physical key • Something unique about you: fingerprint, voice, retina, iris

  10. Solving the Password Problem • Combine something you have (your ATM card, for example) ... • ... with something you know (your PIN) • ATM card + PIN = two-factor authentication!

  11. Security • Proven security • 15 million users • 14,000 customers. Diagram: user enters passcode (PIN + token code); server grants access: Y/N?

  12. RSA SecurID Product Family Components • ACE/Server • ACE/Agents • SecurID Authenticators

  13. Two-factor Authentication with RSA SecurID. Example login: GLAU, passcode 2468234836. PASSCODE = PIN + TOKENCODE. • Token code: changes every 60 seconds • Token clock synchronized to UCT / GMT • Internal battery • Unique seed

  14. How Customers Use RSA SecurID (diagram) • Remote access: RAS or VPN/firewall with RSA Agent, authenticating to RSA ACE/Server • Internet access / e-business: enterprise web server or portal server with RSA Agent • Enterprise access: intranet, WLAN, applications & resources • Others

  15. Authentication in the Enterprise. Past: Strong Authentication for Remote Access • Mobile workforce (~20%, via RAS/VPN) required to strongly authenticate; they and the sysadmins are the RSA SecurID users • Everyone else in the enterprise uses passwords. Why? • Assumption that because a person is in the building, I can better trust them • No real alternative

  16. Authentication in the Enterprise. Present: Network is opening up, getting more porous • Strong authentication being required to use WLAN, Web, SSL VPN • Mobile workforce now ~30% (RAS/VPN), plus customers & partners coming in over the Web • But passwords still the way to authenticate to Windows • No real alternative

  17. Authentication to Microsoft Windows. Today: username and password. Today a user types in his username and Windows password to authenticate to the network.

  18. Authentication to Microsoft Windows. Tomorrow: username and passcode • Supports: local, domain, Terminal Services • Password integration • Online and offline

  19. RSA SecurID Login

  20. Simplicity • Simple • Consistent • Secure VPN Windows Wireless Web portal Applications

  21. Auditability • Centralized logging • Robust reporting VPN Windows Wireless Web portal Applications

  22. RSA SecurID for Microsoft Windows: Configuration Requirements

  23. RSA SecurID Architecture (diagram) • Intranet: RSA ACE/Server (primary) and RSA ACE/Server (replica) • RSA ACE/Agents on the PDC, RAS and VPN, behind the firewall • DMZ: web server with RSA ACE/Agent, between the outer firewall and the intranet firewall

  24. How It Works: User on-line (network connected). Components: desktop with RSA Agent, Domain Controller, RSA ACE/Server, RSA hashed passcode store. 1. User enters username and passcode. 2. Username and passcode provided to ACE/Server along with date/time of last available passcode. 3 and 4. Agent is told authentication was successful and is provided: the Windows password, and a ticket for hashed passcode retrieval. 5. Username and Windows password supplied to AD (Domain Controller). 6. Kerberos ticket supplied to desktop. 7. ACE/Server provides to the passcode store: hashed passcodes, emergency access password, and the encrypted Windows password (for use when offline).

  25. How It Works: User off-line (network disconnected). Components: laptop, RSA hashed passcode store, Microsoft’s cached credentials; RSA ACE/Server is not reachable. 1. User enters username and passcode, or emergency access code. 2. Username and passcode (or emergency access code) checked against the RSA hashed passcode store. 3 and 4. Authentication successful; the Windows password is decrypted. 5. Username and Windows password presented to Microsoft’s cached credentials. 6. Offline Kerberos ticket issued.

  26. RSA SecurID for Microsoft Windows: Windows Password • Windows password security policy options: • Make the password long, complicated and static, since it is of no use without strong authentication • Or continue forced MS password change: admin forces a password change or it expires; old password automatically filled in by RSA ACE/Server; new password typed by end user and stored in RSA ACE/Server; handled gracefully in online and offline mode

  27. RSA SecurID for Microsoft Windows: Administrative Configuration Options • System-wide settings: • Allow/deny offline use • Number of days users can be offline • Warn user of limited offline days • Number of bad passcodes before locking user’s token • Accept an offline authentication or require re-authentication upon reconnect • Bring log of offline events from clients into the ACE/Server log database • Emergency access: help desk can provide the end user an emergency access code for when the end user forgets the PIN, forgets the token, or runs out of offline days
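The online and offline flows of slides 24 and 25, with the lockout and offline-days settings of slide 27, modelled as an added example (not RSA's code or algorithm): the tokencode function is an HMAC stand-in for the proprietary one, and the seed, PIN, 6-digit code length, drift window, lockout threshold and salt are constructed assumptions.

```python
import hashlib
import hmac
import os

STEP = 60        # token code changes every 60 seconds (from the deck)
DRIFT = 1        # accept +/- one step of token clock drift (assumption)
DIGITS = 6       # tokencode length (assumption)

def tokencode(seed: bytes, now: int) -> str:
    """Stand-in for the proprietary tokencode function: HMAC-SHA256 of the
    current 60 s step under the token's unique seed, cut to DIGITS digits."""
    mac = hmac.new(seed, (now // STEP).to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"

class Token:
    def __init__(self, seed: bytes, pin: str, max_bad: int = 3):
        self.seed, self.pin, self.max_bad = seed, pin, max_bad
        self.bad, self.locked = 0, False   # "# of bad passcodes before locking"

def verify_online(tok: Token, passcode: str, now: int) -> bool:
    """ACE/Server check: PASSCODE = PIN + TOKENCODE, tolerant of clock drift."""
    if tok.locked:
        return False
    for k in range(-DRIFT, DRIFT + 1):
        if hmac.compare_digest(tok.pin + tokencode(tok.seed, now + k * STEP), passcode):
            tok.bad = 0
            return True
    tok.bad += 1
    tok.locked = tok.bad >= tok.max_bad
    return False

def build_offline_store(tok: Token, start: int, days: int) -> dict:
    """Hashed passcode store pushed to the laptop (step 7 of the online flow):
    salted hash of every passcode valid in the next `days` days, no seed or PIN."""
    salt = os.urandom(8).hex()
    codes = {}
    for i in range(days * 24 * 60):           # one entry per 60 s step
        t = start + i * STEP
        h = hashlib.sha256((salt + tok.pin + tokencode(tok.seed, t)).encode()).hexdigest()
        codes[h] = t // STEP
    return {"salt": salt, "codes": codes}

def verify_offline(store: dict, passcode: str, now: int) -> bool:
    """Offline check: entry must exist (bounds days offline) and sit within drift; it is burned after use to stop replay."""
    h = hashlib.sha256((store["salt"] + passcode).encode()).hexdigest()
    step = store["codes"].get(h)
    if step is None or abs(step - now // STEP) > DRIFT:
        return False
    del store["codes"][h]
    return True
```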

  28. Other Microsoft Solutions that are RSA Ready

  29. Already Certified MS Solutions: MS Active Directory Application Mode, MS Active Directory, MS Certificate Services, MS Crypto API, MS Exchange ActiveSync, MS Exchange Server, MS Internet Explorer, MS IIS, MS ISA Server, MS Mobile Information Server, MS Office XP, MS OWA, MS Outlook/Outlook Express, MS Routing and Remote Access, MS Windows 2000, MS Windows NT, MS Windows XP. Source: www.rsasecured.com

  30. RSA SecurID with Microsoft Exchange ActiveSync (screenshots): Start -> ActiveSync; enter username; enter username and PASSCODE; success and start synchronization!

  31. RSA SecurID with Microsoft ISA Server (VPN)

  32. RSA SecurID with Microsoft OWA

  33. RSA SecurID with Microsoft Mobile Information Server

  34. Summary RSA SecurID for Microsoft Windows • Secure • Simple • Auditable

  35. RSA SecurID for Microsoft Windows

  36. Thank you!! Please visit www.rsasecured.com for other RSA certified products. khlau@rsasecurity.com www.rsasecurity.com
