[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: SecurID with Active Directory ?

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Re: SecurID with Active Directory ?
From: vin@xxxxxxxxxxxx
Date: Tue, 10 Jan 2006 23:20:27 -0500 (EST)

Steven <steven at lovebug.org> wrote:

> RSA  for Windows authenticates against the RSA Authentication Manager
> and if successful allows the client to then send the Windows password to
> the Domain Controller.  This kind of defeats the purpose of two-factor as
> they could just login with their normal Windows password from a machine
> that doesn't have the RSA software on it.

Hi Steven,

You might want to review your assumptions here.

RSA's SecurID for Windows solution in Authentication Manager  v6.x will
enforce a two-factor authentication policy for domain resources -
including logon to domain accounts. If you're not using the RSA
Authentication Agent for Windows (or RSA's SSO option, SOM 4.5), you will
not be able to log in to a PC as a domain user in the protected group.

All resources protected by a "SecurID for Windows" (S4W) protected domain
require a "session certificate" for access. Just providing a windows
password satisfies windows domain authentication, but the
"sub-authentication" filters installed as a part of the S4W Domain
Controller (DC) component will deny access until a two-factor
authentication has occurred.

There are, of course, some environment for which RSA does not have a
S4W-enabled agent. In these environments the user will need to perform a
SecurID authentication from an agent that creates "verifiable
authentications," and then provide their domain password (to OWA for
example). Even here, direct access -- without having performed a
verifiable authentication -- will be denied by the 'subauth' components on
the DC.

Courtney's First Law reminds us that it is impossible to say anything
meaningful about the security of any system without a clear
understanding of the context: the environment in which it is used, and the
specific application.

If you need something the standard S4W doesn't provide, you really should
sort through the implications of your application and your
environment with your RSA SSE or the gurus at RSA Customer Support. They
may even have suggestions if you really need tighter integration between
the SecurID authentication and AD.

[If, for instance, you really need to completely eliminate access via
passwords, you could use some programmatic method (i.e., Visual Basic) to
set your users' Windows passwords to very long, random passwords that
never expire. The password change would be captured on the DC and sent to
the ACE/Server. The long, random passwords would then be
provided with each authentication (and recovered when offline), but the
users will never know their Windows password. Since the passwords would
never expire, the users are also never allowed to select a smaller, less
secure passwords.

[These "shadow passwords" can be "manually expired" using the same process
executed on a regular basis (e.g., yearly), but that process is maybe a
little touchy for a production environment. The users would have make sure
their ACE/Server is up (and the connection is
operational) before running the process (or else they will have to run the
process again when the connection is available). The DC services will
queue these changes if a large number occur at once, so you would also
want to make sure all the password changes have been processed before
shutting down either the ACE/Server or DC.]

As always, the world is simpler if you stay with the standard product, but
customization is possible, sometimes with RSA support.

I hope this is helpful. I've been a consultant to RSA for many years, and
I figure that any authentication problem can have a SecurID
solution. YMMV. ;-)

Suerte,
         _Vin

References:

RSA SecurID for Windows (S4W) Infrastructure:
<http://www.rsasecurity.com/node.asp?id=1173>
RSA's Sign-On Manager:
<http://www.rsasecurity.com/node.asp?id=2541>

RSA's Security Vulnerability Reporting Policy:
<http://www.rsasecurity.com/node.asp?id=2928>

----------- * * * * ---------------

On 1/10/06, Steven <at lovebug.org> queried the Listocracy:

> Does anyone know of a product that will tie-in RSA's SecurID with
> Microsoft Windows Active Directory?  I want to require certain users to
> use their pin+current token in order to authenticate to the Domain.
> However, the main solution from RSA does not appear to provide a very good
> solution at all. RSA for Windows authenticates against the RSA
> Authentication Manager and if successful allows the client to then send
> the Windows password to the Domain Controller.  This kind of defeats the
> purpose of two-factor as they could just login with their normal Windows
> password from a machine that doesn't have the RSA software on it.
> Additionally, what if they want two-factor across the board.. to include
> NetBIOS/SMB Shares/Webmail?  Is there a product that will tie into Active
> Directory and *only* and *always* accept RSA SecurID pin+tokens for
> authentication?
>
> This can easily be done *nix boxes, but I am having some trouble finding
> something that will work on Windows.
>
> Any ideas?
>
> Thanks,
>
> Steven

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Re: SecurID with Active Directory ?
  - From: Morning Wood

Prev by Date: [Full-disclosure] MDKSA-2006:011 - Updated tetex packages fix several vulnerabilities
Next by Date: Re: [Full-disclosure] should have been..' How to Determine My System Vulnerabilities'
Previous by thread: [Full-disclosure] MDKSA-2006:011 - Updated tetex packages fix several vulnerabilities
Next by thread: Re: [Full-disclosure] Re: SecurID with Active Directory ?
Index(es):
- Date
- Thread