RSA SecurID®

for Microsoft® Windows®

Gary LauCISSP, CISA

Principal ConsultantNorth Asia

Agenda

• RSA SecurID – the standard for

Strong 2 Factors Authentication

• Authentication in the Enterprise

• Authentication to Microsoft Windows

• How It Works

• Other MS Solutions that are RSA Ready

Need to accessinformation

Need to protectcorporate resources

The Business Problem

The Business Problem

• Low security of static password

• Difficult to remember

• Inconsistent user experience

• Users write them down

• Help desk costs

• Unproductive users

• Frustration

Passwords Are a Big Problem

Problems with passwords were mentioned spontaneously in 2

2003 focus groups:

• “You have to log in and have complicated, long passwords with numbers and digits”

• “I just see my friends trying to use (their passwords) and forgetting them all the time”

• Many consumer applications force multiple logons with different user names, passwords, account numbers

Consumer fraud complaints for 2003

• Identity theft 43%

• Internet auctions 13%

• Internet services, computer complaints 6%

• Shop-at-home, catalog offers 5%

• Advance fee loans, credit protection 5%

• Prizes/sweepstakes/gifts 4%

Source: Federal Trade Commission

• Foreign money offers 4%

• Business opportunities, work-at-home plans 3%

• Magazines, buyers clubs 2%

• Telephone services 2%

• Healthcare 2%

The Fastest Growing Crime

In September 2003, the Federal Trade Commission (FTC) reported

that identity theft had affected nearly 10 million Americans and cost

almost $53 billion in the previous year.$53 Billion$53 BillionWorldwide, identity theft and related crimes are projected to cost an

estimated $221 billion in 2003. If the current 300% compound annual

growth rate continues, annual losses worldwide could top $2 trillion

by 2005.$2 Trillion$2 Trillion

Auditing

• Multiple access points

• Multiple logs

• Compliance requirements

Methods of Authentication

• Something you know

—Password, PIN, “mother’s maiden

name”

• Something you have

—magnetic card, smart card, token,

Physical key

• Something unique about you

—Finger print, voice, retina, iris

“1059”

Bank 1234 5678 9010

Solving the Password Problem• Combine something you have ...

— your ATM card, for example

• ... with something you know ...

— your PIN

• ... with something you know ...

— your PIN

+ PIN+ PIN

= Two-factor authentication!= Two-factor authentication!

Grant access:Y/N?

User enters Passcode

(PIN + token code)

Security

• Proven security

• 15 million users

• 14,000 customers

ACE / Server

ACE / AgentsSecurID Authenticators

RSA SecurID Product Family Components

PASSCODE = +PIN TOKENCODE

Two-factor Authenticationwith RSA SecurID

PIN TOKENCODE

Login: GLAUPasscode: 2468234836

Token code: Changes every 60

seconds

Unique seedInternal battery

Clock synchronized to UCT / GMT

Intranet

EnterpriseWeb Server or Portal Server

ApplicationsApplications&&

ResourcesResources

How Customers Use RSA SecurID

RAS

RSA Agent

Remote Access

RSA ACE/Server

Internet

RSA Agent

Internet Access

VPN or Firewall

E-Business

Enterprise Access

WLAN

Others

Authentication in the Enterprise Past: Strong Authentication for Remote Access

RSA SecurID users

Sysadmins

~20%~20%RAS/VPN

Mobile

workforce

EnterpriseEnterprise

Mobile workforce required to strongly authenticate

Everyone else uses passwords. Why?

•Assumption that because a person is in the building, I can better trust them•No real alternative

Authentication in the EnterprisePresent: Network is opening up, getting more porous

EnterpriseEnterprise

Customers & Partners

WLAN

Web Sysadmins

~30%~30%

RAS/VPN

Mobile

workforce

RSA SecurID users

Strong authentication being required to use• WLAN• Web• SSL VPN

But passwords still the way to authenticate to Windows

•No real alternative

Authentication to Microsoft Windows Today: Username and password

Today a user types in his Username

and Windows password to

authenticate to the network.

Authentication to Microsoft Windows Tomorrow: Username and passcode

Supports:•Local•Domain•Terminal Services•Password Integration•Online and Offline

RSA SecurID Login

Simplicity

• Simple

• Consistent

• Secure

VPN

Windows

Wireless

Web portal

Applications

Auditability

• Centralized logging

• Robust reporting

VPN

Windows

Wireless

Web portal

Applications

RSA SecurID for Microsoft WindowsConfiguration Requirements

Desktop/Laptop Domain Controller RSA ACE Server

RSA ACE/Agent 6.0 Client RSA ACE/Agent 6.0 RSA ACE/Server 6.0

Window: 2000, XP, 2003 Microsoft: 2000 & 2003 Microsoft Server: 2000 & 2003

GINA Replacement AD userid and RSA ACE/Server userid must be the same

Auto Install via MSI

RSA SecurID Architecture

RSA ACE/Agents

Web Server

RSA ACE/AgentFirewall

VPN

DMZDMZRSA

ACE/Server (primary)

RSA ACE/Agents

PDC

IntranetIntranetFirewall

RSA ACE/Server

(replica)

RAS

RSA hashed

Passcode store

How It WorksUser on-line (Network Connected)

RSA ACE/Server

1. Username and passcode

2. Username and passcode provided to ACE/Server along with date/time of last available passcode

5. Username, Windows password supplied to AD

Domain Controller

3 and 4. Agent is told Authentication was successful and is provided:- Windows password- Ticket for hashed passcode retrieval

7. ACE/Server provides to passcode store:- Hashed passcodes- Emergency access password- Encrypted Windows password (for use when offline)

6. Kerberos Ticket supplied to desktop

RSA hashed

Passcode store

How It WorksUser off-line (Network disconnected)

RSA ACE/Server

1. Username and passcode, or emergency access code

2. Username and Passcode(or emergency access code)

5. Username, Windows password6. Offline

Kerberos ticket

Microsoft’scached

credentials

3 and 4. Authentication successful- Decrypted Windows password

Laptop

RSA SecurID for Microsoft Windows Windows Password

• Windows Password Security Policy Options

— Make the password long, complicated and static since its of no use without Strong Authentication

— Continue forced MS password change:

• Admin forces a password change or it expires

• Old password automatically filled in by RSA ACE/Server

• New password typed by end user and stored in RSA ACE/Server

• Handled gracefully in online and offline mode

RSA SecurID for Microsoft Windows Administrative Configuration Options

• System-wide Settings

— Allow/deny – offline use

— # of days users can be offline

— Warn user of limited offline days

— # of bad passcodes before locking user’s token

— Accept an offline authentication or require re-authentication upon reconnect

— Bring log of offline events from clients into A/S log database

• Emergency Access

— Help desk can provide end user emergency access code for when end user forgets PIN, forgets token, or runs out of offline days

Other Microsoft Solutions that are RSA Ready

Already Certified MS Solutions

• MS Active Directory Application Mode

• MS Active Directory

• MS Certificate Services

• MS Crypto API

• MS Exchange ActiveSync

• MS Exchange Server

• MS Internet Explorer

• MS IIS

• MS ISA Server

• MS Mobile Information Server

• MS Office XP

• MS OWA

• MS Outlook/Outlook Express

• MS Routing and Remote Access

• MS Windows 2000

• MS Windows NT

• MS Windows XP

Sources: www.rsasecured.com

RSA SecurID with Microsoft Exchange ActiveSync

Start -> ActiveSyncEnter UsernameEnter Username and PASSCODE

Success and start synchronization!

RSA SecurID with Microsoft ISA Server (VPN)

RSA SecurID with Microsoft OWA

RSA SecurID with Microsoft Mobile Information Server

Summary

RSA SecurID for Microsoft Windows

• Secure

• Simple

• Auditable

RSA SecurID for Microsoft Windows

Thank you!!

Please visit www.rsasecured.com for other RSA certified products.

khlau@rsasecurity.com

www.rsasecurity.com