RSA Authentication Manager 5.2 and 6.1 Security Best Practices Guide. Version5

RSA Authenticatin Manager 5.2 and 6.1 Security Best Practices Guide Versin5

Cntact Infrmatin G t the RSA crprate web site fr reginal Custmer Supprt telephne and fax numbers: www.rsa.cm. Trademarks RSA, the RSA Lg and EMC are either registered trademarks r trademarks f EMC Crpratin ( EMC ) in the United States and/r ther cuntries. All ther trademarks used herein are the prperty f their respective wners. Fr a list f RSA trademarks, g t www.rsa.cm/legal/trademarks_list.pdf. License Agreement The guide and any part theref is prprietary and cnfidential t EMC and is prvided nly fr internal use by licensee. Licensee may make cpies nly in accrdance with such use and with the inclusin f the cpyright ntice belw. The guide and any cpies theref may nt be prvided r therwise made available t any ther persn. N title t r wnership f the guide r any intellectual prperty rights theret is hereby transferred. Any unauthrized use r reprductin f the guide may be subject t civil and/r criminal liability. The guide is subject t update withut ntice and shuld nt be cnstrued as a cmmitment by EMC. Nte n Encryptin Technlgies The referenced prduct may cntain encryptin technlgy. Many cuntries prhibit r restrict the use, imprt, r exprt f encryptin technlgies, and current use, imprt, and exprt regulatins shuld be fllwed when using, imprting r exprting the referenced prduct. Distributin Use, cpying, and distributin f any EMC sftware described in this publicatin requires an applicable sftware license. Disclaimer EMC des nt make any cmmitment with respect t the sftware utside f the applicable license agreement. EMC believes the infrmatin in this publicatin is accurate as f its publicatin date. EMC disclaims any bligatin t update after the date heref. The infrmatin is subject t update withut ntice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED TO SUGGEST BEST PRACTICES, IS PROVIDED AS IS, AND SHALL NOT BE CONSIDERED PRODUCT DOCUMENTATION OR SPECIFICATIONS UNDER THE TERMS OF ANY LICENSE OR SIMILAR AGREEMENT. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. All references t EMC shall mean EMC and its direct and indirect whlly-wned subsidiaries, including RSA Security LLC. Cpyright 2011 EMC Crpratin. All Rights Reserved. Nvember 2011

Revisin Histry Revisin Number Date Sectin Revisin 1 March 17, 2011 2 March 21, 2011 Critical Sectins Immediately After Setup Prtecting Tkens System Hardening and Deplyment Cnsideratins Using a Firewall Preventing Scial Engineering Attacks PIN Management Custmer Supprt Infrmatin Versin 1 New sectin with links t imprtant areas f the dcument. New infrmatin n disabling lcal hst mde administratin. New sectin fr recmmendatins n passwrd plicies. Recmmendatins n PINless tkens. New recmmendatins n Authenticatin Manager self-service plicies and access. New recmmendatin n using sftware and hardware firewalls. New reminder that users shuld be familiar with the Help Desk phne number. Revised recmmendatins fr cnfiguring PIN plicies. Nte n issue when changing shrt PINs t 8-digit PINs and new PIN mde. New recmmendatin n using 4-character PINs. New descriptin f the ptential impact f changing PIN plicies. New recmmendatin n lckut plicy. New recmmendatin n using systemgenerated PINs with RADIUS PAP. New list f Custmer Supprt phne numbers. 3

3 April 8, 2011 4 July 28, 2011 5 Nvember 2011 Prtecting Tkens Mnitring Authenticatin Manager PIN Management Emergency Access and Static Passwrds PINless Tkens Distributing Sftware Tkens Prtecting Authenticatin Manager Envirnment Preventing Scial Engineering Attacks Cnfirming A User s Identity New links t Knwledgebase articles that prvide prcedures related t the recmmendatins. New sectin f recmmendatins fr using PINless tkens. Added infrmatin abut using default settings when issuing sftware tkens. Added a nte abut securing test envirnments. New recmmendatins abut Help Desk administratrs interacting with users. New sectin fr Help Desk administratrs describing methds f cnfirming a user s identity. PIN Management Repriritized the list f recmmendatins. New recmmendatins abut changing PIN plicy and the effect n Help Desk calls. Masking Tken Serial Numbers Displayed in Lg messages Preventing Scial Engineering Attacks PIN Management New recmmendatin and descriptin f the new functinality that allws administratrs t restrict the inclusin f tken serial numbers in lgs. Additinal infrmatin abut resynchrnizing tkens. New nte t restart the server after making changes t PIN plicies. 4

Critical Sectins Prtecting the Authenticatin Manager Envirnment: Page 10 Prtecting Sensitive Data: Page 14 Preventing Scial Engineering Attacks: Page 16 PIN Management: Page 17 Intrductin This guide is intended t help identify cnfiguratin ptins and best practices designed t help ensure crrect peratin f RSA Authenticatin Manager 5.2 and 6.1, and ffer maintenance recmmendatins. Hwever, it is up t yu t ensure the prducts are prperly mnitred and maintained when implemented n yur netwrk, and t develp apprpriate crprate plicies regarding administratr access and auditing. RSA peridically assesses and imprves all prduct dcumentatin. Please check RSA SecurCare Online (SCOL) fr the latest dcumentatin. When deplying sftware tkens, use this guide in cnjunctin with yur sftware tken dcumentatin and the RSA SecurID Sftware Tken Best Practices Guide. In additin t the recmmendatins in this best practices dcument, RSA strngly recmmends that yu fllw industry best practices fr hardening the netwrk infrastructure, such as keeping up with the latest perating system patches, segmenting yur netwrk and mnitring yur netwrk fr intrusins. Imprtant: All references t Authenticatin Manager als apply t RSA SecurID Appliance 2.0. 5

Immediately After Setup Lg n t Authenticatin Manager lcally, set up an RSA SecurID-prtected Administratr accunt that yu can use t perfrm the rest f the initial setup using Authenticatin Manager in remte mde. After cnfiguring the Authenticatin Manager fr remte administratin, disable lcal hst mde n the Authenticatin Manager system. Instead, manage the Authenticatin Manager frm a machine running the Remte Administratin applicatin. T disable lcal hst mde, add ne r mre administratrs in additin t the administratr wh installed Authenticatin Manager and enable them fr RSA SecurID tkens. Then delete the accunt f the administratr wh installed Authenticatin Manager. During installatin, a single Authenticatin Manager administratr accunt is created. By default, RSA Authenticatin Manager is cnfigured t allw remte administratin. Immediately after accessing the Database Administratin applicatin fr the first time, RSA strngly recmmends that yu d the fllwing: Create a user recrd fr yurself and assign administratr privileges and an RSA SecurID tken t it. Verify that the System Parameters require RSA SecurID Cards and Fbs fr authenticatin f remte administratr accunts. Install the remte database administratin sftware n a secure Windws-based machine. Prtecting Tkens Imprting new tkens and distributing tkens t users are sensitive peratins and if nt dne prperly culd expse an rganizatin t security risks. Belw is a list f recmmendatins designed t minimize risk during these sensitive peratins. Imprtant: RSA strngly recmmends that yu d nt assign mre than ne tken t a user as this may reduce the likelihd that users will reprt a lst r stlen tken. Fr infrmatin abut determining which users have PINless tkens, see the Knwledgebase article: a54307 - Identify all Tkencde-Only (PINless) tkens. 6

PINless Tkens If yu use PINless RSA SecurID tkens (als knwn as Tkencde Only), yu shuld immediately ensure that a secnd authenticatin factr, such as a Windws passwrd, is required t authenticate t prtected systems. Imprtant: If the system des nt have a secnd factr and ne cannt be implemented, RSA strngly recmmends switching yur RSA SecurID tkens t require a PIN immediately. If yu cannt switch all tkens t require a PIN, RSA strngly recmmends auditing agents n systems that d nt require a secnd authenticatin factr fr PINless tken users. Implement help desk prcedures that ensure that administratrs: allw a user t authenticate with a PINless tken nly when the user requires access t systems that enfrce an additinal authenticatin factr. allw a user t authenticate with a PINless tken nly when there is a secnd authenticatin factr required n every system the user may access. flag grups that cntain users with PINless tkens t ensure that these grups are enabled nly n agents that prtect systems that require a secnd authenticatin factr. flag users f PINless tkens t ensure that these users are enabled nly n agents that prtect systems that require a secnd authenticatin factr. If yu use PINless tkens, RSA strngly recmmends that the audit trails f the fllwing administrative activities be carefully mnitred: agent creatin grup creatin and assignment grup membership changes tken assignment PINless tken enablement 7

Prtecting Tken Files RSA Manufacturing r certified partners deliver tken files fr imprt int yur systems. These files enable the use f strng authenticatin, and they cntain sensitive infrmatin abut tkens. RSA strngly recmmends the fllwing best practices: Limit access t these files t individuals respnsible fr the imprt f tkens int Authenticatin Manager. Stre backup cpies f Tken XML files in a secure lcatin, preferably encrypted in a secure lcatin with n netwrk cnnectivity. Files used fr the imprt peratin shuld be permanently deleted frm the file system when the imprt peratin is cmplete. If yu use multiple systems as temprary strage lcatins, immediately delete the tken files frm the temprary lcatin as sn as yu cpy it. Secure any media used t deliver tken infrmatin t yu. Masking Tken Serial Numbers Displayed in Lg Messages Fr Authenticatin Manager 6.1 installatins, RSA strngly recmmends that yu install RSA Authenticatin Manager 6.1.2 Ht Fix 239 t enhance prtectin f yur tken serial numbers. The ht fix is designed t allw yu t mask part f the tken serial number in lg data that is sent ver the netwrk. This capability helps ensure that any lg data sent in the clear ver a nn-secured netwrk that has Windws Event Lgging r Autmated Lg Maintenance cnfigured fllws RSA Authenticatin Manager Best Practices. Yu can cnfigure hw many tken serial number digits t display in the lg message. Masked digits display as the 'x' character. The masked digits are always at the beginning f the serial number, while the expsed digits are always at the end. Fr example, if yu cnfigure tken serial number masking t include 4 digits, the number displays as xxxxxxxx7056. Fr infrmatin abut hw t cnfigure tken serial number masking, see the RSA Authenticatin Manager 6.1.2 Ht Fix 239 Readme. 8

Distributing Hardware Tkens RSA strngly recmmends that yu take the fllwing steps t prtect yur hardware tkens: Distribute Hardware Tkens in a disabled state. Befre enabling a tken, Help Desk administratrs shuld perfrm an actin t cnfirm the user s identity. Fr example, ask the user ne r mre questins t which nly he r she knws the answer. D nt recrd the user s serial number utside the Authenticatin Manager server. See Preventing Scial Engineering Attacks n page 16. Distributing Sftware Tkens RSA strngly recmmends that yu take the fllwing steps t prtect yur sftware tkens: When generating the tken files fr distributin, prtect the files with a passwrd, which encrypts the file. Use passwrds that cnfrm t industry best practices. Use the Authenticatin Manager Database Administratin applicatin t bind sftware tkens t device IDs when issuing sftware tkens. This limits the installatin f tkens t nly thse machines that match the binding infrmatin. See yur Authenticatin Manager dcumentatin. By default, the sftware tken seed is securely randmized when the tken is issued s that the previus seed is n lnger valid. T ensure the default setting is always used, make sure "Retain Tken Inf" is disabled befre issuing a sftware tken. Handling Lst Tkens When a user reprts a lst tken, RSA strngly recmmends that yu take the fllwing steps: Help Desk administratrs shuld perfrm an actin t cnfirm the user s identity. Fr example, ask the user ne r mre questins t which nly he r she knws the answer t verify their identity. Ask the user when they lst the tken. Disable the tken. Make nte f the date and audit yur lgs fr authenticatin attempts with the lst tken until the tken is recvered. Fllw yur rganizatin s security plicy t address any suspicius authenticatin attempts. 9

Prtecting the Authenticatin Manager Envirnment It is very imprtant t prtect all physical, lcal and remte access t the Authenticatin Manager envirnment, including the Authenticatin Manager server, the database server, and Agent hsts. It is als very imprtant t restrict all access methds t the bare minimum required t maintain Authenticatin Manager. Nte: RSA strngly recmmends that yur Authenticatin Manager test envirnments nt be exact cpies f yur full prductin envirnment. If they are, yu shuld take the same precautins t prtect the test envirnment as yu d yur prductin envirnment. Physical Security Cntrls Physical security cntrls enable the added prtectin f resurces against unauthrized physical access and physical tampering. Authenticatin Manager is designed t be a critical infrastructure cmpnent s it is very imprtant that physical access be restricted t authrized persnnel nly. After installatin, authrized users nly need limited access t Authenticatin Manager and its perating system instance. While fllwing yur rganizatin s security plicy, RSA strngly recmmends the fllwing physical security cntrls: Allw nly authrized users t physically access Authenticatin Manager. After installatin, authrized users nly need limited access t Authenticatin Manager systems and cmpnents. Access t systems hsting Authenticatin Manager r its cmpnents shuld be physically secured, fr example, in cabinets with tamper-evident physical lcks, audited n-site access. Secure the server rm such that it s nly accessible by authrized persnnel and audit that access. Use rm lcks that allw traceability and auditing. Minimize the number f peple wh have physical access t devices hsting Authenticatin Manager server, agents, and instances f the Administratin Tlkit (ATK). Emply strng access cntrl and intrusin detectin mechanisms where the prduct cabling, switches, servers, and strage hardware reside. Place tamper evident stickers n each server chassis and ther hardware. 10

Remte Access t Server Envirnments Remte access t server system cmpnents shuld be limited, at a minimum using the fllwing appraches: Disable remte access methds fr the perating system, fr example telnet r ftp, that cmmunicate ver unsecured channels. Disable any ther remte access methd fr the perating system, fr example SSH, unless abslutely required fr maintenance. Disable immediately when maintenance is cmplete. Remte access t any hst r system cnnected t r managed by Authenticatin Manager, fr example, hsts with Agents installed, shuld be limited as indicated abve. Prperly scpe administratrs t limit the sites and grups they can manage based n yur crprate plicies fr their rle and psitin. Minimize the use f realm administratrs. Change the administratr authenticatin methds t require RSA SecurID Cards and Fbs fr authenticatin f remte administratr accunts. System Hardening and Deplyment Cnsideratins T help ensure the highest level f security and reduce the risk f intrusin r malicius system r data access, RSA strngly recmmends that yu fllw industry best practices fr hardening the netwrk infrastructure, including withut limitatin: Run anti-virus and anti-malware tls with the mst current definitin files. D nt directly cnnect Authenticatin Manager servers t the Internet r place them in a De- Militarized Zne (DMZ). D nt c-hst Authenticatin Manager n the same perating system instance with ther sftware. Examine yur self-service plicies and cnsider hardening self-service access and functinality. Limit access t Deplyment Manager nly t users inside yur crprate netwrk. RSA strngly recmmends that yu d nt allw users t clear their PIN with Deplyment Manager. Users that must clear their PIN shuld cntact the Help Desk. On UNIX systems, run Authenticatin Manager under its wn service accunt and restrict access t its files t that service accunt. This cannt be changed after installatin. 11

Using a Firewall It is imprtant t restrict netwrk traffic between Authenticatin Manager services and external systems. RSA strngly recmmends that custmers utilize firewalls designed t remve unnecessary netwrk access t Authenticatin Manager, and fllw netwrk security best practices. Fr infrmatin abut prt usage, see the Authenticatin Manager Installatin Guide, and nly allw inbund and utbund traffic n the dcumented prts t reach Authenticatin Manager. RSA als recmmends that custmers use a sftware firewall n the Authenticatin Manager server and segment Authenticatin Manager netwrk with a hardware firewall. Onging Mnitring & Auditing As with any critical infrastructure cmpnent, yu shuld cnstantly mnitr yur system and perfrm peridic and randm audits (cnfiguratin, permissins, and s n). Cnfiguratin Settings and Rles At a minimum, yu shuld review that the fllwing settings match cmpany plicy and functinal needs: Cnfiguratin Settings Administratrs and their task lists and scpe Agent Hst enabled lists 12

Mnitring Authenticatin Manager RSA strngly recmmends the fllwing: Run netwrk intrusin detectin systems and hst intrusin detectin systems in yur envirnment. Be sure t mnitr which prts are pen. Fr infrmatin abut prt usage, see the Authenticatin Manager Installatin Guide. Audit and analyze system and applicatin lgs peridically. Yu can use Security Infrmatin and Event Management t help yu with this task. Fr infrmatin abut the SNMP Plug-in fr RSA SecurID Appliance 2.0, see the fllwing Knwledgebase article: a54310 - Hw t btain SecurID lg messages frm Appliance 2.0. Fr infrmatin abut using RSA envisin fr alerts, and fr the cllectin and analysis f data, see the fllwing Knwledgebase article: https://knwledge.rsasecurity.cm/dcs/rsa_env/device_cnfig/rsaauthmanager.pdf. Retain lg data in cmpliance with yur security plicies and lcal laws. Fr infrmatin abut methds f mnitring the Authenticatin Manager, see the fllwing Knwledgebase articles: a54309 Hw t send SecurID lgs t syslg fr mnitring a54300 - Use Custm Query t capture security-related audit lg messages Secure Maintenance Always apply the latest security patches fr RSA Authenticatin Manager, which are available frm RSA n RSA SecureCare Online (SCOL). Security Patch Management All security patches fr RSA prducts riginate at RSA and are available fr dwnlad as an update as lng as yu have a current maintenance agreement in place with RSA. Updates are available n RSA SecurCare Online at https://knwledge.rsasecurity.cm. RSA strngly recmmends that yu immediately register yur prduct and sign up fr RSA SecurCare Online Ntes & Security Advisries, which RSA distributes via e-mail t bring attentin t imprtant security infrmatin fr the affected RSA prducts. RSA strngly recmmends that all custmers determine the applicability f this infrmatin t their individual situatins and take apprpriate actin. 13

If yu want t receive r change which RSA prduct family Ntes & Security Advisries yu currently receive, lg n t RSA SecurCare Online at https://knwledge.rsasecurity.cm/sclcms/mysupprt.aspx. When yu apply an update, first apply it n the primary system, and then apply it n the replica systems. RSA strngly recmmends that custmers fllw best practices fr patch management and regularly review available patches fr all sftware n systems hsting Authenticatin Manager, including antivirus and anti-malware sftware, and perating system sftware. Nte: Apply patches t embedded third-party prducts nly as part f RSA-delivered patches. Fr example, all patches t the embedded Prgress database must cme frm RSA. Any required but nt embedded third party cmpnents fr sftware frm factr shuld be patched accrding t the vendr specific recmmendatins. Fr mre infrmatin, see yur RSA SecurID Appliance r Authenticatin Manager dcumentatin. Prtecting Sensitive Data Sensitive Files Cnsider keeping an encrypted cpy f the fllwing data ffline in a secure physical lcatin, such as a lcked safe, in accrdance with yur disaster recvery and business cntinuity plicies: Authenticatin Manager license files (sdti.cer, server.cer, server.key, and license.rec) Backup data Authenticatin Manager passwrds Archived lg files and reprt data T help prtect nline data, such as current lg files and cnfiguratin files, restrict access t the files and cnfigure file permissins s that nly trusted administratrs are allwed t access them. 14

Backups Mst sensitive data stred in a backup, such as user PINs, is encrypted. Hwever, ther sensitive data such as tken serial number and tken assignments are nt. Fr this reasn yu must take the fllwing steps t prtect yur backup data: When creating Appliance backups, generate the backup t the lcal file system. When mving it t a remte system, use a secure tl t perfrm the data transfer. Encrypt yur backups, especially when cntaining sftware tkens. Prtect the encryptin key in a secure lcatin, such as a safe. LDAP Synchrnizatin LDAP systems hld sensitive data that Authenticatin Manager frequently accesses. Take the fllwing steps designed t increase the security f this flw f infrmatin: Use SSL t cmmunicate with all directry servers. Regularly change the passwrd fr the accunts that cnnect t yur LDAP. The passwrd is specified as the passwrd fr the Binding DN in yur LDAP synchrnizatin jb. Agents Agent hsts are ften mre expsed t external threats than Authenticatin Manager. RSA strngly recmmends that yu take the fllwing steps t help prtect yur agent hsts. Update the perating system and hsted applicatins prtected by agents with the latest security patches. Limit physical access t the devices that hst agents. Limit remte access t privileged accunts n devices that hst agents. D nt cnfigure agents as pen t all users. RSA strngly recmmends restricting access t agents t specific users and grups. Ensure that the lcatin where yur agents are installed is prtected by strng access cntrl lists (ACL). Run anti-virus and anti-malware sftware. Run hst-based intrusin detectin systems. 15

If lgging is enabled, write lgs t a secure lcatin. D nt mdify any agent file permissins and wnerships. D nt allw unauthrized users t access agent files. When yu integrate an agent int a custm applicatin, make sure yu fllw industry standard best practices t develp a secure custm applicatin. Supprting Yur Users It is imprtant t have well defined plicies arund help desk prcedures fr yur Authenticatin Manager. Help Desk administratrs must understand the imprtance f PIN strength and the sensitivity f data such as the user s lgin name and tken serial number. Creating an envirnment where an end user is frequently asked fr this kind f sensitive data increases the pprtunity fr scial engineering attacks. Train end users t prvide, and Help Desk administratrs t request the least amunt f infrmatin needed in each situatin. Preventing Scial Engineering Attacks Fraudsters frequently use scial engineering attacks t trick unsuspecting emplyees r individuals int divulging sensitive data that can be used t gain access t prtected systems. Use the fllwing guidelines t reduce the likelihd f a successful scial engineering attack: Help Desk administratrs shuld nly ask fr a user s User ID ver the phne when they call the help desk. Help Desk administratrs shuld never ask fr tken serial numbers, tkencdes, PINs, passwrds, and s n. Nte: When resynchrnizing tkens, users shuld enter tkencdes in the administrative interface under the supervisin f the lgged in administratr. If the user is unable t enter tkencdes in this way, make sure that the user adheres t the ther recmmendatins in this sectin and that administratrs adhere t the recmmendatins in the fllwing sectin Cnfirming a User s Identity when it is necessary t resynchrnize a tken. The Help Desk telephne number shuld be well-knwn t all users. Help Desk administratrs shuld perfrm an actin t authenticate the user s identity befre perfrming any administrative actin n a user s tken r PIN. Fr example, ask the user ne r mre questins that nly he r she knws the answer t verify their identity. Fr mre infrmatin, see Cnfirming a User s Identity. 16

If Help Desk administratrs need t initiate cntact with a user, they shuld nt request any user infrmatin. Instead, users shuld be instructed t call back the Help Desk at a well-knwn Help Desk telephne number t ensure that the riginal request is legitimate. T cnfirm that all PIN changes are requested by authrized users, yu shuld have a plicy in place t ntify users when their PINs have been changed. Fr example, send an e-mail ntificatin t the user s crprate e-mail address, r leave a vicemail message. Users that suspect a change was made by an unauthrized persn shuld cntact the Help Desk. Cnfirming a User s Identity It is critical that yur Help Desk Administratrs verify the end user s identity befre perfrming any Help Desk peratins n their behalf. Recmmended actins include: Call the end user back n a phne wned by the rganizatin and n a number that is already stred in the system. Imprtant: Be wary f using mbile phnes fr identity cnfirmatin, even if they are wned by the cmpany, as mbile phne numbers are ften stred in lcatins that are vulnerable t tampering r scial engineering. Send the user an e-mail t a cmpany email address. If pssible, use encrypted e-mail. Wrk with the emplyee s manager t verify the user s identity. Verify the identity in persn. Use multiple pen-ended questins frm emplyee recrds (ex. Name ne persn in yur grup; What is yur badge number?). Avid yes/n questins. PIN Management RSA strngly recmmends the fllwing t help prtect RSA SecurID PINs: Cnfigure Authenticatin Manager t lck ut a user after three failed authenticatin attempts. Require manual interventin t unlck users wh repeatedly fail authenticatin. Fr infrmatin abut cnfiguring the number f failed attempts, see the fllwing Knwledgebase article: a54318 Hw t mdify number f Incrrect Passcdes befre next tkencde mde r disabling tken. D nt use 4-character numeric PINs. If yu must use a shrt PIN (e.g. a 4-character PIN), require alphanumeric characters (a-z, A-Z, 0-9) when the tken type supprts them. 17

Yur crprate PIN plicy shuld require the use f 6-character t 8-character PINs. RSA recmmends that yur PIN plicy requires alphanumeric characters (a-z, A-Z, 0-9) when the tken type supprts them. Yu must cnfigure Authenticatin Manager t allw these characters. If yu mdify yur Authenticatin Manager PIN plicy settings, all users wh d nt meet the new plicy settings will be set t New PIN mde. If yu have changed yur Authenticatin Manager PIN plicy settings and users are nt being prmpted fr a new PIN, cntact RSA Custmer Supprt fr infrmatin n hw t frce the new PIN mde. Nte: It is imprtant t strike the right balance between security best practices and user cnvenience. If system-generated alpha numeric 8-digit PINs are t cmplex, find the strngest PIN plicy that best suits yur user cmmunity. Yu shuld ntify yur users befre yu update the plicy. If yu have a large number f users wh d nt meet the new plicy, yu may experience an increase in Help Desk calls. Yu can increase the cmplexity f user PINs by requiring system-generated PINs. Hwever, yu may be reducing security as peple may write dwn cmplex PINs, r call the Help Desk mre frequently t have their PINs cleared. Increased phne calls t the Help Desk t clear PINs increases the pssibility f a scial engineering attack frm unauthrized individuals psing as users. Fr mre infrmatin, see Cnfirming a User s Identity. Instruct all users t guard their PINs and t never tell anyne their PINs. Administratrs shuld never ask fr r knw the user s PIN. Cnfigure Authenticatin Manager t require users t change their PINs at regular intervals. These intervals shuld be n mre than 60 days. If yu use 4-digit numeric PINs, the intervals shuld be n mre than every 30 days. Fr sftware tkens, the PIN shuld be equal in length t the tkencde, and all numeric. Fr infrmatin abut requiring peridic PIN changes fr users, see the fllwing Knwledgebase article: a54302 Cnfigure Authenticatin Manager t require users t change their PINs at regular intervals Nte that mre frequent PIN changes may als result in an increase in Help Desk calls. RSA strngly recmmends that yu d nt use system-generated PINs in cnjunctin with the RADIUS PAP prtcl. 18

Fr infrmatin abut changing t a strnger PIN plicy, see the fllwing Knwledgebase articles: a54294 - Hw T PIN Management a54276 - Frce all tkens t be in New PIN mde, withut clearing PIN Fr infrmatin abut gradually phasing in a requirement fr users t change their PINs, see the fllwing Knwledgebase article: a54317 Set tkens specified in a text file int New PIN required mde. Imprtant: After making any changes t PIN plicies, restart the server t ensure that the changes take effect. Advice fr yur Users RSA strngly recmmends that yu instruct yur users t d the fllwing: Never give the tken serial number, PIN, tkencde, tken, passcde r passwrds t anyne. T help avid phishing attacks, d nt enter tkencdes int links that yu clicked in email. Instead, type in the URL f the reputable site t which yu want t authenticate. Infrm yur users f what infrmatin requests t expect frm Help Desk administratrs. Always lg ut f applicatins when yu re dne with them. Always lck yur desktp when yu step away. Regularly clse yur brwser and clear yur cache f data. Immediately reprt lst r stlen tkens Nte: Cnsider regular training t cmmunicate this guidance t users. Emergency Access and Static Passwrds Use temprary passwrds (either a fixed passwrd r a ne-time passwrd set) t grant emergency access t users. RSA strngly recmmends that yu adhere t the fllwing guidelines: Perfrm an actin t cnfirm the user s identity befre assigning the user a fixed passwrd r netime passwrd set. Fr example, ask the user a questin that nly they knw the answer t verify their identity D nt re-use the same fixed passwrd acrss multiple users. D nt use a predictable passwrd, fr example, d nt use the date. 19

Discntinue the use f static passwrds. Temprary passwrds are nt a permanent slutin t lst tkens. Ensure that temprary passwrds expire within a shrt perid f time. RSA strngly recmmends that temprary passwrds expire within a day. Fr infrmatin abut determining which users have static passwrds, see the Knwledgebase article: a54330 - Determine all users with static passwrds. Administratin Tlkit When using the Administratin Tlkit (ATK) (C r TCL interface), RSA recmmends that yu: Obfuscate passwrds accepted by the sftware whenever pssible (dn t shw keystrkes). Never accept passwrds n the cmmand line (STDIN is k). Prtect any secrets yu manage. D nt cnfigure the ATK t allw remte cnnectins. Deplyment Manager and Quick Admin RSA Authenticatin Manager 5.2 and 6.1 includes a service called sdcmmd r, alternatively the web admin service r the quick admin service, which is needed t run Deplyment Manager prvisining and Quick Admin administratin. If yu are running Deplyment Manager r Quick Admin, d the fllwing: Make sure that the sdcmmd cnfiguratin file cntains nly thse remte systems that need t cnnect t Authenticatin Manager using the sdcmmd service. On Windws the cnfiguratin file is Sdcmmdcnfig.txt. On Unix the file is sdcmmd.txt. Peridically audit yur sdcmmd cnfiguratin file t make sure the list f allwed systems is crrect. Deplyment Manager uses an administratr accunt t perfrm its tasks. Restrict the scpe f this accunt t the minimal scpe apprpriate fr yur envirnment. Fr example, if all users created by web express shuld be in the self service AM Grup, restrict Web Express t the AM self service grup. Use the Authenticatin Manager Database Administratin applicatin t assign an empty task list t the accunt. 20

Custmer Supprt Infrmatin Fr infrmatin, cntact RSA Custmer Supprt: U.S.: 1-800-782-4362, Optin #5 fr RSA, Optin #1 fr SecurCare nte Canada: 1-800-543-4782, Optin #5 fr RSA, Optin #1 fr SecurCare nte Internatinal: +1-508-497-7901, Optin #5 fr RSA, Optin #1 fr SecurCare nte 21