RSA SecurID Software Token Security Best Practices Guide. Version 3




Contact Information

Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com.

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation ("EMC") in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License Agreement

The guide and any part thereof is proprietary and confidential to EMC and is provided only for internal use by licensee. Licensee may make copies only in accordance with such use and with the inclusion of the copyright notice below. The guide and any copies thereof may not be provided or otherwise made available to any other person. No title to or ownership of the guide or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of the guide may be subject to civil and/or criminal liability. The guide is subject to update without notice and should not be construed as a commitment by EMC.

Note on Encryption Technologies

The referenced product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting the referenced product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

Disclaimer

EMC does not make any commitment with respect to the software outside of the applicable license agreement. EMC believes the information in this publication is accurate as of its publication date. EMC disclaims any obligation to update after the date hereof. The information is subject to update without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED TO SUGGEST BEST PRACTICES, IS PROVIDED "AS IS," AND SHALL NOT BE CONSIDERED PRODUCT DOCUMENTATION OR SPECIFICATIONS UNDER THE TERMS OF ANY LICENSE OR SIMILAR AGREEMENT. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

All references to EMC shall mean EMC and its direct and indirect wholly-owned subsidiaries, including RSA Security LLC.

Copyright 2011 EMC Corporation. All Rights Reserved. April 2011

Revision History

Revision 1, March 17, 2011: Version 1.

Revision 2, March 21, 2011:
- Protecting Mobile Devices: Added information about Microsoft Exchange ActiveSync.
- PIN Management: Provided more detailed software token PIN recommendations for RSA Authentication Manager 6.1 and 7.1. Revised recommendations for configuring PIN policies.
- Device Management: Changed "Token binding" to "Token device binding".
- Help Desk Guidance: Removed the reference to device password.
- Customer Support Information: New list of Customer Support phone numbers.

Revision 3, April 8, 2011:
- Protecting Software Token Distribution Files: Added information about using default settings when issuing software tokens.
- PINless Tokens: New section of recommendations for using PINless tokens.
- PIN Management: New links to Knowledgebase articles that provide procedures related to the recommendations. Reprioritized the list of recommendations.
- Preventing Social Engineering Attacks: New recommendations about Help Desk administrators interacting with users.
- Confirming a User's Identity: New section for Help Desk administrators describing methods of confirming a user's identity.

Introduction

This guide is intended to help identify configuration options and best practices designed to ensure secure operation of RSA SecurID Software Token products, and to offer maintenance recommendations. However, it is up to you to ensure the products are properly monitored and maintained when put on your network. Use this guide in conjunction with your software token documentation, and with your applicable RSA Authentication Manager product documentation and the RSA Authentication Manager Security Best Practices Guide.

RSA periodically assesses and improves all product documentation. Please check RSA SecurCare Online for the latest documentation.

Protecting Software Token Distribution Files

RSA strongly recommends that all RSA SecurID Software Token products distributed as files or as Compressed Token Format (CTF) strings be protected with strong passwords that conform to best practices for password selection. RSA also strongly recommends that all software token distribution files or strings use device binding, which is designed to limit the installation of tokens to only those machines matching the binding information. Refer to your software token documentation for details on implementing token binding for your platform.

By default, in Authentication Manager 6.x and 7.x, the software token seed is securely randomized when the token is issued, so that the previous seed is no longer valid. The default settings should always be used. (In Authentication Manager 6.1, Retain Token Info should be disabled; in Authentication Manager 7.1, Regenerate Token should be enabled.)

PINless Tokens

If you use PINless RSA SecurID tokens (also known as Tokencode Only), you should immediately ensure that a second authentication factor, such as a Windows password, is required to authenticate to protected systems.

Important: If the system does not have a second factor and one cannot be implemented, RSA strongly recommends switching your RSA SecurID tokens to require a PIN immediately. If you cannot switch all tokens to require a PIN, RSA strongly recommends auditing agents on systems that do not require a second authentication factor for PINless token users.

Implement help desk procedures that ensure that administrators:
- allow a user to authenticate with a PINless token only when the user requires access to systems that enforce an additional authentication factor.
- allow a user to authenticate with a PINless token only when a second authentication factor is required on every system the user may access.
- flag groups that contain users with PINless tokens, to ensure that these groups are enabled only on agents that protect systems requiring a second authentication factor.

If you use PINless tokens, RSA strongly recommends that the audit trails of the following administrative activities be carefully monitored:
- agent creation
- group creation and assignment
- group membership changes
- token assignment
- PINless token enablement
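The audit-trail monitoring and the group-flagging procedure above can be scripted. The following is an added example, not code from this guide or from RSA: it reads a constructed audit trail in a hypothetical pipe-delimited format (the page does not describe Authentication Manager's real audit log format), collects every watched administrative action for review, and raises an alert as soon as a group that contains a PINless-token user is enabled on an agent that has not been recorded as enforcing a second factor. The action names, field names, sample lines and class names are all assumptions.

```python
"""Added example: watch an audit trail for PINless-token exposure.

Assumed (hypothetical) audit line format, one event per line:
    <timestamp>|<admin>|<action>|<key=value;key=value;...>
This is not RSA Authentication Manager's real audit format.
"""
from collections import defaultdict

# Administrative activities the guide says to monitor when PINless tokens are in use.
WATCHED_ACTIONS = {
    "AGENT_CREATE",       # agent creation
    "GROUP_CREATE",       # group creation
    "GROUP_ASSIGN",       # group assignment to an agent
    "GROUP_MEMBER_ADD",   # group membership change
    "TOKEN_ASSIGN",       # token assignment
    "PINLESS_ENABLE",     # PINless (Tokencode Only) enablement
}

# Constructed sample audit trail (not real data). The contractors group holds a
# PINless user and is later enabled on an agent that has no second factor.
SAMPLE_LOG = """\
2011-04-08T09:00:01|admin1|AGENT_CREATE|agent=vpn-gw;second_factor=yes
2011-04-08T09:00:05|admin1|AGENT_CREATE|agent=legacy-app;second_factor=no
2011-04-08T09:01:00|admin2|GROUP_CREATE|group=contractors
2011-04-08T09:01:30|admin2|TOKEN_ASSIGN|user=jdoe;serial=000123456789
2011-04-08T09:02:00|admin2|PINLESS_ENABLE|user=jdoe;serial=000123456789
2011-04-08T09:02:10|admin2|GROUP_MEMBER_ADD|group=contractors;user=jdoe
2011-04-08T09:03:00|admin2|GROUP_ASSIGN|group=contractors;agent=vpn-gw
2011-04-08T09:03:30|admin2|GROUP_ASSIGN|group=contractors;agent=legacy-app
2011-04-08T09:04:00|jdoe|AUTH_SUCCESS|agent=vpn-gw
"""


def parse_line(line):
    """Split one audit line into its fixed columns and a dict of key=value fields."""
    ts, admin, action, attrs = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in attrs.split(";") if kv)
    return {"ts": ts, "admin": admin, "action": action, "fields": fields}


class PinlessAuditMonitor:
    """Tracks agents, groups and PINless users seen in the audit trail and
    reports any PINless user reachable through an agent lacking a second factor."""

    def __init__(self):
        self.second_factor_agents = set()       # agents recorded as enforcing a 2nd factor
        self.pinless_users = set()
        self.group_members = defaultdict(set)   # group -> users
        self.group_agents = defaultdict(set)    # group -> agents the group is enabled on
        self.watched_events = []                # every watched admin action, for review
        self.alerts = []
        self._raised = set()                    # (group, agent, user) already alerted

    def feed(self, line):
        ev = parse_line(line)
        f, action = ev["fields"], ev["action"]
        if action in WATCHED_ACTIONS:
            self.watched_events.append(ev)
        if action == "AGENT_CREATE" and f.get("second_factor") == "yes":
            self.second_factor_agents.add(f["agent"])
        elif action == "PINLESS_ENABLE":
            self.pinless_users.add(f["user"])
        elif action == "GROUP_MEMBER_ADD":
            self.group_members[f["group"]].add(f["user"])
        elif action == "GROUP_ASSIGN":
            self.group_agents[f["group"]].add(f["agent"])
        self._recheck(ev)

    def _recheck(self, ev):
        # Membership, agent assignment and PINless enablement can each create an
        # exposure, so re-evaluate every group after each event. An agent never
        # recorded with second_factor=yes is conservatively treated as lacking one.
        for group, agents in self.group_agents.items():
            exposed = self.group_members.get(group, set()) & self.pinless_users
            for agent in sorted(agents - self.second_factor_agents):
                for user in sorted(exposed):
                    key = (group, agent, user)
                    if key not in self._raised:
                        self._raised.add(key)
                        self.alerts.append({
                            "ts": ev["ts"], "admin": ev["admin"], "group": group,
                            "agent": agent, "user": user,
                            "reason": "PINless user reachable via agent without second factor",
                        })


def analyze(log_text):
    """Run the monitor over a whole log and return it for inspection."""
    mon = PinlessAuditMonitor()
    for line in log_text.splitlines():
        if line.strip():
            mon.feed(line)
    return mon


if __name__ == "__main__":
    mon = analyze(SAMPLE_LOG)
    for ev in mon.watched_events:
        print("REVIEW", ev["ts"], ev["admin"], ev["action"], ev["fields"])
    for a in mon.alerts:
        print("ALERT ", a)
```

Run against the sample trail, the eight watched events are listed for review and one alert is raised at the moment admin2 enables the contractors group on legacy-app, because jdoe holds a PINless token and legacy-app was never recorded as enforcing a second factor. The earlier assignment to vpn-gw raises nothing.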

Protecting Desktop and Laptop Devices

The Windows or Mac OS operating system provides the foundation of the security environment for the RSA SecurID Software Token product for desktops. RSA strongly recommends that users keep their operating system updated with the latest security patches to help maintain the overall security of the platform. In addition, RSA strongly recommends that software token users set a device password to protect all tokens stored on the local hard drive. Setting a device password helps ensure that only the user for whom the tokens are intended can access them.

Protecting Mobile Devices

When available, RSA recommends that you enable the device PIN or device password offered by your mobile or tablet platform. Once enabled, the PIN or password must be entered to access the applications installed on the device. Enterprises should establish policies requiring the use of a device PIN for access when deploying RSA SecurID Software Token products to mobile platforms. In the case of BlackBerry deployments, the BlackBerry Enterprise Server (BES) may be used to enforce these policies across all managed BlackBerry devices. Microsoft Exchange ActiveSync provides similar controls for iPhone, iPad, Android and other devices.

Recommendations for Users

Token Distribution Media

Upon successful completion of the token provisioning operation for the platform, you should instruct end users to remove all e-mails and files containing token distribution file information from the application or file system from which the token information was originally obtained. This includes e-mails with links containing Compressed Token Format (CTF) data obtained from the Token Converter tool, file attachments containing token distribution files, and e-mails and files containing CT-KIP activation codes and URLs. The RSA SecurID Software Token products attempt to remove this information upon successful import, but e-mail systems and other applications are beyond the scope of the software token application.

RSA strongly recommends that end users never share their token files, strings, or activation codes with anyone, and accept token provisioning information only from trusted sources.

PIN Management

RSA strongly recommends the following to protect RSA SecurID PINs:

- Configure Authentication Manager to lock out a user after three failed authentication attempts. Require manual intervention to unlock users who repeatedly fail authentication. For information about configuring the number of failed attempts, see the following Knowledgebase articles:
  For Authentication Manager 7.1: a54315 - How to change the failed authentication thresholds.
  For Authentication Manager 6.1: a54318 - How to modify number of Incorrect Passcodes before next tokencode mode or disabling token.
- Instruct all users to guard their PINs and never to tell anyone their PINs. Administrators should never ask for or know the user's PIN.
- Configure Authentication Manager to require users to change their PINs at regular intervals. These intervals should be no more than 60 days. If you use 4-digit numeric PINs, the intervals should be no more than 30 days. For information about configuring PIN lifetime intervals, see the following Knowledgebase articles:
  For Authentication Manager 5.2 and 6.1: a54380 - How do I regenerate the token seed when issuing Software Tokens in Authentication Manager 5.2 and 6.1?
  For Authentication Manager 7.1: a54379 - How do I regenerate the token seed when issuing Software Tokens in Authentication Manager 7.1?
- For Authentication Manager 7.1, configure policies that restrict the re-use of PINs.
- For Authentication Manager 7.1, configure the use of the dictionary to prevent the use of simple PINs.
- For RSA Authentication Manager 6.1, the software token PIN should be equal in length to the tokencode, and all numeric.
- For Authentication Manager 7.1:
  when software tokens are issued as PINPad-style tokens (the Displayed Value is set to Passcode in the Software Token Settings), the software token PIN should be equal in length to the tokencode, and all numeric.
  when software tokens are issued as fob-style tokens (the Displayed Value is set to Tokencode in the Software Token Settings), the software token PIN should be alphanumeric and eight characters in length.

Note: It is important to strike the right balance between security best practices and user convenience. If 8-character alphanumeric PINs are too complex, find the strongest PIN policy that best suits your user community.
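As an added illustration, not Authentication Manager's code and not from this guide, the following Python encodes the PIN recommendations above as checks that a provisioning or help-desk script could run: the 7.1 policy selection by Displayed Value, the length and character-class rules for PINPad-style and fob-style tokens, a small simple-PIN dictionary and a reuse history standing in for the 7.1 dictionary and re-use policies, the 60-day (30-day for 4-digit numeric) PIN lifetime, and a three-strike lockout that stays in force until an administrator clears it. The dictionary contents, the history depth of five, the reading of "alphanumeric" as requiring at least one letter, and all function and class names are assumptions.

```python
"""Added example: the PIN policy from this section as checkable rules.
Illustrative only; this is not Authentication Manager's implementation."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the 7.1 dictionary of simple PINs (assumption, not RSA's list).
SIMPLE_PINS = {"0000", "1111", "1234", "123456", "111111", "654321",
               "12345678", "password", "abcd1234", "qwerty12"}


@dataclass(frozen=True)
class PinPolicy:
    length: int                    # required PIN length
    numeric_only: bool             # True for PINPad-style (and 6.1) software tokens
    max_age_days: int              # 60 days, or 30 days for 4-digit numeric PINs
    history_size: int = 5          # previous PINs that may not be reused (assumed depth)
    max_failed_attempts: int = 3   # lock out after three failed attempts


def policy_for(displayed_value, tokencode_length=6):
    """Authentication Manager 7.1 Software Token Settings -> policy.
    Passcode (PINPad-style): all-numeric PIN as long as the tokencode.
    Tokencode (fob-style):   8-character alphanumeric PIN."""
    if displayed_value == "Passcode":
        max_age = 30 if tokencode_length == 4 else 60
        return PinPolicy(tokencode_length, True, max_age)
    if displayed_value == "Tokencode":
        return PinPolicy(8, False, 60)
    raise ValueError("displayed_value must be 'Passcode' or 'Tokencode'")


def validate_pin(pin, policy, previous_pins=()):
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    problems = []
    if len(pin) != policy.length:
        problems.append(f"length must be exactly {policy.length}")
    if policy.numeric_only:
        if not pin.isdigit():
            problems.append("must be all numeric")
    elif not pin.isalnum():
        problems.append("must contain only letters and digits")
    elif not any(c.isalpha() for c in pin):
        # Reading 'alphanumeric' as requiring at least one letter (assumption).
        problems.append("must contain at least one letter")
    if pin.lower() in SIMPLE_PINS:
        problems.append("too simple (in dictionary)")
    if pin and len(set(pin)) == 1:
        problems.append("all characters identical")
    if pin in list(previous_pins)[-policy.history_size:]:
        problems.append(f"reuses one of the last {policy.history_size} PINs")
    return problems


def pin_expired(last_changed, today, policy):
    """True once the PIN has reached its maximum lifetime and must be changed.
    Dates may be datetime.date objects or ISO strings such as '2011-04-08'."""
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return today - last_changed >= timedelta(days=policy.max_age_days)


class FailedAttemptLockout:
    """Counts failed authentications per user; locks at the threshold and stays
    locked until an administrator intervenes (a later correct passcode does not unlock)."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}
        self.locked = set()

    def record_failure(self, user):
        """Return True if the user is now locked out."""
        if user in self.locked:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.max_failed_attempts:
            self.locked.add(user)
        return user in self.locked

    def record_success(self, user):
        """Return True if the success may be honoured (False while locked)."""
        if user in self.locked:
            return False
        self.failures.pop(user, None)
        return True

    def is_locked(self, user):
        return user in self.locked

    def admin_unlock(self, user, admin):
        """Manual intervention; record the admin identity in the audit trail."""
        self.locked.discard(user)
        self.failures.pop(user, None)
        return (user, admin)


if __name__ == "__main__":
    fob = policy_for("Tokencode")
    print(validate_pin("a1b2c3d4", fob))   # []
    print(validate_pin("12345678", fob))   # dictionary hit, and no letter
    print(pin_expired("2011-03-01", "2011-04-08", policy_for("Passcode", 4)))   # True
```

The lockout deliberately ignores a subsequent correct passcode: once the threshold is hit, only admin_unlock clears the state, which is the manual intervention the first recommendation asks for. The two tokencode-length policies differ only in their age limit, so a deployment that moves from 4-digit to 6-digit PINPad PINs picks up the 60-day interval automatically.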

Device Management

To avoid authentication issues with RSA Authentication Manager or RSA SAE-based applications, RSA strongly recommends that end users install a token identified by a unique serial number on only one device. Installing a token with the same serial number on multiple devices with different time sources may result in authentication failures on the server. Token device binding should be used to simplify the end user experience and to prevent your end users from installing the same token on multiple devices.

Distribution of applications and software may take many forms on the various platforms. In many cases, the platform is owned by the end user, and may or may not be managed by the enterprise. RSA strongly recommends that end users be trained to obtain application software for their device from trusted sources only.

Lost devices represent lost tokens and should be reported as soon as possible to the Help Desk administrator. The Help Desk administrator must ensure the token is disabled for use until either the device is found or a replacement device is obtained and provisioned with a replacement token.

Help Desk Guidance

RSA strongly recommends educating end users about the information they should share with Help Desk administrators. End users should never disclose the token serial number, in whole or in part, to anyone other than a Help Desk administrator, and then only upon request when a problem is occurring with a token. End users should be aware of the information that Help Desk administrators should not request, including the device PIN or device password, PIN, tokencode, passcode or token distribution password. Any request for this information should signal to the end user that a social engineering attack may be in progress.

Supporting Your Users

It is crucial to have well defined policies around help desk procedures for your Authentication Manager. Help Desk administrators must understand the importance of PIN strength and the sensitivity of data like the user's login name and token serial number. Creating an environment where an end user is frequently asked for this kind of sensitive data increases the opportunity for social engineering attacks. Train end users to provide, and Help Desk administrators to request, the least amount of information needed in each situation.

Advice for Your Users

RSA strongly recommends that you instruct your users to do the following:
- Never give the token serial number, PIN, tokencode, token, passcode or passwords to anyone.
- To avoid phishing attacks, do not enter tokencodes into links that you clicked in e-mail. Instead, type in the URL of the reputable site to which you want to authenticate.
- Always log out of applications when you are done with them.
- Always lock your desktop when you step away.
- Regularly close your browser and clear your cache of data.
- Immediately report lost or stolen tokens.

Inform your users of what information requests to expect from Help Desk administrators.

Note: Consider regular training to communicate this guidance to users.

Preventing Social Engineering Attacks

Fraudsters frequently use social engineering attacks to trick unsuspecting employees or individuals into divulging sensitive data that can be used to gain access to protected systems. RSA strongly recommends that you use the following guidelines to reduce the likelihood of a successful social engineering attack:
- Help Desk administrators should ask only for a user's User ID over the phone when the user calls the help desk. Help Desk administrators should never ask for token serial numbers, tokencodes, PINs, passwords, and so on.
- The Help Desk telephone number should be well known to all users.
- Help Desk administrators should perform an action to confirm the user's identity before performing any administrative action on a user's token or PIN. For example, ask the user a question to which only they know the answer. For more information, see Confirming a User's Identity.
- If Help Desk administrators need to initiate contact with a user, they should not request any user information. Instead, users should be instructed to call the Help Desk back at a well-known Help Desk telephone number to ensure that the original request is legitimate.
- To confirm that all PIN changes are requested by authorized users, you should have a policy in place to notify users when their PINs have been changed. For example, send an e-mail notification to the user's corporate e-mail address, or leave a voicemail message. Users who suspect a change was made by an unauthorized person should contact the Help Desk.

Confirming a User's Identity

It is critical that your Help Desk administrators verify the end user's identity before performing any Help Desk operations on their behalf. Recommended actions include:
- Call the end user back on a phone owned by the organization and on a number that is already stored in the system.
  Important: Be wary of using mobile phones for identity confirmation, even if they are owned by the company, as mobile phone numbers are often stored in locations that are vulnerable to tampering or social engineering.
- Send the user an e-mail to a company e-mail address. If possible, use encrypted e-mail.
- Work with the employee's manager to verify the user's identity.
- Verify the identity in person.
- Use multiple open-ended questions from employee records (for example: Name one person in your group; What is your badge number?). Avoid yes/no questions.

Customer Support Information

For information, contact RSA Customer Support:
- U.S.: 1-800-782-4362, Option #5 for RSA, Option #1 for SecurCare note
- Canada: 1-800-543-4782, Option #5 for RSA, Option #1 for SecurCare note
- International: +1-508-497-7901, Option #5 for RSA, Option #1 for SecurCare note