Article Content
Article Number | 000038056 |
Applies To | RSA Product Set: SecurID RSA Product/Service Type: Authentication Agent for Windows RSA Version/Condition: 7.4 |
Issue | A Windows user with administrative rights can enable the Reserve Password in the RSA Control Center. This ability raises two questions:
|
Tasks | Configure the GPO one of two ways: either disable or override. |
Resolution | Domain policies take precedence over settings made in the RSA Control Center. Thus, a domain policy can be pushed with a Reserve Password to prevent a privileged user from setting a Reserve Password through either the RSA Control Center or the locally installed GPO templates. The domain policy can set a totally bogus Reserve Password if all you want to do is to block users from setting their own. Alternatively, you could set a reserve password in the domain policy that only certain Authentication Manager administrators know. This password can be changed periodically to ensure its' security. |
Notes | If users have administrative privileges, pushing out domain policies is probably a generally good practice for maintaining control, even for policies for which the default agent behavior is the behavior that you want. |