RSA Authentication Manager allows you to require the Security Console and the Self-Service Console to display the same response for both valid and invalid usernames, instead of returning different responses.
This feature helps to prevent an attacker from learning which usernames are valid. These usernames can be used for brute force attacks on user passwords, to attempt to reset passwords, to lock user accounts with invalid logon attempts, to deny users access to their accounts, or for social engineering.
After you complete the procedure below, the Self-Service Console prompts every user to select from a drop-down list of authentication methods that are configured in the RSA Authentication Manager deployment. These methods can include password, passcode, or on-demand authentication.
Before you begin
Obtain the rsaadmin operating system password.
Procedure
- Log on to the appliance using an SSH client.
- When prompted for the user name and password, enter the operating system User ID, rsaadmin, and the operating system account password.
- Change directories:
cd /opt/rsa/am/utils
- To add the parameter that allows the Security Console and the Self-Service Console to give the same response for both valid and invalid usernames, enter:
./rsautil store -o admin -a add_config ims.authentication.service.all.methodchoice false GLOBAL 500
- To require the Security Console and Self-Service Console to give the same response for both valid and invalid usernames, enter:
./rsautil store -o admin -a update_config ims.authentication.service.all.methodchoice true GLOBAL 500
- Restart the services on the primary instance. If there are replica instances, restart the services after replication is complete.
- Change directories:
cd /opt/rsa/am/server
- Run the following:
./rsaserv restart all
You are here
Table of Contents > General Configuration > Require the Security Console and Self-Service Console to Provide the Same Response for Valid and Invalid Usernames
