Article Number
000044247
Applies To
Product Set: SecurID
Product/Service Type: Authentication Agent for Web: IIS
Version/Condition: 8.0.x
Issue
After a successful installation of the IIS Authentication Agent on an IIS server, the RSA Agent login page sets the rsa-csrf cookie without the Secure attribute, and after a successful authentication both the rsa-csrf and the rsa-local cookies are present, neither marked as Secure.
This is seen as a security risk because a cookie without the Secure attribute is also sent on plain HTTP requests to the same host, so an attacker positioned on the network path (for example through a man-in-the-middle attack) could capture it in cleartext. This is unlikely here because HSTS is enabled, which makes the browser refuse to send plain HTTP requests to the site, but the cookies should still be marked Secure.
Resolution
This is not a vulnerability in the agent; it is a configuration setting that can be changed so that both cookies are marked Secure.
- From the IIS Manager on the Web Agent machine, in the Connections pane, double-click server_name, and click Sites-> Default Web Site.
- In the Default Web Site Home pane, double-click RSA SecurID.
- Enable the option Require Secure Connection to Access Protected Pages.
- Restart IIS or run an iisreset.
- Authenticate again.
After these steps, both cookies are marked as Secure.
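To verify the change without inspecting the cookies by hand in the browser, the following Python script (an added example, not part of this article or of the RSA agent) parses the Set-Cookie headers of a response and lists any agent cookie that lacks the Secure attribute. The cookie names rsa-csrf and rsa-local come from this article; the sample headers are constructed, and the script name, the URL argument and the User-Agent string are assumptions.

```python
"""Check whether the RSA Web Agent cookies carry the Secure attribute.

Added example, not part of the RSA article. It parses Set-Cookie headers and
reports any agent cookie (rsa-csrf, rsa-local) that lacks the Secure flag.
The sample headers below are constructed to mirror the before/after states
described in the article; the optional live check fetches a URL you supply.
"""
import sys
import urllib.error
import urllib.request

# Cookie names taken from the article; any other cookie is ignored.
AGENT_COOKIES = ("rsa-csrf", "rsa-local")

# Constructed sample headers (not captured from a real agent).
BEFORE_FIX = [
    "rsa-csrf=0123456789abcdef; Path=/",
    "rsa-local=fedcba9876543210; Path=/",
    "ASP.NET_SessionId=xyz; Path=/; HttpOnly",  # unrelated cookie, constructed
]
AFTER_FIX = [
    "rsa-csrf=0123456789abcdef; Path=/; Secure",
    "rsa-local=fedcba9876543210; Path=/; Secure",
    "ASP.NET_SessionId=xyz; Path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value or True}).

    Attribute names are lower-cased because browsers treat them
    case-insensitively ('Secure', 'secure' and 'SECURE' are all honoured).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def find_insecure_cookies(set_cookie_headers, names=AGENT_COOKIES):
    """Return the agent cookie names that are missing the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in names and "secure" not in attrs:
            missing.append(name)
    return missing


def fetch_set_cookie_headers(url):
    """Fetch `url` and return its Set-Cookie headers (also on 4xx/5xx)."""
    request = urllib.request.Request(
        url, headers={"User-Agent": "cookie-flag-check"}  # assumed UA string
    )
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        # The agent may answer with a non-2xx status and still set cookies.
        return err.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_agent_cookies.py https://webagent.example/...
        headers = fetch_set_cookie_headers(sys.argv[1])
    else:
        headers = BEFORE_FIX  # offline demonstration of the "before" state
    insecure = find_insecure_cookies(headers)
    if insecure:
        print("Missing Secure attribute:", ", ".join(insecure))
        sys.exit(1)
    print("All agent cookies are marked Secure")
```

Run it with the login page URL as the first argument to check a live agent before and after the configuration change; with no argument it evaluates the constructed "before" headers and exits non-zero. Because rsa-local is only set after a successful authentication, a request to the login page only exercises rsa-csrf; the rsa-local header has to be taken from the post-authentication response.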