I’m
deploying RSA SecureID solution only for administrative access. However in my network
we have got some Windows Terminal Servers which allow access to SCADA systems
from terminals not connected to domain (Terminals have saved network
credentials which allow them to connect to SCADA applications without user
interaction). I want to allow terminals to connect to RDP without login, but
administrators which belong to RSA_Required group should login with RSA
SecureID login.
Hello Marek,
Kindly be advised that the normal behavior when we challenge users from the RSA control center, the challenged users will be prompted for SecurID authentication and the non-challenged users will be able to authenticate with their Windows credentials only.
So kindly check and advise us back if there is any assistance needed from our side.
Best Regards,
Hello Hussein
I opened support request with this case and I get this same answer.
However I think that this will be nice product functionality if it can allow similar situation.
Now I can’t use RSA login for administrators on some RDP Production Servers.
Thanks for information and have a nice day
Pozdrawiam/Best Regards
Marek Kulczyk
Specjalista administrator systemów i baz danych
SWISS KRONO
Kronopol sp. z o.o.
ul. Serbska 56, 68-200 Żary, Poland
Tel.: +48 683631499
Kom.: +48 607331212
E-mail: m.kulczyk@kronopol.pl<mailto:m.kulczyk@kronopol.pl>
www: www.kronopol.pl<%20www.kronopol.pl%20>
Sąd Rejonowy w Zielonej Górze
Wydział VIII Gospodarczy Krajowego Rejestru Sądowego
65-364 Zielona Góra ul. Kożuchowska 8
nr KRS 0000052023, NIP 928-00-12-700, REGON 970327738
Kapitał zakładowy spółki 60 000 000,00 zł
Marek,
As Hussein indicated, when you protect a resource with a SecurID Authentication Manager agent, The RSA agent changes the Logon Credential Prompt to show the RSA Logo and ask for Passcode for everyone. Some of our older version agents allowed you to edit this display so say Password instead of Passcode, but again for everyone. I believe Engineering thought it best security practice to present as little information as possible to this logon screen, so as not to help hackers.
In order to have a dynamic prompt, the agent would need to ask for the UserID separately first, in order to evaluate if they user was to be Challenged for a PassCode, or not Challenged for just a Password. But if the agent did this, it would provide verification to a hacker that an account UserID existed and which accounts were challenged and which were not.
So While RSA has the option to Request for an Enhancement, RFE, to ask for new functionality, I do not think Engineering would want to provide this because of Security Concerns. However, if you as a customer were will to accept the risk of having this type of agent, it might be worth opening an RFE for this functionality, not by default but as something an Administrator could configure.
Hope this explanation helps. Also I believe there is an option to include your own company Logo instead of RSA. Regards,
Hello Marek,
Kindly be advised that the normal behavior when we challenge users from the RSA control center, the challenged users will be prompted for SecurID authentication and the non-challenged users will be able to authenticate with their Windows credentials only.
So kindly check and advise us back if there is any assistance needed from our side.
Best Regards,