We are attempting to implement SecurID, but we are very confused.
For our 2008 R2 Active Directory environment, isn't there some way that I can simply instruct AD to *not* let a user log into the domain if they are assigned a key fob in RSA and they attempt to log in from a machine without an agent? We are more interested in protecting identities than "resources".
For example, if the VP of HR is assigned a key fob, she can't get logged into the domain unless she uses her AD credentials *and* her passcode, from a device with an RSA agent on it. If she attempts to log into a device without an RSA agent, she's denied and can't log in.
Seems simple enough to us, but we've been told over and over by RSA support "that's not how it works". If the device that's being logged onto doesn't have an RSA agent, then RSA is simply bypassed, and the user logs into the domain as if RSA had never been installed.
That seems ridiculous. That would mean all I need to do is somehow obtain the Windows creds of a domain admin at a large company, connect to their network with my own laptop that doesn't have an RSA agent on it, join it to the domain (I can do that now that I have the domain admin creds), and I have full access to the network. There; I just defeated the entire RSA organization.
Tell me it ain't so...
It may be simple enough, but without an agent RSA cannot step in front of the Windows or AD logon, so the place to do this is in AD in your domain, possibly with Windows or another product. You might look into Credential Providers, which you should be able to control in the Registry or with GPO, and display only certain Credential Providers for certain people, possibly displaying only something that won't work, e.g. Windows SmartCard, and not displaying Windows Password for people assigned a token (which implies said people are in an AD group). Since there is no RSA Credential Provider on a Windows platform without an RSA AM agent, these people cannot log on.
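The registry side of the approach in the answer above, as an added example that is not from the original answer or from RSA. It assumes the documented per-machine key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers`, where each provider is a subkey named by its CLSID whose default value is the provider name and where a `Disabled` DWORD of 1 hides that provider from the logon screen. The provider is located by its registered name (`PasswordProvider` for the built-in password tile) rather than a hardcoded CLSID, and the `*RSA*` name match used to detect the agent is an assumption to confirm against a machine that actually has the agent installed. Run it elevated, and try it first in a VM with a second working provider, because this flag applies to every account that logs on to the machine, not only to the token holders.

```powershell
# Added example (not from the original post). Inventories the credential providers
# registered on this machine and disables the built-in password provider when no
# RSA provider is present. Assumptions: the documented "Credential Providers" key
# and its per-provider "Disabled" DWORD; the '*RSA*' provider name substring.
# This setting is per machine: it hides the password tile for every user on the box.

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-CredentialProvider {
    # One object per registered provider: CLSID subkey name, default value (name), Disabled flag.
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Clsid    = $_.PSChildName
            Name     = $props.'(default)'
            Disabled = [bool]$props.Disabled
        }
    }
}

function Set-CredentialProviderDisabled {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [bool]$Disabled = $true
    )
    $targets = Get-CredentialProvider | Where-Object { $_.Name -eq $Name }
    if (-not $targets) {
        throw "No credential provider named '$Name' is registered on this machine."
    }
    # Safety check: never disable the last enabled provider, or nobody can log on interactively.
    $others = Get-CredentialProvider | Where-Object { (-not $_.Disabled) -and ($_.Name -ne $Name) }
    if ($Disabled -and -not $others) {
        throw "Refusing to disable '$Name': it is the only enabled credential provider."
    }
    foreach ($p in $targets) {
        Set-ItemProperty -Path (Join-Path $ProvidersKey $p.Clsid) -Name 'Disabled' `
                         -Value ([int]$Disabled) -Type DWord
        Write-Output ("{0} ({1}) Disabled={2}" -f $p.Name, $p.Clsid, [int]$Disabled)
    }
}

function Enforce-TokenOnlyLogon {
    # On a machine that has the RSA agent, its own provider handles the passcode prompt,
    # so the password tile is left alone. On a machine without it, hide the password tile.
    # The '*RSA*' match is an assumed name; verify with Get-CredentialProvider on an agent host.
    $rsa = Get-CredentialProvider | Where-Object { $_.Name -like '*RSA*' }
    if ($rsa) {
        Write-Output 'RSA credential provider present; leaving PasswordProvider enabled.'
        return
    }
    Set-CredentialProviderDisabled -Name 'PasswordProvider' -Disabled $true
}

# Show the current state before changing anything.
Get-CredentialProvider | Select-Object Name, Clsid, Disabled | Format-Table -AutoSize
```

Because the flag is read per machine, the "for certain people" part of the answer cannot come from this key alone: scope it by which machines the policy is applied to (the ones that do not have the agent and that token holders use), and keep at least one provider that those users can actually complete, e.g. smart card, or they are locked out along with everyone else on that machine. To push the same setting by GPO rather than a script, Windows also offers the Computer Configuration policy "Exclude credential providers" under System > Logon, which takes a list of provider CLSIDs; take the CLSID from the `Get-CredentialProvider` output above rather than from memory.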