We are attempting to implement SecurID, but we are very confused.
For our 2008 R2 Active Directory environment, isn't there some way that I can simply instruct AD to *not* let a user log into the domain if they are assigned a key fob in RSA and they attempt to log in from a machine without an agent? We are more interested in protecting identities than "resources".
For example, if the VP of HR is assigned a key fob, she can't get logged into the domain unless she uses her AD credentials *and* her passcode, from a device with an RSA agent on it. If she attempts to log into a device without an RSA agent, she's denied and can't log in.
Seems simple enough to us, but we've been told over and over by RSA support "that's not how it works". If the device that's being logged onto doesn't have an RSA agent, then RSA is simply bypassed, and the user logs into the domain as if RSA had never been installed.
That seems ridiculous. That would mean all I need to do is somehow obtain the Windows creds of a domain admin at a large company, connect to their network with my own laptop that doesn't have an RSA agent on it, join it to the domain (I can do that now that I have the domain admin creds), and I have full access to the network. There; I just defeated the entire RSA organization.
Tell me it ain't so...