By Cameron Sturdevant  |  Posted 2004-10-18 Print this article Print

For some time, RSA Security Inc. has had two-factor authentication that works with Windows. Now, SecurID for Windows, a new offering, fully integrates with Microsoft Corp.s Active Directory and enables domain-level access management along with new offline capabilities.

IT managers who already use RSAs SecurID for VPN, Unix/Linux or Web servers should consider using SecurID for Windows in areas where strong authentication and reliable audit logs are needed.

SecurID for Windows started shipping earlier this month. Pricing for two-factor authentication systems varies widely based on the number of users. For example, SecurID for Windows for 1,000 users is priced at $107 per user and includes 1,000 RSA SecurID tokens, an RSA Authentication Manager license for 1,000 users and one year of maintenance. Current RSA customers with active support contracts can upgrade at no added cost until March.

Using the least expensive hardware tokens, CryptoCard Corp.s Crypto-Server 6.1 costs roughly $75 per user for 1,000 users.

Click here to read Labs review of Crypto-Server 6.1. The biggest cost differentiator is the tokens that users carry. RSAs token is a sealed unit that is purchased based on guaranteed operation for two to five years. In contrast, CryptoCards token has a user-serviceable battery. Tokens from competitor Aladdin Knowledge Systems Ltd. use a USB (Universal Serial Bus) device and need no battery. Since our experience is that users are notoriously bad at hanging on to hardware tokens, we think IT managers using any token system should plan to have plenty of replacements on hand.

Testing at eWEEK Labs showed that IT managers should need only a couple of hours to get SecurID for Windows up and running. We advise working closely with RSA service staff to create access policies that work for the organization. One policy decision that merits careful consideration is how long users should be able to work offline—if at all.

We used the work-offline capability on a laptop that was disconnected from Authentication Manager (which longtime RSA users know as ACE/ Server.) Previous RSA support for Windows required that the computer be connected to the server. During tests, we easily generated files that stored a one-way hash of the product of the RSA-generated passcode. The seed, the value that was used to create the code, is not stored on the local machine. This is stored on Authentication Manager and in the token codes. This let us authenticate using our token while away from the network.

The trade-off for the capability to work offline is that hash file contents are time-limited. SecureID for Windows creates a separate file for every day. We set up our work-offline feature to function for 14 days at a stretch.

The downside of the current implementation of the work-offline feature is that it applies to all users without exception. We hope that RSA in the future provides a facility for IT managers to create groups of users who can have work-offline settings, adjusted independently.

SecurID for Windows is designed to protect network-connected data assets, although it will also protect access to the local desktop or laptop Windows systems. In tests, SecurID for Windows did a fine job of this, especially when we forgot our PIN or misplaced our token.

Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel