How to protect a Windows system with RSA SecurID 2FA, Part-1

Md. Mahim Bin Firoj
5 min read · May 11, 2024


In this blog post I will show how a Windows system can be protected with the RSA SecurID 2FA IAM solution. I am assuming that you already have a valid Authentication Manager license, either on-prem or cloud.

Let’s write down the key steps:

  1. We can either create users in Authentication Manager's internal database for token assignment, or integrate an identity source (Active Directory) so that we can assign tokens to AD users.
  2. Next we add the Windows machine as an authentication agent record in the AM (Authentication Manager). The machine's hostname must be resolvable by your internal DNS server.
  3. Then we generate the agent configuration file (sdconf.rec). This file contains the addresses of the primary and replica servers.
  4. Then we import the software or hardware tokens into the AM. This step and the AD integration in step 1 only need to be performed once. You also need to create a software token profile.
  5. Finally, assign the tokens to users and distribute them.

Let’s get into the details:

1. Adding identity source:

First, log in to the AM using the appropriate link and the OC credentials (OC means Operations Console). RSA has two consoles for configuration: the Security Console and the Operations Console. You integrate AD from the Operations Console.

Navigate to Deployment Configuration > Identity Sources > Manage Existing. You will then be asked for the Security Console super admin password. Provide that.

By default, there is one Identity Source called Internal Database (this is the internal Authentication Manager database).
Click Add New Identity Source. We will add the Cloud_Users and Accounting OUs to the AM.

Type should be Microsoft Active Directory.

You need to provide the credentials of a user that has enough permission to query AD and fetch user details, e.g. an AD administrator. Now click Test Connection. If it succeeds, click Next.

Provide user base and user group base DN (in your case it will be different).

Now, in the User ID section, if you choose samAccountName, users will be populated by their samAccountName. If you choose "Uses the same mapping as E-mail", users will be populated by their email address.

Now click save.

Following the same process, add Accounting OU as well. Here in User ID section, keep the setting as samAccountName.

[Screenshot: User ID mapped to email address]
[Screenshot: User ID mapped to samAccountName]
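Before adding an identity source it is worth checking, from a domain-joined machine, that the user and group base DNs exist and that every user under them actually has a value in the attribute you pick as User ID (a user with an empty mail attribute cannot be populated by email). The script below is an added example, not part of the original post or an RSA tool; it assumes the RSAT ActiveDirectory module is installed and the base DNs are placeholders for your own domain. It also suggests a least-privilege choice: the account used for Test Connection only needs read access, so a dedicated read-only service account works as well as an administrator.

```powershell
# Added example (not from the original post): pre-flight check of an AD
# identity source before adding it in the Operations Console.
# Assumptions: RSAT ActiveDirectory module present; DNs below are placeholders.
Import-Module ActiveDirectory

function Test-IdentitySourceBase {
    param(
        [Parameter(Mandatory)][string]$UserBaseDN,
        [Parameter(Mandatory)][string]$GroupBaseDN,
        # Must match the User ID mapping chosen in the AM wizard.
        [ValidateSet('samAccountName', 'mail')][string]$UserIdAttribute = 'samAccountName'
    )

    # 1. Both base DNs must exist; Test Connection only checks the bind,
    #    not the search bases, so a typo here shows up later as "no users".
    foreach ($dn in @($UserBaseDN, $GroupBaseDN)) {
        try {
            $null = Get-ADObject -Identity $dn -ErrorAction Stop
        } catch {
            throw "Base DN not found or not readable: $dn"
        }
    }

    # 2. Enumerate users under the user base with the attributes AM can use as User ID.
    $users = @(Get-ADUser -SearchBase $UserBaseDN -SearchScope Subtree -Filter * `
                -Properties mail, samAccountName)

    # Users with an empty User ID attribute will not be populated in AM.
    $missing = $users | Where-Object { [string]::IsNullOrWhiteSpace($_.$UserIdAttribute) }

    # Duplicate values (possible with mail) would make the User ID ambiguous.
    $dupes = $users | Where-Object { -not [string]::IsNullOrWhiteSpace($_.$UserIdAttribute) } |
             Group-Object -Property $UserIdAttribute | Where-Object { $_.Count -gt 1 }

    [pscustomobject]@{
        UserBaseDN        = $UserBaseDN
        GroupBaseDN       = $GroupBaseDN
        UserIdAttribute   = $UserIdAttribute
        TotalUsers        = $users.Count
        UsersMissingValue = @($missing | Select-Object -ExpandProperty SamAccountName)
        DuplicateValues   = @($dupes   | Select-Object -ExpandProperty Name)
    }
}

# Placeholder DNs: replace with the bases you will enter in the AM wizard.
Test-IdentitySourceBase -UserBaseDN  'OU=Cloud_Users,DC=example,DC=com' `
                        -GroupBaseDN 'OU=Groups,DC=example,DC=com' `
                        -UserIdAttribute 'mail' | Format-List
```

Run it once per identity source (Cloud_Users with `-UserIdAttribute 'mail'`, Accounting with the default samAccountName) and fix any users listed under UsersMissingValue or DuplicateValues before clicking Save; the ActiveDirectory cmdlets work with a plain domain user that has read access to the OUs.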

Now let's create an internal database user.

Navigate to Identity>Users>Add New

For the email address I gave user1@example.com because in our lab this mail address is configured in the mail client. You can give your user's email address.

Set the mobile number (optional, depending on the additional attribute configuration).

Now click Save.

User has been created successfully.

2. Add the authentication agent record.

We need to register the machine that we want to protect as a valid host in the AM.

We have already added a host A record for that machine in the local DNS server.

Click Save.

3. Now we will generate the agent configuration file.

Make sure the necessary ports between the agent machine and the primary and replica servers are allowed in your internal firewall.
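The agent record and sdconf.rec both depend on two things the post only mentions in passing: the agent host resolving correctly in internal DNS, and the primary/replica servers being reachable through the firewall. The script below is an added example, not part of the original post or RSA's software; the hostnames are placeholders for your lab, and the TCP port it probes (5580, agent auto-registration) is what I believe to be RSA's default and should be confirmed against the port list in the RSA documentation for your AM version. Note that the SecurID authentication traffic itself is UDP, which Test-NetConnection cannot probe, so that rule still has to be verified on the firewall.

```powershell
# Added example (not from the original post): verify DNS and reachability
# prerequisites for an RSA authentication agent before installing it.
# Assumptions: hostnames are placeholders; 5580/TCP is assumed to be the
# agent auto-registration port (confirm in RSA docs for your version).
function Test-AgentPrerequisites {
    param(
        [Parameter(Mandatory)][string]$AgentHost,      # FQDN used in the agent record
        [Parameter(Mandatory)][string[]]$AmServers,    # primary and replica FQDNs
        [int]$AutoRegistrationPort = 5580              # assumed TCP default
    )
    $results = [System.Collections.Generic.List[object]]::new()

    # Forward lookup: the agent record in AM uses this hostname and IP.
    $a = Resolve-DnsName -Name $AgentHost -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
    $results.Add([pscustomobject]@{
        Check = "A record for $AgentHost"; Ok = [bool]$a; Detail = $a.IPAddress })

    # Reverse lookup: the PTR should map back to the same name so that the
    # IP and hostname entered in the agent record agree with DNS.
    if ($a) {
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue |
               Select-Object -First 1
        $ptrOk = $ptr -and ($ptr.NameHost.TrimEnd('.') -ieq $AgentHost.TrimEnd('.'))
        $results.Add([pscustomobject]@{
            Check = "PTR for $($a.IPAddress)"; Ok = [bool]$ptrOk; Detail = $ptr.NameHost })
    }

    # Each AM server must resolve and accept a TCP connection on the
    # auto-registration port. UDP authentication traffic cannot be probed
    # this way; check that firewall rule separately.
    foreach ($srv in $AmServers) {
        $tcp = Test-NetConnection -ComputerName $srv -Port $AutoRegistrationPort `
                                  -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{
            Check  = "TCP $srv`:$AutoRegistrationPort"
            Ok     = [bool]$tcp.TcpTestSucceeded
            Detail = $tcp.RemoteAddress })
    }
    return $results
}

# Placeholder names for the lab; replace with your agent host and AM servers.
Test-AgentPrerequisites -AgentHost 'winagent1.example.com' `
                        -AmServers @('am-primary.example.com', 'am-replica.example.com') |
    Format-Table -AutoSize
```

Run this on the machine that will become the agent (winagent1 in this post). Any row with Ok = False is something to fix in DNS or on the firewall before moving the sdconf.rec file over and starting the installer, because the agent cannot reach the servers listed in that file otherwise.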

You need to copy this file to the winagent1 machine, because the Authentication Agent installer asks for it during installation.

Now download RSA Authentication Agent 7.4.6 (the latest version) from the RSA portal and copy it to the winagent1 machine. In our lab we will install an older version.

Browse the location where you extracted the file AM_Config.zip that contains sdconf.rec file.

Installation done.

We will continue the rest in Part-2.

If you find this helpful, please subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
