RSA SecurID Access Authenticator Implementation Guide
Partner: Intel Security (McAfee Drive Encryption)
Daniel R. Pintal, RSA Partner Engineering
Last Modified: December 12, 2016
Solution Summary

Intel Security/McAfee Drive Encryption and the RSA SID800 smart card combine seamlessly to provide end users with a single form factor for enterprise two-factor authentication. Users can store the keys necessary to unlock the encrypted data on their hard drive on the same device used to provide RSA SecurID authentication throughout the enterprise.

Partner Integration Overview

Interoperable through RSA Authentication Client:   No
Pre-Boot Authentication:                           Yes
If Pre-Boot, which tokens are supported?           SID800 Rev Dx
Product Configuration for Interoperability

Interoperability between the RSA Authenticators and Intel Security/McAfee Drive Encryption requires the installation of Intel Security/McAfee Drive Encryption.

Before You Begin

This section provides instructions for integrating RSA Authenticators with Intel Security/McAfee Drive Encryption. The document is not intended to suggest optimum installations or configurations. It is assumed that the reader has a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Configuration

There are two methods of RSA SID800 integration available for use with Intel Security/McAfee Drive Encryption.

RSA PKI smart card

PKI smart card authentication requires a Certificate Authority integrated with a Microsoft Windows Domain. The Certificate Authority issues the PKI certificate to a Windows Domain user. The private key is stored on the RSA SID800 smart card and associated with the Windows Domain user. Authentication with a PKI smart card requires the following actions:
1. Enable LDAP Synchronization for the Domain (required).
2. Associate a Drive Encryption user with a computer (required).
3. Create a policy and policy assignment rule for PKI Authentication.
4. Enable UBP Enforcement (required).

RSA Stored Value Token

A stored value is written to the RSA SID800 smart card by the Intel Security/McAfee pre-boot environment. Authentication with a Stored Value Token requires the following actions:
1. Enable LDAP Synchronization for the Domain (not required for users not managed by a Windows Domain).
2. Associate a Drive Encryption user with a computer (required).
3. Create a policy and policy assignment rule for Stored Value Authentication.
4. Enable UBP Enforcement (required).

Important: If you require both PKI and Stored Value authentication types within your environment, you must create separate policies.
Enable LDAP Synchronization for the Domain

1. Select Menu > Server Tasks to create an LDAP synchronization task.
2. Select the button at the bottom of the page.
3. Name the task and select Next.
4. Select LDAPSync: Sync across users from LDAP within the Actions drop-down list, set your LDAP Server, then select Next.
5. Set the frequency of the LDAP synchronization server task as needed, then select Next.
6. Complete the creation of the task by selecting Save.
7. Click the Run link under the Actions column to verify LDAP synchronization.
8. The task must complete successfully to continue.
Associate a Drive Encryption User with a Computer

1. Associate a user with a computer by selecting Menu > Data Protection > Encryption Users.
2. Select the system to associate the user with, then click Actions > Drive Encryption > Add User(s).
3. Select the button to associate the user with the computer.
4. Search for the user to associate, select the checkbox next to the user's name, and click OK.
5. Click OK once you have selected the user.
Create Policy and Policy Assignment Rule for PKI Authentication

1. Create a PKI policy by selecting Menu > Policy > Policy Catalog.
2. Select the Duplicate action for the McAfee Default User Based Policies catalog entry.
3. Set the Policy Name of the User Based policy, then click OK.
4. Open the new policy by clicking RSA SID800 PKI Policy.
5. Select RSA PKI Smart Card from the Token Type list.
6. Select Save.
7. Create a PKI policy assignment to enable PKI authentication with the SID800 smart card. Select Menu > Policy Assignment Rules.
8. Create a new policy assignment rule by selecting New Assignment Rule.
9. Enter the name for the assignment rule, set the Rule Type to User Based, then select Next.
10. Select Add Policy.
11. Select the product from the Product list, User Based Policies from the Category list, and RSA SID800 PKI Policy from the Policy list, then select Next.
12. Select User from the User Criteria to associate a user with the PKI smart card rule.
13. Select Container and children from the Preset drop-down list.
14. Select the user, then select OK.
15. Select Next.
16. Select Save.
Create Policy and Policy Assignment Rule for Stored Value Authentication

1. Create a Stored Value policy by selecting Menu > Policy > Policy Catalog.
2. Select the Duplicate action for the McAfee Default User Based Policies catalog entry.
3. Set the Policy Name of the User Based policy.
4. Open the new policy by clicking RSA SID800 Stored Value Policy.
5. Select RSA Stored Value Smart Card from the Token Type list.
6. Select Save.
7. Create a Stored Value smart card policy assignment to enable Stored Value authentication with the SID800 smart card. Select Menu > Policy Assignment Rules.
8. Create a new policy assignment rule by selecting New Assignment Rule.
9. Enter the name for the assignment rule, set the Rule Type to User Based, then select Next.
10. Select Add Policy.
11. Select the product from the Product list, User Based Policies from the Category list, and RSA SID800 Stored Value Policy from the Policy list, then select Next.
12. Select User from the User Criteria to associate a user with the Stored Value smart card rule.
13. Select Container and children from the Preset drop-down list.
14. Select the user, then select OK.
15. Select Next.
16. Select Save.
Client Synchronization

1. To complete setup of smart card authentication with the SID800, the client computer needs to be updated by synchronizing with the ePO server. A synchronization pushes the recently created policies associated with that user, and their token data, to the client computer.
2. A synchronization can be forced from ePO using an Agent Wake-Up call, forced from the client using the Intel Security/McAfee Agent user interface, or left to occur at the next ASCI + Policy Enforcement interval.
3. To verify the status of Drive Encryption on the user's workstation, open Intel Security/McAfee Drive Encryption System Status by right-clicking the Intel Security/McAfee tray icon.
4. Select Quick Settings > Show Drive Encryption Status.
5. Select Close and restart the system if Drive Encryption is complete.

Important: Before restarting the system, ensure that encryption is completed. Once encryption is completed, the user will be able to perform pre-boot authentication with the assigned SID800 token. Rebooting the system prior to the completion of encryption will require the user to log in using a password or perform an Intel Security/McAfee Drive Encryption Recovery.

Restart the System and Authenticate

1. When the system is restarted, the Drive Encryption pre-boot screen is displayed. At this stage the user is prompted to authenticate. Ensure that the token is inserted either before booting the system or before attempting to authenticate.
2. Enter the username and click Next.
3. The user is prompted for the PIN; enter the smart card PIN and click OK.
4. If the client is configured as a PKI smart card user, the client is authenticated.
5. If the client is configured as a Stored Value token user, the user is prompted to enter the McAfee ePO default password and then the smart card PIN. The smart card is then initialized with the stored value and the client computer boots Windows.

Important: The RSA SID800 smart card is now ready for use and is successfully assigned to the user.
Certification Checklist for 3rd Party Applications

Date Tested: December 12, 2016

Product Tested                                Version      Operating System
Intel Security/McAfee ePolicy Orchestrator    5.1          Windows 2008 R2
Intel Security/McAfee Drive Encryption        7.1.3.604    Windows 10
RSA Authentication Client                     3.6          Windows 10
RSA SecurID 800                               Rev Dx       Windows 10

Test Cases (RSA SecurID 800)        Symmetric Keys    Asymmetric Keys
Preboot Authentication
Disk/File Encryption                N/A               N/A
1024 Certificate                    N/A
2048 Certificate                    N/A
Write Key/Certificate
Delete Key/Certificate
Token Management (RAC API)
  Modify Token PIN
  Verify Token PIN                  N/A               N/A
  Initialize Token                  N/A               N/A

DRP
Legend: (mark) = Pass, (mark) = Fail, N/A = Non-Available Function. Cells left blank carried a pass/fail mark glyph in the original table.