SecurID IIS Agent cookies rsa-csrf and rsa-local are not marked as Secure
4 years ago
Originally Published: 2021-09-16
Article Number
000044247
Applies To
Product Set: SecurID
Product/Service Type: Authentication Agent for Web: IIS
Version/Condition: 8.0.x
 
Issue
After successful installation of the IIS Authentication Agent on an IIS Server, It's seen on the RSA Agent Login Page that the rsa-csrf cookie is not marked as secure, and after the successful authentication we will see also the rsa-csrf in addition to the rsa-local cookies both not marked as secure:

User-added image

User-added image

This is seen as a security risk because this means that the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack (unlikely since HSTS is enabled). 
Resolution
This is not a vulnerability, it is just some configurations that can be changed to mark these two cookies as Secure.
  1. From the IIS Manager on the Web Agent machine, in the Connections pane, double-click server_name, and click Sites-> Default Web Site.
  2. In the Default Web Site Home pane, double-click RSA SecurID.
  3. Enable below option: Require Secure Connection to Access Protected Pages.
User-added image
  1. Restart IIS or run an iisreset.
  2. Do the Authentication.
The above steps will mark both cookies as Secure:

User-added image

User-added image
 

Related Articles

Trending Articles

Don't see what you're looking for?