September 6, 1999
Reviews
Security Dynamics Outshines Field
Top-notch performance and an outstanding feature set put Security Dynamics' Ace/Server at the top. But the other products we tested sparkle in certain situations. By Timothy M. O'Shea
Security Dynamics Ace/Server 3.3.1 with SecurID
For many, the name Security Dynamics is synonymous with strong user-authentication solutions. Ace/Server version 3.3.1 with SecurID scored highest in our tests, and it is easy to understand how the company gained its reputation.
However, installation and configuration of Ace/Server took more time than we initially thought it would. An eager administrator could take the quick start documentation and jump headfirst into a misinstalled or non-functioning server. Although the quick start guide is great at interpreting large sections of the user manual, Ace/Server has a few "gotchas" that will frustrate those who rush through the implementation process. At certain points during installation and configuration, we found ourselves diving quickly into the depths of Ace/Server's comprehensive configuration. You will want to have your manuals handy, the additional PDF files printed and your packaged CDs and disks close at hand, as Ace/Server requires several disk reads (for licensing and token import).
Ace/Server offers user, group, realm, site and profile configurations. Ace/Server provided the greatest tiered user-configuration and security scheme among the products we tested. Although the sheer number of rule-set combinations here can be overwhelming, there is little you can't define and specify for your user base.
Security Dynamics sent us a nicely packaged box of 10 key-fob tokens for our tests. These "batches" are configured at the factory, and a disk with the token import data allows easy activation and integration of any number of new tokens--this is a real time-saver if you are planning a large rollout. In addition to the key fob, Security Dynamics also has two credit-card-sized tokens, a SoftID software-based token, an applet token and token software for the PalmPilot personal digital assistant.
Installation of Ace/Agent, the client end of Ace/Server, was a snap. However, to let the client work with the server, a configuration file must be copied from the server and dropped into the \SYSTEM32 directory for each client. On our Windows NT workstation the client interfaced well with the existing desktop security, providing administrative access to the client via a control panel available only to the administrator.
The Ace/Agent administrative client for Ace/Server is the most robust and developed administrative client piece we tested. There is little this client won't do; it provides authentication for the local desktop, Microsoft Internet Information Server (IIS) Web services, network resources and remote authentication. We also found the ability to not challenge certain user groups convenient: A client can be configured to allow administrator-defined access.
We chose the client's interactive authentication test before jumping into normal authentication. This authentication mode allows a user to bypass the challenge if necessary. This can be a lifesaver: If you neglect to disable challenges for administrators and fail to test authentication, you may find yourself locked out of access to your clients. We found ourselves locked out after our first successful authentication. When we configured the server end, we configured our user account to "select own PIN." At the first client authentication we entered a token code and were prompted to select and verify a PIN. However, on our next attempt we couldn't get through. After checking network connections and client configuration we checked the server. Bringing up the user account we found that we had been locked out by Ace/Server's "Evasion-of-Attack" security after three unsuccessful passcodes.
The root of those first three failures was our misunderstanding of SecurID's PIN/passcode scheme. Where other tokens allow you to key in your PIN, the SecurID key fob lacks any input method. You are required to enter your authentication code in the form PIN+TOKEN_CODE. We overlooked this in the documentation. You can bet your users will too, especially if they get that initial prompt to configure their PIN.
It is also important to note that SecurID uses a patented time-synchronization scheme to ensure that the token's code matches that of the server. You'll need to keep your server clock accurate or your tokens will not authenticate. This is a necessary evil as the encryption algorithms count on time being in sync on the token and the server so the right passcodes are being calculated. Fortunately, an administrator can resynchronize an errant token through the user manager.
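To make the PIN+TOKEN_CODE format, the clock-drift tolerance, the three-strike lockout and the administrator resync concrete, here is an added toy model of such a server. It is not Security Dynamics' code: SecurID's actual token algorithm is proprietary, so an HMAC over a time counter stands in for it, and the seed, PIN, step length, drift window and class names are all assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not real SecurID data.
TOKEN_SEED = b"demo-seed-token-0001"
USER_PIN = "4321"
STEP_SECONDS = 60   # the token shows a new code once per time step
DRIFT_STEPS = 1     # server tolerates +/- one step of clock skew
MAX_FAILURES = 3    # lock the account after three bad passcodes


def token_code(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Stand-in time-synchronised code: 6 digits from HMAC(seed, time window)."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class AceLikeServer:
    """Toy server: validates PIN+TOKEN_CODE, tolerates drift, locks out, resyncs."""

    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin = seed, pin
        self.failures, self.locked = 0, False
        self.offset_steps = 0  # token clock offset learned by an admin resync

    def authenticate(self, passcode: str, now: int) -> bool:
        if self.locked:
            return False
        # The fob has no keypad, so the user types the PIN followed by the code.
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if pin == self.pin:
            for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
                t = now + (self.offset_steps + d) * STEP_SECONDS
                if hmac.compare_digest(code.encode(), token_code(self.seed, t).encode()):
                    self.failures = 0
                    return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # the "Evasion-of-Attack" style lockout
        return False

    def resync(self, observed_code: str, now: int, search_steps: int = 10) -> bool:
        """Admin resync: learn the token's clock offset from a code it shows now."""
        for d in range(-search_steps, search_steps + 1):
            if token_code(self.seed, now + d * STEP_SECONDS) == observed_code:
                self.offset_steps = d
                self.failures, self.locked = 0, False
                return True
        return False
```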
Security Dynamics combines a well-developed server that is easy to manage with a flexible client. There is more power in this package than many smaller shops need, but as your needs grow, Ace/Server will scale. Large, multiplatform organizations will recognize benefits at once. With a little work, you'll find that the Ace/Server-SecurID combination does it all.
Ace/Server with SecurID starts at $4,000; hardware tokens start at $62 per user. Security Dynamics, (800) SECURID, (781) 301-5300, www.securitydynamics.com