As a QRadar® administrator, is there guidance for configuring external authentication such as LDAP?
Considerations for local fallback
Example 3: Bob leaves the default QRadar admin user account enabled after setting up LDAP, and uses local authentication fallback to access that account, because there is no LDAP user called admin. Mallory has an LDAP user called admin that was created by the domain administrator, but Mallory is not supposed to have access to QRadar. Mallory is able to use the LDAP credentials for the admin user to access QRadar.
Deployment Best Practice
- Disable the default ‘admin’ account, unless a matching account exists in the external authentication provider.
- Ensure all QRadar accounts match an existing account in the external authentication provider.
- Remember to disable local fallback or the QRadar user account when you revoke access.
- For more information about external authentication guidelines in QRadar, see: External authentication guidelines (https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/c_qradar_adm_auth_ovrvw.html).
- For more information about security configuration options, see: Hardening QRadar appliances.
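
An added example, not IBM code: a Python audit that compares an export of QRadar accounts with an export of directory accounts and flags the Example 3 name collision along with the two other conditions the best practices above warn about. The record fields, the `owner_mail` attribute used to decide who is approved for an account, the case-insensitive name matching, and the sample data are all assumptions made for illustration.

```python
# Added example. Field names are hypothetical (not a QRadar or LDAP schema); sample data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class QRadarUser:
    name: str
    enabled: bool
    local_fallback: bool
    owner_mail: str  # person approved to hold this QRadar account (assumed attribute)

@dataclass(frozen=True)
class DirectoryUser:
    name: str
    enabled: bool
    mail: str

def audit(qradar_users, directory_users):
    # Assumption: login names are matched case-insensitively.
    directory = {d.name.casefold(): d for d in directory_users}
    findings = set()
    for q in qradar_users:
        if not q.enabled:
            continue
        match = directory.get(q.name.casefold())
        if match is None:
            # Usable only through local fallback; the name can later be claimed in the directory.
            findings.add((q.name, "NO_DIRECTORY_MATCH"))
        elif match.mail.casefold() != q.owner_mail.casefold():
            # Example 3: the same-named directory account belongs to someone else.
            findings.add((q.name, "DIRECTORY_NAME_HELD_BY_OTHER"))
        elif not match.enabled and q.local_fallback:
            # Access revoked in the directory, but local fallback is still enabled.
            findings.add((q.name, "REVOKED_BUT_LOCAL_FALLBACK"))
    return sorted(findings)

QRADAR = [
    QRadarUser("admin", True, True, "bob@example.com"),
    QRadarUser("alice", True, False, "alice@example.com"),
    QRadarUser("carol", True, True, "carol@example.com"),
    QRadarUser("svc_report", True, True, "soc@example.com"),
    QRadarUser("dave", False, True, "dave@example.com"),
]
DIRECTORY = [
    DirectoryUser("Admin", True, "mallory@example.com"),
    DirectoryUser("alice", True, "alice@example.com"),
    DirectoryUser("carol", False, "carol@example.com"),
]

if __name__ == "__main__":
    print(audit(QRADAR, DIRECTORY))
```

Each finding corresponds to one of the first three best-practice items: disable or align the flagged account, or turn off its local fallback.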
12 November 2020