Web Console FIPS Compliance Configuration (US9525)
By default, both Windows and SQL authentication requirements must be met for users to log in to the Web Console. To satisfy the FIPS compliance requirement, however, the Web Console needs to be reconfigured so that Windows authentication is the only form of authentication allowed.
To run the Web Console in FIPS compliance mode, you must first create Web Console domain users. Once users become domain users, they need to update the default.json and LogRhythm.Web.Services.ServicesHost.exe.config files on their Windows devices.
To add a domain user
In the SQL Server Management Studio, execute the following script against all LogRhythm databases except for CMDB:
EXEC sp_addrolemember N'LogRhythmGlobalWebUI', N'DOMAIN\firstname.lastname'
In the Object Explorer panel of the SQL Server Management Studio, expand the CMDB folder and then do the following:
- Expand the Security folder.
- Right-click the Users folder and select New User.
- In the User name field, enter the user name.
- For the Login name, click the corresponding ellipsis button. The Select Login dialog box displays.
- Click Browse.
- Scroll as needed to locate the user name (domain\firstname.lastname).
- Click the corresponding check box for the user name, then click OK.
- In the Select Login dialog box, click OK.
- In the Database User - New dialog box, click the ellipsis button to the right of the Default schema field. The Browse for Objects dialog box displays.
- Click the check box for [dbo], then click OK.
- In the Select Schema dialog box, click OK.
- In the Database role membership scroll box, click the check box for LogRhythmGlobalWebUI.
- Click OK to complete the process of adding a domain user.
After users are designated as domain users, they need to make the following configuration changes to their Windows devices.
- From the Start menu, click Services.
- In the Services dialog box, right-click LogRhythmServices Host and select Properties, then click the Log On tab.
- Click the radio button for This Account.
- Enter your domain user credentials, then click OK.
- Using Windows Explorer, go to the LogRhythm.Web.Services.ServicesHost.exe.config file on your C drive (Program Files > LogRhythm > LogRhythm Web Console > Service) and open it in a text editor, then modify the value of the ApplicationAccountType key so that it reads as follows:
  <add key="ApplicationAccountType" value="WindowsAccountType" />
- Save and close the LogRhythm.Web.Services.ServicesHost.exe.config file.
- Go to the default.json file (Program Files > LogRhythm Web Console > config) and open it in a text editor, then add the following parameter:
  "restrictToWindowsAuth": true,
- Delete the value for CaseUsername and leave it blank, so that the entry reads:
  "CaseUsername": "",
- Save and close the default.json file.
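As an added example (not LogRhythm's own tooling), the following Python check reads the two edited files and reports any setting that does not match the values above, which is a useful post-change verification before relying on Windows-only authentication. It assumes the ApplicationAccountType entry is an `<add key="..." value="..."/>` element (the page shows the element but not its parent section) and that default.json parses as standard JSON; the file contents below are constructed samples.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample contents standing in for the two files edited above
# (assumed layout, not copied from a real LogRhythm installation).
SAMPLE_EXE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ApplicationAccountType" value="WindowsAccountType" />
  </appSettings>
</configuration>
"""
SAMPLE_DEFAULT_JSON = """{
  "restrictToWindowsAuth": true,
  "CaseUsername": ""
}
"""


def check_exe_config(xml_text):
    """Findings for LogRhythm.Web.Services.ServicesHost.exe.config: scans every
    <add key=... value=.../> element regardless of its parent section."""
    findings = []
    root = ET.fromstring(xml_text)
    settings = {e.get("key"): e.get("value") for e in root.iter("add") if e.get("key")}
    account_type = settings.get("ApplicationAccountType")
    if account_type != "WindowsAccountType":
        findings.append(f"ApplicationAccountType is {account_type!r}; expected 'WindowsAccountType'")
    return findings


def check_default_json(json_text):
    """Findings for default.json: the flag must be the JSON boolean true (the
    string "true" is a common mistake) and CaseUsername must be an empty string."""
    findings = []
    cfg = json.loads(json_text)
    if cfg.get("restrictToWindowsAuth") is not True:
        findings.append("restrictToWindowsAuth is missing or not the boolean true")
    if cfg.get("CaseUsername") != "":
        findings.append(f"CaseUsername is {cfg.get('CaseUsername')!r}; expected an empty string")
    return findings


def fips_findings(xml_text, json_text):
    """Run both checks; an empty list means the Windows-only settings are in place."""
    return check_exe_config(xml_text) + check_default_json(json_text)
```

Point the two functions at the real files with `open(path).read()` after making the changes; any non-empty result lists exactly which setting still allows the old behaviour.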