Sec/User Mgmt: Step 2: Change the Default admin Passwords

Document created by RSA Information Design and Development on Jul 28, 2016
Version 1

The system administrator's user account is installed with Security Analytics. The username is admin and the default password is netwitness. The Administrators role is assigned to admin. This role has full system privileges to control what a user can do and which services a user can access. The only modification you can make to this account is to change the password. Unlike other Security Analytics users, changes to the admin user password do not automatically propagate to downstream services. When you configure the password strength settings, they apply to all Security Analytics users, including the admin user.

Passwords, an important aspect of computer security, are the front line of protection for your system. The admin user is pre-installed in Security Analytics and on each Security Analytics Core service. For security, you create the Users and Roles for your organization in Security Analytics, and on each Security Analytics Core service.

Best Practices

RSA recommends the following best practices:

  • Change the admin password of each service from the default.
  • Create a different password for the admin account on each service.

Change the admin Password for the Security Analytics Service

Change the admin password for the Security Analytics service in the Profile view. See Change Your Password in Getting Started with Security Analytics. The password of the admin user does not propagate to Core services.

Note: After you change the admin password, you must remove and re-add a Data Source on the Reporting Engine. For more information, see below.

Change the admin Password for Security Analytics Core Services

To change the admin password for a Core service:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service, and then select the Actions menu icon > View > Security.
  3. On the Users tab, select the admin user.
  4. In the Password field, type a new admin password for the selected service.
  5. In the Confirm Password field, retype the new password.
  6. Click Apply.

Note: After you change the admin password, you must remove and re-add a Data Source on the Concentrator, Broker, Event Stream Analysis (ESA) and Reporting Engine.

Remove and Re-add a Data Source

The Concentrator, Broker, ESA and Reporting Engine validate a Data Source using the Data Source username and password. If you change the username or password of a Data Source, you must remove and re-add the Data Source.

To remove and re-add a data source on the Concentrator:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select Concentrator, and then select the Actions menu icon > View > Config.
  3. In the General tab, select a service to remove and click the Delete icon.
  4. Click the Add icon and select Available Services.
  5. Select the service you removed in step 3 and click OK.
  6. When prompted, enter the new username and password for the service.

To remove and re-add a data source on the Broker:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select Broker, and then select the Actions menu icon > View > Config.
  3. In the General tab, select a service to remove and click the Delete icon.
  4. Click the Add icon and select Available Services.
  5. Select the service you removed in step 3 and click OK.
  6. When prompted, enter the new username and password for the service.

To remove and re-add a data source on the ESA:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select ESA, and then select the Actions menu icon > View > Config.
  3. In the Data Source tab, select a service to remove and click the Delete icon.
  4. Click the Add icon and select Available Services.
  5. Select the service you removed in step 3 and click OK.
  6. When prompted, enter the new username and password for the service.

To remove and re-add a data source on the Reporting Engine:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select Reporting Engine, and then select the Actions menu icon > View > Config.
  3. Click the Sources tab.
  4. Select a service to remove and click the Delete icon.
  5. Click the Add icon and select Available Services.
  6. Select the service you removed in step 4 and click OK.
  7. When prompted, enter the new username and password for the service.
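
The two best practices and the Data Source follow-up can be planned together before any password is changed in the UI. The Python below is an added example, not RSA code: it generates a distinct random admin password per Core service, lists every consumer whose Data Source must then be removed and re-added, and audits a credential record for the default or a shared password. The service names, the consumer-to-source map and the character policy are constructed assumptions.

```python
import secrets
import string

DEFAULT_ADMIN_PASSWORD = "netwitness"  # default stated on this page
ALPHABET = string.ascii_letters + string.digits + "!#%+-_=@"  # assumed policy

def new_password(length=24):
    """Random password with lower, upper, digit and symbol characters."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(f(c) for c in pw) for f in classes):
            return pw

def plan_rotation(services, data_sources):
    """Return (passwords, follow_ups); data_sources maps consumer -> sources."""
    passwords, used = {}, {DEFAULT_ADMIN_PASSWORD}
    for svc in services:
        pw = new_password()
        while pw in used:  # never the default, never reused across services
            pw = new_password()
        used.add(pw)
        passwords[svc] = pw
    # Every consumer that authenticates to a changed service needs a re-add.
    follow_ups = sorted((consumer, svc) for consumer, sources
                        in data_sources.items() for svc in sources
                        if svc in passwords)
    return passwords, follow_ups

def audit(passwords):
    """Flag services still on the default or sharing a password."""
    findings, seen = [], {}
    for svc, pw in sorted(passwords.items()):
        if pw == DEFAULT_ADMIN_PASSWORD:
            findings.append((svc, "default password"))
        if pw in seen:
            findings.append((svc, "same password as " + seen[pw]))
        seen.setdefault(pw, svc)
    return findings

# Constructed inventory (hypothetical names, not taken from the page).
SERVICES = ["decoder-1", "concentrator-1", "broker-1"]
DATA_SOURCES = {
    "Concentrator concentrator-1": ["decoder-1"],
    "Broker broker-1": ["concentrator-1"],
    "ESA esa-1": ["concentrator-1"],
    "Reporting Engine": ["broker-1", "concentrator-1"],
}

if __name__ == "__main__":
    for consumer, svc in plan_rotation(SERVICES, DATA_SOURCES)[1]:
        print(f"{consumer}: remove and re-add Data Source {svc}")
```

The script prints only the follow-up checklist; the generated passwords stay in the returned dictionary so they can be written to a credential vault rather than to a terminal or log.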

Change the admin Password for a Service Using the REST API

In rare circumstances, you may need to change the admin password for a Core service outside of the Security Analytics user interface. This is simply another way to perform the Security Analytics Core password change, and is not the preferred method.

To change the admin password for the service using the REST User Interface:

  1. Open a web browser, and go to the following URL:
    <hostname>:<port>
    where the hostname is the name of a Security Analytics Core service and port is the port used for REST communication. Here is an example for a Security Analytics Decoder: http://10.20.30.40:50104
    The authentication dialog is displayed.
  2. In the dialog, enter the user name and password used for authentication as admin on the service, and click OK. The default user name is admin and the default password is netwitness.
    The REST window for the service is displayed.
  3. Navigate through the node structure to users/accounts/admin/config.
    The user configuration fields for admin are displayed in the browser window.
  4. In the Password field, type a new admin password and click Set.