Best practices to enhance the protection for your ADManager Plus installation

This article lists some of the best practices that you can use to ensure additional protection for your ADManager Plus installation. You can implement these recommendations immaterial of whether you choose to deploy the product on-premises or on the internet.

• Modify the permissions of ADManager Plus installation folder.
• Disable or restrict the Employee Search option.
• Change ADManager Plus' default admin password

Modify the permissions of ADManager Plus installation folder

Why should you do this?

By default, ADManager Plus will be installed in C:\ManageEngine folder. This will grant even non-admin users belonging to the Authenticated Users group, Full Control permission over the files in the bin directory.

It is designed this way so that any domain user can access the folder, and start or stop the product. But there are chances that this might allow any user of the Authenticated Users group, with a malicious intent, to tamper with the contents of the bin folder.

Removing Authenticated Users from ACL will not help, as this will allow only admin users to start ADManager Plus, as a service or application. Non-admin users will not be able to do this even if they are allowed to or when required, due to lack of privileges.

What can you do to address this?

You have to modify the permissions of the folder. This can be done in two ways:

1. Automatically, using SecureDeployment.exe
2. Manually modifying permissions

Click here for detailed information about this scenario, and the steps to modify the permissions of ADManager Plus installation folder.

Disabling or restricting the Employee Search option

Why should you do this?

The Employee Search, one of the popular features of ADManager Plus, is used as a Corporate Directory Search by many of our users. It is therefore enabled by default. Also, to use this search, a user doesn't have to log in to the product. However, there are chances that this search might be used by even unauthenticated users to look up other users and contacts in the organization, and view their personally identifiable information (PII).

What can you do to address this scenario?

Based on the specific needs of your organization, or for security reasons, you can:

1. Limit the scope of Employee Search to only specific domains, or OUs.
2. Specify the details of users or contacts that can be displayed in the search result.
3. Specify the attributes or details based on which users or contacts can be located.
4. Disable the Employee Search option completely.

Click here for the steps to customize or disable the Employee Search option.

Change the default admin password

Why should you do this?

If ADManager Plus' default admin password is not changed, there are chances that anyone who is aware of the default password might use it log in to the product, and perform malicious changes in your Active Directory (AD) or view information about AD objects.

What can you do to address this situation?

We recommend that you change the default admin password, at least before you move to the deployment phase from the evaluation phase, for security reasons. You can change the default password in the 'My Account' section found in the top right corner of the product's web-console.

Click here for steps to change the default admin password.

If you need further information, have any questions, or face any difficulties in performing the recommended steps, please get in touch with us at support@admanagerplus.com or +1-844-245-1108 (toll free).