Guide to enhance the protection for ADManager Plus installation

    This document provides the steps to improve the security of your ADManager Plus instance for specific scenarios mentioned below.

    Preventing a user in the Authenticated Users group from tampering with the ADManager Plus bin folder.

    By default, ADManager Plus is installed in the C:\ManageEngine folder. This grants even non-admin users belonging to the Authenticated Users group Full Control permission over the files in the bin directory.

    It is designed this way so that any domain user can access the folder and start or stop the product. However, this also allows any member of the Authenticated Users group with malicious intent to tamper with the contents of the bin folder.

    Simply removing Authenticated Users from the ACL will not help, as this would allow only admin users to start ADManager Plus as a service or application. Non-admin users would then be unable to do this, even when they are permitted or required to, due to a lack of privileges.

    Solution:

    There are two ways to tackle this problem. You can either manually modify the permission settings or use the SecureDeployment.exe file, which modifies the settings automatically.

    1. Using SecureDeployment.exe
    2. Manually modifying permissions
       a. When ADManager Plus is installed in the C:\ManageEngine folder
       b. When ADManager Plus is installed in the C:\Program Files folder

    1. Using SecureDeployment.exe

    The SecureDeployment.exe file in the bin directory will automatically:

    • Prevent users in the Authenticated Users group from accessing the ADManager Plus installation folders.
    • Assign Full Control permission to the account you specify.
    • Configure the 'log-on as' account credentials if ADManager Plus runs as a service.

    The SecureDeployment.exe file will ensure that the deployment environment is secured.

    2. Manually modifying permissions

    a. Steps to perform if ADManager Plus is installed in the C:\ManageEngine folder:

    i) If ADManager Plus is installed in a client OS

    ii) If ADManager Plus is installed in a server OS

    By default, on a client OS the C: directory grants Authenticated Users Modify permission on its subfolders, whereas on a server OS the C: directory does not have Authenticated Users in its ACL.

    i) If ADManager Plus is installed in a client OS

    To allow users with fewer privileges to start or stop ADManager Plus on a client OS, follow these steps:

    1. Disable inheritance for the C:\ManageEngine\ADManager Plus folder.
    2. Remove Authenticated Users from the ACL.
    3. Remove the Authenticated Users permission from these folders under the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp.
    4. Assign Modify permission on the C:\ManageEngine\ADManager Plus folder to the users responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure that account has Modify permission.

    ii) If ADManager Plus is installed in a server OS

    1. Remove the Authenticated Users permission from these folders under the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp.
    2. Assign Modify permission on the C:\ManageEngine\ADManager Plus folder to the users responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure that account has Modify permission.

    Note: The steps in both cases above apply equally to any installation location of your choice besides C:\ManageEngine.

    b. Steps to perform if ADManager Plus is installed in the C:\Program Files folder:

    1. Remove the Authenticated Users permission from these folders under the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp.
    2. Assign Modify permission on the C:\Program Files\ADManager Plus folder to the users responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure that account has Modify permission.

    Note:

    - Microsoft recommends installing software in the Program Files directory. Based on your specific needs or organizational policies, you can choose a different location.

    - The steps in this guide apply to all ManageEngine products that use 'C:\ManageEngine' as their default installation location.
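    The manual permission steps above (the client OS and server OS cases under C:\ManageEngine, and the C:\Program Files case), together with a check for the default Full Control grant described at the start of this section, as an added PowerShell example. This is not part of the ManageEngine guide or the product; it assumes the default install path shown and an operator account that you supply (`CORP\admp-svc` below is a placeholder), and it must run from an elevated prompt.

```powershell
# Added example; not ManageEngine's code. Automates the manual ACL steps from
# this guide and audits the result. Assumptions: the install path below exists,
# and the operator account you pass exists. Run elevated; add -WhatIf to preview.

# "Authenticated Users" by well-known SID, so the script is locale-independent.
$script:AuthUsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
# Subfolders the guide says must not grant Authenticated Users any permission.
$script:RestrictedSubfolders = @('bin\licenses', 'lib\licenses', 'temp', 'webapps\adsm\temp')

function Get-AuthUsersWriteAccess {
    # Returns the Allow ACEs on $Path that give Authenticated Users any Modify bit
    # (Full Control is a superset of Modify, so it is caught as well).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $modifyBits = [System.Security.AccessControl.FileSystemRights]::Modify
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne $script:AuthUsersSid.Value) { continue }
        if (($ace.FileSystemRights -band $modifyBits) -ne 0) { $ace }
    }
}

function Test-AdmpInstallDir {
    # Audit: $true when neither the install root nor the restricted subfolders
    # let Authenticated Users modify anything; warns about each offending folder.
    param([string]$InstallDir = 'C:\ManageEngine\ADManager Plus')
    $clean = $true
    $paths = @($InstallDir) + @($script:RestrictedSubfolders | ForEach-Object { Join-Path $InstallDir $_ })
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $hits = @(Get-AuthUsersWriteAccess -Path $p)
        if ($hits.Count -gt 0) {
            $clean = $false
            Write-Warning "$p grants Authenticated Users: $($hits.FileSystemRights -join ', ')"
        }
    }
    return $clean
}

function Protect-AdmpInstallDir {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$InstallDir = 'C:\ManageEngine\ADManager Plus',
        # Account that starts/stops the product, or the service 'log-on as' account.
        [Parameter(Mandatory)][string]$OperatorAccount,
        # Client OS case from the guide: break inheritance from C:\ first.
        [switch]$DisableInheritance
    )
    $root = Get-Acl -LiteralPath $InstallDir
    if ($DisableInheritance) {
        # Keep inherited ACEs as explicit copies so other principals keep access;
        # the Authenticated Users copies are purged just below.
        $root.SetAccessRuleProtection($true, $true)
    }
    # Step "Remove Authenticated Users from the ACL" (a no-op on a server OS,
    # where C:\ never granted them anything).
    $root.PurgeAccessRules($script:AuthUsersSid)
    # Step "Assign Modify permission": inherits down to every file and subfolder.
    $operatorRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $OperatorAccount, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $root.AddAccessRule($operatorRule)
    Set-Acl -LiteralPath $InstallDir -AclObject $root

    # Step "Remove the Authenticated Users permission from these folders".
    foreach ($sub in $script:RestrictedSubfolders) {
        $path = Join-Path $InstallDir $sub
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        $acl.PurgeAccessRules($script:AuthUsersSid)
        Set-Acl -LiteralPath $path -AclObject $acl
    }
    # Re-audit so the caller sees whether any Authenticated Users grant survived.
    Test-AdmpInstallDir -InstallDir $InstallDir
}
```

    Preview with `Protect-AdmpInstallDir -OperatorAccount 'CORP\admp-svc' -DisableInheritance -WhatIf` (the WhatIf flag propagates to the Set-Acl calls, so nothing is written), then run it without `-WhatIf` to apply. Use `-DisableInheritance` only for the client OS case; on a server OS or under C:\Program Files, omit it so the folder keeps inheriting the existing administrative grants. `Test-AdmpInstallDir` alone answers the question the first paragraph of this section raises, namely whether Authenticated Users can still write to the installation, and is worth scheduling as a recurring check after product upgrades.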

    Disabling or restricting the Employee Search option.

    ADManager Plus' Employee Search lets users or employees look up the details of fellow employees and contacts in their organization.

    Description: Employee Search is one of the popular features of ADManager Plus, used as a corporate directory search, and it is enabled by default. However, to suit the specific needs of your organization or for security reasons, you might want to display only specific details of users and contacts in the search results, or you might prefer not to offer this option at all.

    Solution:

    Based on the need, you can easily:

    1. Limit the scope of Employee Search to specific domains or OUs.
    2. Specify which details of users or contacts can be displayed in the search results.
    3. Specify the attributes or details by which users or contacts can be located.
    4. Disable the Employee Search option.

    Follow these steps:

    1. Log in to ADManager Plus.
    2. Click on the Admin tab.
    3. From the options on the left-hand side, click Employee Preferences and select Configure AD Search.
      • Disabling Employee Search: Uncheck the 'Show Employee Search in login page' option to disable this search completely and remove it from the login page.
      • Limiting the scope of Employee Search: Select the domain and its corresponding OUs from the ones displayed in the Selected Domains field to restrict the search to that specific domain and its OUs.
      • Limiting the search to user and/or contact objects: Click the Users and Contacts tabs, and uncheck the ones you do not wish to be searchable through this option. Also, under the Users and Contacts tabs, under Available Columns, in Display Columns, uncheck the attributes or details that you do not want displayed in the search results.
      • Specifying the attributes by which users or contacts can be searched: Under the Users and Contacts tabs, under Search Criteria, in Available Columns, select only the desired attributes.
    4. Click Save Settings to save your preferred settings for the Employee Search.

    Change ADManager Plus' default admin password.

    Why should you do this?

    If ADManager Plus' default admin password is not changed, anyone who knows the default password could use it to log in to the product and make malicious changes in your Active Directory (AD) or view information about AD objects.

    What can you do to address this situation?

    For security reasons, we recommend that you change the default admin password, at the latest before you move from the evaluation phase to the deployment phase. You can change the default password in the 'My Account' section in the top right corner of the product's web console.


    ⚠️ Note: For securely hosting ADManager Plus over the internet, refer to the deployment guide.