Guide to enhance the protection for ADManager Plus installation

    This document provides the steps to improve the security of your ADManager Plus instance for specific scenarios mentioned below.

    Preventing a user of the Authenticated Users group from tampering with the ADManager Plus bin folder.

    By default, ADManager Plus is installed in the C:\ManageEngine folder. This grants even non-admin users belonging to the Authenticated Users group Full Control permission over the files in the bin directory.

    It is designed this way so that any domain user can access the folder and start or stop the product. However, this also means that any user of the Authenticated Users group with malicious intent could tamper with the contents of the bin folder.

    Simply removing Authenticated Users from the ACL will not help, because only admin users would then be able to start ADManager Plus as a service or application. Non-admin users who are allowed or required to do so would no longer be able to, due to lack of privileges.

    Solution:

    There are two ways to tackle this problem. You can either manually modify the permission settings or use the SecureDeployment.exe file which will automatically modify the settings.

    1. Using SecureDeployment.exe
    2. Manually modifying permissions
       a. When ADManager Plus is installed in the C:\ManageEngine folder
       b. When ADManager Plus is installed in the C:\Program Files folder

    1. Using SecureDeployment.exe

    The SecureDeployment.exe file in the bin directory will automatically:

    • Prevent users in Authenticated Users group from accessing the ADManager Plus installation folders.
    • Assign Full permissions for the given account.
    • Configure 'log-on as' account credentials if ADManager Plus is accessed as a service.

    The SecureDeployment.exe file will ensure that the deployment environment is secured.

    2. Manually modifying permissions

    a. Steps to perform if ADManager Plus is installed in the C:\ManageEngine folder:

    i) If ADManager Plus is installed in a client OS

    ii) If ADManager Plus is installed in a server OS

    By default, on a client OS the C: directory grants Authenticated Users Modify permission on its subfolders. On a server OS, however, the C: directory does not list Authenticated Users in its ACL at all.

    i) If ADManager Plus is installed in a client OS

    To allow users with fewer privileges to start or stop ADManager Plus on a client OS, follow these steps:

    1. Disable Inheritance for the C:\ManageEngine\ADManager Plus folder.
    2. Remove Authenticated Users from the ACL.
    3. Remove Authenticated Users permission for these folders from the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    4. Assign Modify permission on the C:\ManageEngine\ADManager Plus folder to the users who are responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure this account has Modify permission.

    ii) If ADManager Plus is installed in a server OS

    1. Remove Authenticated Users permission for these folders from the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    2. Assign Modify permission on the C:\ManageEngine\ADManager Plus folder to the users who are responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure this account has Modify permission.

    Note: The steps mentioned in both of the above cases also hold good for any other installation location of your choice besides C:\ManageEngine.

    b. Steps to perform if ADManager Plus is installed in the C:\Program Files folder:

    1. Remove Authenticated Users permission for these folders from the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    2. Assign Modify permission on the C:\Program Files\ADManager Plus folder to the users who are responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure this account has Modify permission.

    Note:

    - Microsoft recommends that any software should be installed in the Program Files directory. Based on your specific needs or organizational policies, you can choose a different location.

    - The steps mentioned in this guide are applicable to all ManageEngine products which have 'C:\ManageEngine' as the default installation location.
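    The following PowerShell script is an added example, not a ManageEngine script, that applies the manual permission steps from the client OS, server OS and Program Files sections above and then audits the result. It generalizes the three cases into one procedure: inheritance is broken only when the product folder actually inherits an Authenticated Users entry (the client OS case), which is why the same script serves all three locations. The installation path and the account name are placeholders; run it in an elevated PowerShell session.

```powershell
# Added example, not a ManageEngine script: applies the manual permission steps from the
# client OS, server OS and Program Files sections, then audits the result.
# Run in an elevated PowerShell session. The install path and the account name are placeholders.
$InstallDir   = 'C:\ManageEngine\ADManager Plus'   # placeholder: your actual installation folder
$StartAccount = 'CONTOSO\admp-svc'                 # placeholder: account that starts/stops the product
                                                   # (the service 'log-on as' account, if run as a service)
$Subfolders   = 'bin\licenses', 'lib\licenses', 'temp', 'webapps\adsm\temp'
# Well-known SID for Authenticated Users, so the script works regardless of display language.
$AuthUsers    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Get-AuthenticatedUsersAces {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $AuthUsers
    }
}

function Remove-AuthenticatedUsersAccess {
    param([string]$Path)
    # Client OS case: the folder inherits Authenticated Users/Modify from C:\, so inheritance has to
    # be broken first (keeping copies of the inherited ACEs) before the entry can be removed.
    # On a server OS there is no inherited Authenticated Users ACE and this step is skipped.
    if (Get-AuthenticatedUsersAces $Path | Where-Object IsInherited) {
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    # Now every Authenticated Users ACE is explicit and can be purged.
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules($AuthUsers)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Grant-ModifyAccess {
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-AuthenticatedUsersCanWrite {
    # Audit check: does Authenticated Users still hold any right that allows changing the folder?
    param([string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $hits = Get-AuthenticatedUsersAces $Path | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    }
    return [bool]$hits
}

# Steps 1-2: break inheritance (client OS only) and drop Authenticated Users from the product folder.
Remove-AuthenticatedUsersAccess $InstallDir
# Step 3: drop Authenticated Users from the folders the product itself opens up to all users.
foreach ($sub in $Subfolders) {
    $p = Join-Path $InstallDir $sub
    if (Test-Path -LiteralPath $p) { Remove-AuthenticatedUsersAccess $p }
}
# Step 4: give the account that starts the product Modify on the whole tree.
Grant-ModifyAccess $InstallDir $StartAccount

# Audit: report any folder where Authenticated Users can still write.
foreach ($p in @($InstallDir) + ($Subfolders | ForEach-Object { Join-Path $InstallDir $_ })) {
    if (Test-Path -LiteralPath $p) {
        $state = if (Test-AuthenticatedUsersCanWrite $p) { 'WRITABLE by Authenticated Users' } else { 'ok' }
        '{0,-60} {1}' -f $p, $state
    }
}
```

    The audit at the end is worth keeping as a standalone check after any upgrade or reinstallation, since the product's installer may restore the original entries on the listed subfolders.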

    Disabling or restricting the Employee Search option.

    ADManager Plus' Employee Search can be used by users or employees to look up the details of fellow employees and contacts of their organization.

    Description: The Employee Search is one of the popular features of ADManager Plus. It is used as a Corporate Directory Search and is enabled by default. However, to suit the specific needs of your organization, or for security reasons, you might want to display only specific details of users and contacts in the search result, or you might prefer not to have this option at all.

    Solution

    Based on the need, you can easily:

    1. Limit the scope of Employee search to only specific domains, or OUs.
    2. Specify the details of users or contacts that can be displayed in the search result.
    3. Specify the attributes or details based on which users or contacts can be located.
    4. Disable the Employee Search option.

    Mentioned below are the steps:

    1. Log in to ADManager Plus.
    2. Click on the Admin tab.
    3. From the options on the left-hand side, click Employee Preferences and select Configure AD Search.
      • Disabling Employee Search: Uncheck the 'Show Employee Search in login page' option to disable this search completely and also not display this option on the login page.
      • Limiting the scope of Employee Search: Select the domain and its corresponding OUs, from the ones displayed in Selected Domains field, to restrict the search to only that specific domain and its OUs.
      • Limiting the scope of this search to only user and/or contact objects: Click the Users and Contacts tabs, and uncheck the ones that you do not wish to be searched using this option. Also, under Users and Contacts tabs, under Available Columns, in Display Columns, uncheck the attributes or details that you don't want to be displayed in the search result.
      • Specifying the attributes based on which users or contacts can be searched: Under Users and Contacts tabs, under Search Criteria, in Available Columns select only the desired attributes.
    4. Click Save Settings to save your preferred settings for the Employee Search.

    Change ADManager Plus' default admin password.

    Why should you do this?

    If ADManager Plus' default admin password is not changed, anyone who is aware of the default password could use it to log in to the product, perform malicious changes in your Active Directory (AD), or view information about AD objects.

    What can you do to address this situation?

    For security reasons, we recommend that you change the default admin password, at the latest before you move from the evaluation phase to the deployment phase. You can change the default password in the 'My Account' section found in the top right corner of the product's web console.

    Click here for steps to change the default admin password.

    Additional security for ADManager Plus logins

    ADManager Plus supports smart card authentication, two-factor authentication (TFA), CAPTCHA, etc., and also allows you to block users after bad password attempts, to enhance the security of the user logon process and prevent unauthorized users from logging in. Click the links below for steps to configure the various options to secure the logon process for your users.

    Security hardening

    This option allows you to view and configure the various security-related settings that enhance the product's security from a single location. To help you easily ascertain how secure your ADManager Plus instance is, a Product Security Hardening score, calculated based on the impact of each configured security setting, is displayed on the right side of the dashboard.

    The following security configurations are available to harden the security of ADManager Plus:

    1. Enforce HTTPS: Establish a secure connection between the web browsers and the ADManager Plus web server.
    2. Enforce Two-factor Authentication: Add an additional layer of security while logging in to ADManager Plus. For more information on TFA services available in ADManager Plus, refer to this help document.
    3. Change the default Password of the Admin account: Changing the default password and using a strong one will strengthen the password of the Admin account and ensure it is not compromised.
    4. Enable CAPTCHA: Configure CAPTCHA settings after a specific number of invalid login attempts to help mitigate bot-based attacks.
    5. Block Invalid Login Attempts: Block a particular technician's account, once a specific number of consecutive unsuccessful login attempts have been made.
    6. Enforce LDAP SSL: Set up an LDAP over SSL (LDAPS) connection to secure the information exchange between ADManager Plus and the LDAP servers.
    7. Enforce Secure TLS: Ensure older TLS versions are disabled. ADManager Plus supports TLS versions 1.0, 1.1, and 1.2.

    Steps to configure security hardening settings in ADManager Plus:

    1. Log in to the ADManager Plus console and navigate to the Admin tab.
    2. Click Connection listed under General Settings.
    3. Under Security Hardening, you can configure the respective security settings using the buttons available next to them.
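    The following PowerShell script is an added example, not part of ADManager Plus, for verifying from the outside that the Enforce HTTPS and Enforce Secure TLS settings took effect: it asks the product's web server to negotiate each TLS version listed above in turn and reports which ones are still accepted. The host name and port are placeholders; point them at your own instance.

```powershell
# Added example, not part of ADManager Plus: checks which TLS versions the product's web server
# still accepts after 'Enforce Secure TLS' has been configured. Host and port are placeholders.
$TargetHost = 'admanagerplus.example.local'   # placeholder: your ADManager Plus host
$Port       = 8443                             # placeholder: the HTTPS port you configured

function Test-TlsVersion {
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Certificate validation is disabled on purpose: this check is about protocol
        # negotiation only, and the callback must not be copied into real client code.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Offered = $Protocol; Accepted = $true;  Negotiated = $ssl.SslProtocol }
    } catch {
        # A handshake failure means the server refused this protocol version.
        [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null }
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
}

# Tls = 1.0, Tls11 = 1.1, Tls12 = 1.2. With older versions disabled, only Tls12 should be accepted.
$results = foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -HostName $TargetHost -Port $Port -Protocol $p
}
$results | Format-Table -AutoSize
$legacy = $results | Where-Object { $_.Accepted -and $_.Offered -ne 'Tls12' }
if ($legacy) { Write-Warning ("Legacy TLS versions still accepted: " + ($legacy.Offered -join ', ')) }
```

    If the script reports that no version at all is accepted, check first that the port really is the HTTPS port; a plain-HTTP listener fails every handshake, which would mean Enforce HTTPS is not yet in effect rather than that TLS is hardened.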

    Note: For securely hosting ADManager Plus over the internet, refer to this deployment guide.