This document provides the steps to improve the security of your ADManager Plus instance for specific scenarios mentioned below.
By default, ADManager Plus is installed in the C:\ManageEngine folder. With the default ACL of that location, even non-admin users who are members of the Authenticated Users group get Full Control over the files in the bin directory.
This is intentional: it lets any domain user access the folder and start or stop the product. The same permission, however, lets any member of Authenticated Users with malicious intent tamper with the contents of the bin folder, which holds the binaries the product runs.
Simply removing Authenticated Users from the ACL is not a solution either: only admin users would then be able to start ADManager Plus, as a service or as an application, and non-admin users who are permitted or required to do so would fail for lack of privileges.
There are two ways to address this. You can either modify the permission settings manually, or run the SecureDeployment.exe file, which modifies the settings for you.
1. Using SecureDeployment.exe
The SecureDeployment.exe file in the bin directory will automatically:
The SecureDeployment.exe file will ensure that the deployment environment is secured.
2. Manually modifying permissions
a. Steps to perform if ADManager Plus is installed in C:\ManageEngine folder:
i. If ADManager Plus is installed in a client OS
ii. If ADManager Plus is installed in a server OS
By default, the C: drive of a client OS has an Authenticated Users ACE granting Modify permission to subfolders and files, which C:\ManageEngine inherits. The C: drive of a server OS does not have Authenticated Users in its ACL.
i) If ADManager Plus is installed in a client OS
To allow less-privileged users to start or stop ADManager Plus on a client OS, follow these steps:
ii) If ADManager Plus is installed in a server OS
Note: The steps in both cases above apply equally to any other installation location besides C:\ManageEngine.
b. Steps to perform if ADManager Plus is installed in C:\Program Files folder
- Microsoft recommends installing software in the Program Files directory, where standard users get read and execute access only by default. Based on your specific needs or organizational policies, you can choose a different location.
- The steps in this guide apply to all ManageEngine products that use 'C:\ManageEngine' as the default installation location.
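As an added example (this script is not part of the ADManager Plus documentation or product), the manual procedure above expressed in PowerShell: break inheritance on the install folder, purge the ACEs of broad principals such as Authenticated Users, grant a dedicated operator group Read & execute so its members can still launch the product, and then audit bin for any write-capable ACE that survived. The install path C:\ManageEngine\ADManager and the group CONTOSO\ADMP-Operators are assumptions; substitute your own.

```powershell
# Added example, not part of the ADManager Plus documentation or product.
# Hardens the NTFS ACL of the install folder so that Authenticated Users
# lose write access to bin, while a dedicated group keeps the read/execute
# access it needs to launch the product, then audits the result.
# Assumptions (hypothetical, adjust to your environment):
#   - install path  : C:\ManageEngine\ADManager
#   - operator group: CONTOSO\ADMP-Operators
# Run from an elevated PowerShell prompt on the ADManager Plus host.

$InstallDir = 'C:\ManageEngine\ADManager'      # assumed install path
$BinDir     = Join-Path $InstallDir 'bin'
$Operators  = 'CONTOSO\ADMP-Operators'         # assumed domain group

# Principals that every domain account belongs to; none of them should be
# able to write into bin.
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

function Protect-InstallDir {
    param([string]$Path, [string]$Group, [string[]]$Broad)

    # 1. Stop inheriting the drive-root ACL (on a client OS it carries
    #    Authenticated Users: Modify) and convert the inherited ACEs into
    #    explicit ones so they can be edited.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 2. Drop every ACE held by a broad principal. On a server OS the root
    #    ACL has no such ACE, so this step simply removes nothing.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($name in $Broad) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
    }

    # 3. Give the operator group Read & execute on the whole tree. That is
    #    enough to run the product's start/stop executables; it does not
    #    permit replacing them.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-BroadWriteAce {
    # Returns every Allow ACE under $Path that gives a broad principal a
    # right that can alter or remove files. Empty output means bin is clean.
    param([string]$Path, [string[]]$Broad)

    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $mask = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor [int]$fsr::Delete -bor
            [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership -bor
            0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL, which Get-Acl
                                         # shows as raw numbers on inherit-only ACEs

    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $Broad -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band $mask) -ne 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Protect-InstallDir -Path $InstallDir -Group $Operators -Broad $BroadPrincipals
$leftover = @(Get-BroadWriteAce -Path $BinDir -Broad $BroadPrincipals)
if ($leftover.Count -eq 0) {
    Write-Host "OK: no broad principal can write under $BinDir"
} else {
    Write-Warning "Writable ACEs remain under ${BinDir}:"
    $leftover | Format-Table -AutoSize
}
```

An empty audit result is the state you want on both client and server OS; run the audit function on its own after any later reinstall or upgrade, since installers can re-add permissive ACEs. The NTFS change only covers starting the product as an application. Letting a non-admin start or stop the Windows service additionally requires rights on the service's own security descriptor, which this example does not touch.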
ADManager Plus' Employee Search lets users or employees look up the details of fellow employees and contacts in their organization.
Description: Employee Search is one of the popular features of ADManager Plus. It serves as a corporate directory search and is enabled by default. To suit the specific needs of your organization, or for security reasons, you might want to display only specific details of users and contacts in the search results, or to disable the option entirely.
Based on the need, you can easily:
Mentioned below are the steps:
Why should you do this?
If the default admin password of ADManager Plus is not changed, anyone who knows the default password can log in to the product, view information about Active Directory (AD) objects, or make malicious changes in your AD.
What can you do to address this situation?
For security reasons, we recommend changing the default admin password at the latest before you move from the evaluation phase to deployment. You can change it in the 'My Account' section at the top right corner of the product's web console.
Click here for steps to change the default admin password.
ADManager Plus supports smart card authentication, two-factor authentication (TFA) and CAPTCHA, and can block users after repeated bad password attempts, to secure the logon process and keep unauthorized users from logging in. Click the links below for steps to configure each of these options.
⚠️ Note: For securely hosting ADManager Plus over the internet, refer to this deployment guide.