Guide to enhance the protection for ADManager Plus installation

    This document provides the steps to improve the security of your ADManager Plus instance for specific scenarios mentioned below.

    Preventing a user in the Authenticated Users group from tampering with the ADManager Plus bin folder

    By default, ADManager Plus is installed in the C:\Program Files\ManageEngine folder. Starting with the 7210 release, the Authenticated Users group no longer has access to the installation directory; only the SYSTEM account, members of the Administrators and Domain Admins groups, and the user account linked during installation have access by default.

    In prior builds, in a few cases even users without administrative privileges were given Full Control over files in the installation directory simply because they were members of the Authenticated Users group. To remove the Authenticated Users group from the Access Control List (ACL) of the ADManager Plus installation, follow these instructions.

    Solution

    There are two ways to tackle this problem. You can either modify the permission settings manually or use the SecureDeployment.exe file, which modifies the settings automatically.

    1. Using SecureDeployment.exe
    2. Manually modifying permissions

    1. Using SecureDeployment.exe

    The SecureDeployment.exe file in the bin directory will automatically:

    • Prevent users in the Authenticated Users group from accessing the ADManager Plus installation folders.
    • Assign Full Control permission to the given account.
    • Configure the log-on-as account credentials if ADManager Plus runs as a service.

    The SecureDeployment.exe file will ensure that the deployment environment is secured.

    2. Manually modifying permissions

    a. Steps to perform if ADManager Plus is installed in a folder other than Program Files:

    i. If ADManager Plus is installed in a client OS

    ii. If ADManager Plus is installed in a server OS

    By default, the client OS C: directory has Authenticated Users with Modify permission for subfolders. However, the C: directory in the server OS does not have Authenticated Users in the ACL.

    i) If ADManager Plus is installed in a client OS

    To allow users with fewer privileges to start or stop ADManager Plus on a client OS, follow these steps:

    1. Disable Inheritance for the folder where ADManager Plus is installed.
    2. Remove Authenticated Users from the ACL.
    3. Remove Authenticated Users permission for these folders from the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    4. Assign Modify permission on the folder where ADManager Plus is installed to the users responsible for starting the product. If the product is installed as a service with a log-on-as account, ensure that this account has Modify permission.

    ii) If ADManager Plus is installed in a server OS

    1. Remove Authenticated Users permission for these folders from the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    2. Assign Modify permission on the folder where ADManager Plus is installed to the users responsible for starting the product. If the product is installed as a service with a log-on-as account, ensure that this account has Modify permission.

    b. Steps to perform if ADManager Plus is installed in C:\Program Files folder

    1. Remove Authenticated Users permission for these folders from the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    2. Assign Modify permission on the folder where ADManager Plus is installed to the users responsible for starting the product. If the product is installed as a service with a log-on-as account, ensure that this account has Modify permission.
    Note:
    • Microsoft recommends that any software should be installed in the Program Files directory. Based on your specific needs or organizational policies, you can choose a different location.
    • We highly advise customers against granting access to the product folder and its parent folders to non-admin group users.
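    The manual steps above (the client-OS, server-OS and Program Files cases) put together as a single PowerShell run, as an added example that is not ManageEngine's own script. $InstallDir and $StartAccount are placeholders to replace, and the script assumes an elevated session on the ADManager Plus host.

```powershell
# Placeholders: set these to your install path and the log-on-as / start-up account.
$InstallDir   = 'C:\Program Files\ManageEngine\ADManager Plus'
$StartAccount = 'CONTOSO\svc-admp'
$AuthUsers    = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'
# Win32_OperatingSystem.ProductType: 1 = workstation (client OS), 2/3 = server.
$IsClientOS   = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 1

# Remove every ACE for Authenticated Users from a folder's DACL. An inherited ACE
# cannot be removed directly, so inheritance is disabled first (keeping the inherited
# entries as explicit copies), which is also step 1 of the client-OS procedure.
function Remove-AuthUsersAccess([string]$Path) {
    $acl = Get-Acl -Path $Path
    $inherited = $acl.Access | Where-Object {
        $_.IdentityReference -eq $AuthUsers -and $_.IsInherited }
    if ($inherited) {
        $acl.SetAccessRuleProtection($true, $true)   # protect, preserve as explicit
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path
    }
    $acl.PurgeAccessRules($AuthUsers)                # drop all explicit ACEs for this SID
    Set-Acl -Path $Path -AclObject $acl
}

# Grant Modify to the account that starts the product, inherited by subfolders and files.
function Grant-Modify([string]$Path, [string]$Account) {
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Client OS only: outside Program Files the install folder inherits "Authenticated Users:
# Modify" from C:\, so strip it there (steps 1-2). Under Program Files this changes nothing.
if ($IsClientOS) { Remove-AuthUsersAccess $InstallDir }

# All cases: remove Authenticated Users from the four subfolders named in the guide.
foreach ($sub in 'bin\licenses', 'lib\licenses', 'temp', 'webapps\adsm\temp') {
    $p = Join-Path $InstallDir $sub
    if (Test-Path $p) { Remove-AuthUsersAccess $p } else { Write-Warning "Not found: $p" }
}
Grant-Modify $InstallDir $StartAccount

# Verify: report any folder in the tree that still carries an Authenticated Users ACE.
Get-ChildItem -Path $InstallDir -Directory -Recurse | Where-Object {
    (Get-Acl $_.FullName).Access.IdentityReference -contains $AuthUsers
} | Select-Object -ExpandProperty FullName
```

    The final listing should be empty; any path it prints still has an Authenticated Users entry and needs a second look before the product is restarted.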

    Disabling or restricting the Employee Search option

    ADManager Plus' Employee Search can be used by users or employees to look up the details of fellow employees and contacts of their organization.

    Description: Employee Search is one of the popular features of ADManager Plus and is used as a corporate directory search; it is enabled by default. However, to suit the specific needs of your organization, or for security reasons, you might want to display only specific details of users and contacts in the search result, or you might prefer not to offer this option at all.

    Solution

    Based on the need, you can easily:

    1. Limit the scope of Employee Search to specific domains or OUs.
    2. Specify which details of users or contacts can be displayed in the search result.
    3. Specify the attributes or details by which users or contacts can be located.
    4. Disable the Employee Search option.

    Mentioned below are the steps:

    1. Log in to ADManager Plus.
    2. Click on the Admin tab.
    3. From the options on the left-hand side, click Employee Preferences and select Configure AD Search.
      • Disabling Employee Search: Uncheck the 'Show Employee Search in login page' option to disable this search completely and also not display this option on the login page.
      • Limiting the scope of Employee Search: Select the domain and its corresponding OUs, from the ones displayed in Selected Domains field, to restrict the search to only that specific domain and its OUs.
      • Limiting the search to only user and/or contact objects: Click the Users and Contacts tabs and uncheck the object types that you do not want to be searchable through this option. Also, under the Users and Contacts tabs, under Available Columns in Display Columns, uncheck the attributes or details that you do not want displayed in the search result.
      • Specifying the attributes by which users or contacts can be searched: Under the Users and Contacts tabs, under Search Criteria, select only the desired attributes in Available Columns.
    4. Click Save Settings to save your preferred settings for the Employee Search.

    Change ADManager Plus' default admin password

    Why should you do this?

    If ADManager Plus' default admin password is not changed, anyone who knows the default password could use it to log in to the product and make malicious changes in your Active Directory (AD) or view information about AD objects.

    What can you do to address this situation?

    For security reasons, we recommend that you change the default admin password at the latest before you move from the evaluation phase to the deployment phase. You can change the default password in the 'My Account' section found in the top right corner of the product's web console.

    Click here for steps to change the default admin password.

    Additional security for ADManager Plus logins

    ADManager Plus supports smart card authentication, two-factor authentication (TFA), CAPTCHA, and more, and can also block users after repeated bad passwords, to secure the user logon process and prevent unauthorized users from logging in. Click the links below for steps to configure the various options that secure the logon process for your users.

    Security hardening

    ADManager Plus offers a series of security and data privacy options to improve your management and reporting experience, secure access to the product, secure data disposal, and more. To learn how to configure the security and privacy settings in ADManager Plus, click here.

    Note: For securely hosting ADManager Plus over the internet, refer to this deployment guide.
