Hi,

 We wanted to let you know about some of the best practices that you can use to ensure additional protection for your ADManager Plus installation. You can implement these recommendations immaterial of whether you choose to deploy the product on-premises or on the internet.

 - Modify the permissions of ADManager Plus installation folder.

 - Disable or restrict the Employee Search option.

 - Change ADManager Plus' default admin password

Modify the permissions of ADManager Plus installation folder

Why should you do this?

By default, ADManager Plus will be installed in C:\ManageEngine folder. This will grant even non-admin users belonging to the Authenticated Users group, Full Control permission over the files in the bin directory. It is designed this way so that any domain user can access the folder, and start or stop the product. But there are chances that this might allow any user of the Authenticated Users group, with a malicious intent, to tamper with the contents of the bin folder.

Removing Authenticated Users from ACL will not help, as this will allow only admin users to start ADManager Plus, as a service or application. Non-admin users will not be able to do this even if they are allowed to or when required, due to lack of privileges.

What can you do to address this?

You have to modify the permissions of the folder. This can be done in two ways:

1. Automatically, using SecureDeployment.exe


2. Manually modifying permissions

 Click here for detailed information about this scenario, and the steps to modify the permissions of ADManager Plus installation folder.

Disabling or restricting the Employee Search option  

Why should you do this?

The Employee Search, one of the popular features of ADManager Plus, is used as a Corporate Directory Search by many of our users. It is therefore enabled by default. Also, to use this search, a user doesn't have to log in to the product. However, there are chances that this search might be used by even unauthenticated users to look up other users and contacts in the organization, and view their personally identifiable information (PII).

What can you do to address this scenario?

Based on the specific needs of your organization, or for security reasons, you can: 

1. Limit the scope of Employee Search to only specific domains, or OUs.


2. Specify the details of users or contacts that can be displayed in the search result.


3. Specify the attributes or details based on which users or contacts can be located.


4. Disable the Employee Search option completely.

 Click here for the steps to customize or disable the Employee Search option.

Change the default admin password

Why should you do this?

If ADManager Plus' default admin password is not changed, there are chances that anyone who is aware of the default password might use it log in to the product, and perform malicious changes in your Active Directory (AD) or view information about AD objects.

What can you do to address this situation?

Regards,

Toll-Free: +1-844-245-1108

Email: support@admanagerplus.com