Best practices to enhance the protection of ADManager Plus

This article lists some of the best practices that you can use to secure ADManager Plus. You can implement these recommendations, regardless of whether you choose to deploy the product on-premises or on the cloud.

Modify the permissions of ADManager Plus installation folder   

Why should you do this?  
By default, ADManager Plus is installed in the C:\ProgramFiles\ManageEngine folder. In builds before 7210, in a few cases, users without administrative privileges who were part of the Authenticated Users group were given Full Control permission for the files in the installation directory. This might allow any user in the Authenticated Users group with malicious intent to tamper with the contents of the bin folder.


What can you do to address this?  

Starting from the 7210 release, the Authenticated Users group's access to the installation directory is removed, and only users in the SYSTEM, Administrators, and Domain Admins groups, and the user account linked during installation, have default access.

If you are using a build prior to 7210, you can remove the Authenticated Users group from the ACL either by manually modifying the permission settings or by using the SecureDeployment.exe file to modify the settings automatically.

Click here for detailed information about this scenario, and the steps to modify the permissions of ADManager Plus installation folder.
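To check whether an installation is affected before changing anything, the following PowerShell audit (an added example, not part of the product or its documentation) lists every file and folder under the installation directory where Authenticated Users holds a write-capable Allow entry. The `-InstallPath` parameter and the output column names are assumptions of this example; run it from an elevated prompt so that every ACL can be read.

```powershell
param(
    # Assumption: pass your actual ADManager Plus installation directory.
    [Parameter(Mandatory)]
    [string]$InstallPath
)

# Well-known SID of the Authenticated Users group (independent of OS language).
$authUsersSid = 'S-1-5-11'
$sidType      = [System.Security.Principal.SecurityIdentifier]

# Rights that allow tampering. Read/execute bits are deliberately left out,
# so a read-only entry is not reported.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only entries can carry raw generic bits instead of named rights:
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

# The installation folder itself plus everything beneath it (bin included).
$items = @(Get-Item -LiteralPath $InstallPath) +
         @(Get-ChildItem -LiteralPath $InstallPath -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Ask for explicit and inherited rules with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $authUsersSid -and
            ([int]$ace.FileSystemRights -band $mask) -ne 0) {
            [pscustomobject]@{
                Path      = $item.FullName
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) entries let Authenticated Users modify installation files."
} else {
    Write-Output "No write-capable Authenticated Users entries found under $InstallPath."
}
```

Entries reported with `Inherited = False` are set directly on that item; inherited ones are cleared by fixing the parent folder's ACL.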

Disabling or restricting the Employee Search option   

Why should you do this?  
The Employee Search, one of the popular features of ADManager Plus, is used as a Corporate Directory Search by many of our users. It is therefore enabled by default. However, to suit the specific needs of your organization, or for security reasons, you might want to display only specific details of users and contacts in the search result, or might even prefer not to have this option at all.


What can you do to address this scenario?  

Based on the specific needs of your organization or for security reasons, you can:

  1. Limit the scope of Employee Search to only specific domains, or OUs.

  2. Specify the details of users or contacts that can be displayed in the search result.

  3. Specify the attributes or details based on which users or contacts can be located.

  4. Disable the Employee Search option completely.

Click here for the steps to customize or disable the Employee Search option.

Change the default admin password   

Why should you do this? 

If ADManager Plus' default admin password is not changed, anyone who is aware of the default password might use it to log in to the product and make malicious changes in your Active Directory (AD) or view information about AD objects.


What can you do to address this situation?  

We recommend that you change the default admin password, at least before you move to the deployment phase from the evaluation phase, for security reasons. You can change the default password in the My Account section found in the top right corner of the product's web-console.

Click here for steps to change the default admin password.

Additional security for ADManager Plus logins   

ADManager Plus supports smart card authentication, two-factor authentication (TFA), CAPTCHA, etc., and also allows you to block users in case of bad passwords, to enhance the security of the user logon process and prevent unauthorized users from logging in. Click the links below for steps to configure the various options to secure the logon process for your users.

Security hardening   

ADManager Plus offers a series of security and data privacy options to improve your management and reporting experience, secure access to the product, secure data disposal, and more. To learn how to configure the security and privacy settings in ADManager Plus, click here.

If you need further information, have any questions, or face any difficulties in performing the recommended steps, please get in touch with us at support@admanagerplus.com or +1-844-245-1108 (toll free).

