This article explains how ADManager Plus secures customer data when it is stored at rest, and when it is transmitted (in transit).
Data security at rest
ADManager Plus protects sensitive data stored in its database using strong encryption and access controls.
Sensitive data, such as passwords, authentication tokens, and credentials stored in the database, is encrypted using the 256-bit Advanced Encryption Standard (AES).
This industry-standard encryption ensures that data remains unreadable even if storage files are accessed directly.
ADManager Plus uses the following encryption methods to store sensitive data:
| Database | Encryption method |
| --- | --- |
| PostgreSQL | AES-256-CBC |
| Microsoft SQL Server | AES-256-CBC |
The following sensitive information is encrypted and stored in the database:
| Functionality | Encryption standard used for storage | Data type |
| --- | --- | --- |
| ADManager Plus technician credentials | bcrypt password hash with salt | CHAR |
| AD domain settings credentials | AES-256 encryption | SCHAR |
| Mail server and SMS gateway credentials | AES-256 encryption | SCHAR |
| Technicians' auth tokens | AES-256 encryption | SCHAR |
| Database password | AES-256 encryption | Encrypted text |
| Proxy settings | AES-256 encryption | SCHAR |
| Export result and database backup password | AES-256 encryption | SCHAR |
| SSL key store password | AES-256 encryption | SCHAR |
| Microsoft 365 account credentials | AES-256 encryption | SCHAR |
| End users' passwords (audit data) | AES-256 encryption | SCHAR |
| External integration account details | AES-256 encryption | SCHAR |
| Username and password of high availability settings | AES-256 encryption | SCHAR |
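As an added illustration of the AES-256-CBC storage encryption listed in the tables above (example code, not ADManager Plus's own implementation): a Go round trip that encrypts a credential under a 32-byte key with a fresh random IV and PKCS#7 padding, then decrypts and validates it. The key and the secret are constructed sample values; how the product manages its own key is not described on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

const bs = aes.BlockSize // 16-byte blocks; CBC only processes whole blocks
// pkcs7Pad pads to a whole number of blocks; pkcs7Unpad strictly reverses it.
func pkcs7Pad(b []byte) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1]) // caller guarantees len(b) >= bs
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptCredential: AES-256-CBC, random IV prepended, so equal secrets never share ciphertext.
func EncryptCredential(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	padded := pkcs7Pad(plaintext)
	out := make([]byte, bs+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	return out, nil
}

// DecryptCredential reverses EncryptCredential and rejects malformed input.
func DecryptCredential(key, data []byte) ([]byte, error) {
	if len(key) != 32 || len(data) < 2*bs || len(data)%bs != 0 {
		return nil, errors.New("bad key length or ciphertext length")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(pt, data[bs:])
	return pkcs7Unpad(pt)
}
```

CBC mode gives confidentiality only; where stored ciphertext could be altered, it should be paired with a MAC or replaced by an authenticated mode.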
Database access protection
The built-in database can be accessed only using instance-specific credentials.
Access to the built-in database is restricted to localhost, preventing remote or external access.
The database resides entirely within the customer’s environment, ensuring full data ownership and control.
Alternatively, customers can configure ADManager Plus to use their own Microsoft SQL Server instance, allowing them to apply their existing database security, access controls, and compliance policies.
Password security
Built-in technician passwords are one-way hashed using bcrypt.
Bcrypt uses a per-user salt, making password reversal computationally expensive and impractical.
Password values are filtered from all logs, ensuring they are never exposed through debugging or audit trails.
Search Guard–based protection for Elasticsearch (ES) data
ADManager Plus uses Search Guard to secure ES data with certificate-based encryption and access control.
Access to ES data is restricted to authorized product components and trusted Elasticsearch nodes validated by certificates issued by a trusted CA.
Authentication and role-based authorization are enforced using certificate attributes mapped to defined access rules in the Elasticsearch configuration.
These measures collectively protect stored data from unauthorized access, tampering, or reverse engineering.
Data security in transit
ADManager Plus also secures data while it is being transmitted between clients, servers, and directory services.
Encrypted communication
All communication between the following is protected using configurable HTTPS and LDAPS (SSL/TLS) encryption:
User browsers and the ADManager Plus server
ADManager Plus and integrated services
Search Guard keeps data safe by using TLS certificates to encrypt all communication and verify identities. Every connection, client to ES and node to node, is encrypted, so data cannot be read or altered if intercepted.
Secure directory communication
ADManager Plus supports secure LDAP (LDAPS) for communication with Active Directory, ensuring directory credentials and queries are encrypted during transmission.
Only secure TLS protocols are permitted, based on the configured security settings.
Network-level protection
Data transmitted across internal networks, VPNs, or public networks remains encrypted end to end once HTTPS is configured; HTTPS is configurable and is not enabled by default.
When deployed over the internet, SSL encryption ensures credentials and administrative actions are not exposed in transit.