How to set folder permission for EventLog Analyzer installation directory: Windows
Objective
This document focuses on setting up folder permission for the installation directory to ensure seamless usability and to secure the installation from unauthorized access. Unauthorized access to the installation directory could mean a user can tamper with the directory's contents, leading to security risks such as sensitive data exposure and operational risks such as making the product unusable. This document discusses the measures to prevent unauthorized users from accessing the EventLog Analyzer installation directory and modifying its contents.
Prerequisites
- Need access to the application installed server as an Administrator.
Steps to follow
For new installations of builds 12336 and above, only the following types of user accounts are automatically provided access to the installation directory:
- Local system account
- User account used during product installation
- Administrators group
This is done to ensure file security and integrity.
Important: If the product is installed as a service, ensure that the account configured under the Log On tab of the service’s properties has been assigned Full Control permission for the installation directory.
Unauthorized users can be prevented from accessing the EventLog Analyzer installation directory for builds lower than 12336 or to reassign the permission below in two ways:
Case 1: Run the setAppPermission.bat file
With this method, access to the installation directory is automatically restricted to only the necessary accounts.
There are two ways to do this:
- Option 1: Update to build 12336. Navigate to the "<Product Installation directory>/bin" folder (by default C:\Program Files\ManageEngine\EventLog Analyzer\bin) and run the setAppPermission.bat file from the elevated Command Prompt.
- Option 2: Download the zip file using this link. Extract the zip and move "setAppPermission.bat" to the "<Product Installation Directory>/bin" folder. Run the setAppPermission.bat file from the elevated command prompt. (See the image below for reference.)
Case 2: Modify required permissions manually
To modify access permissions on the EventLog Analyzer installation directory for unnecessary groups/user accounts manually, follow the steps below:
Step 1: Disable Inheritance for the installation directory (by default C:\Program Files\ManageEngine\ EventLog Analyzer). Refer to the Appendix section for step-by-step instructions.
Step 2: Remove access permissions for all the unnecessary groups. Refer to the Appendix section for step-by-step instructions.
Step 3: Provide Full Control permissions to the Local System Account and the Administrators Group for the product's installation directory. Refer to the Appendix section for step-by-step instructions.
Step 4: Assign Full Control permission for the installation directory folder to users who can start or stop the product. Refer to the Appendix section for step-by-step instructions.
Step 5: If the product is installed as a service, ensure that the account configured under the Log On tab of the service’s properties has been assigned Full Control permission for the installation directory.
Notes: Microsoft recommends that software be installed in the Program Files directory. Based on your specific needs or organizational policies, you can choose a different location.
Appendix
Steps to disable inheritance
Step 1: Right-click the folder and select Properties.
Step 2: Go to the Security tab and click Advanced.
Step 3: Click Disable inheritance.
Step 4: Click Convert inheritance permission to explicit permissions on this object.
Step 5: Click Apply and then OK.
Steps to remove unnecessary accounts from ACL
Step 1: Right-click the folder and select Properties.
Step 2: Go to the Security tab and click Edit.
Step 3: Select all the unnecessary groups and click Remove
Step 4: Click Apply and then OK.
Steps to assign Full control permissions to Users/Groups
Step 1: Right-click the folder and select Properties.
Steps to assign Full control permissions to Users/Groups
Step 1: Right-click the folder and select Properties.
Step 2: Go to the Security tab and click Edit.
Step 3: Click Add.
Step 4: Enter the name of the user or group, and click OK.
Step 5: Under the Permission for Users section, check the box under the Allow column for the Full Control permission
Tips
- Establish a secure installation with limited access to ensure data security and integrity.
- Use a service account to start the activity and ensure full control only for the service account and, for backup purposes, an administrator account.
New to ADSelfService Plus?
Related Articles
How to set folder permissions for the EventLog Analyzer installation directory: Linux OS
Objective This document focuses on setting up folder permissions for the installation directory to ensure seamless usability and to secure the installation from unauthorized access. Unauthorized access to the installation directory could enable a ...How to stop EventLog Analyzer | Windows OS
Objective This article offers step by step instructions for a clean shutdown of EventLog Analyzer application in Windows OS without disrupting the application. Prerequisites Need access to the EventLog Analyzer server installation folder, as well as ...Unable to start EventLog Analyzer
Issue description This issue occurs when the EventLog Analyzer service fails to start, or when users are unable to access the web client through the browser (typically on ports 8400 or 8445). Users may experience one or more of the following ...Windows agent not communicating with EventLog Analyzer server
Issue description When the agent fails to communicate with the EventLog Analyzer server, the log transfer between devices is disrupted. As a result, logs accumulate on the agent machine until connectivity is restored. This delay in log transmission ...How to migrate EventLog Analyzer standalone edition to different server or drive [Windows to Windows]
Objective This article provides a detailed step-by-step guide to migrate EventLog Analyzer Standalone instance (not integrated with Log360) to a new server or different server or drive. Prerequisites Refer to the System Requirement to plan the new ...