Objective
This document focuses on setting up folder permissions for the installation directory to ensure seamless usability and to secure the installation from unauthorized access. With unauthorized access to the installation directory, a user can tamper with the directory's contents, leading to security risks such as sensitive data exposure and operational risks such as making the product unusable. This document discusses the measures to prevent unauthorized users from accessing the EventLog Analyzer installation directory and modifying its contents.
Prerequisites
- Administrator access to the server on which the application is installed.
Steps to follow
For new installations of builds 12336 and above, only the following types of user accounts are automatically provided access to the installation directory:
This is done to ensure file security and integrity.
Important: If the product is installed as a service, ensure that the account configured under the Log On tab of the service’s properties has been assigned Full Control permission for the installation directory.
For builds lower than 12336, or when the permissions need to be reassigned, unauthorized users can be prevented from accessing the EventLog Analyzer installation directory in two ways:
Case 1: Run the setAppPermission.bat file
With this method, access to the installation directory is automatically restricted to only the necessary accounts.
There are two ways to do this:
- Option 1: Update to build 12336. Navigate to the "<Product Installation directory>/bin" folder (by default C:\Program Files\ManageEngine\EventLog Analyzer\bin) and run the setAppPermission.bat file from an elevated Command Prompt.
- Option 2: Download the zip file using this link. Extract the zip and move "setAppPermission.bat" to the "<Product Installation Directory>/bin" folder. Run the setAppPermission.bat file from an elevated Command Prompt. (See the image below for reference.)
Case 2: Modify required permissions manually
To manually modify the access permissions that unnecessary groups/user accounts hold on the EventLog Analyzer installation directory, follow the steps below:
Step 1: Disable Inheritance for the installation directory (by default C:\Program Files\ManageEngine\EventLog Analyzer). Refer to the Appendix section for step-by-step instructions.
Step 2: Remove access permissions for all the unnecessary groups. Refer to the Appendix section for step-by-step instructions.
Step 3: Provide Full Control permissions to the Local System Account and the Administrators Group for the product's installation directory. Refer to the Appendix section for step-by-step instructions.
Step 4: Assign Full Control permission for the installation directory folder to users who can start or stop the product. Refer to the Appendix section for step-by-step instructions.
Step 5: If the product is installed as a service, ensure that the account configured under the Log On tab of the service’s properties has been assigned Full Control permission for the installation directory.
Notes: Microsoft recommends that software be installed in the Program Files directory. Based on your specific needs or organizational policies, you can choose a different location.
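The manual steps of Case 2 can also be scripted. The following PowerShell function is an added example, not part of the product and not the contents of setAppPermission.bat. The function name `Set-InstallDirAcl` and the account name `DOMAIN\svc-ela` are hypothetical, and the function assumes that every account outside the allowed list is unnecessary, so run it without `-Apply` first and review what it reports.

```powershell
# Added example (not vendor code). Run in an elevated PowerShell session.
function Set-InstallDirAcl {   # hypothetical helper name
    param(
        # Default installation path as given on this page
        [string]$InstallDir = 'C:\Program Files\ManageEngine\EventLog Analyzer',
        # Steps 4-5: users who start/stop the product and the service's Log On account
        [string[]]$ExtraAccounts = @(),
        # Without -Apply the function only reports; nothing is changed
        [switch]$Apply
    )
    # Step 3: Local System and the built-in Administrators group, by well-known SID
    $allowed = @('S-1-5-18', 'S-1-5-32-544')
    foreach ($name in $ExtraAccounts) {
        $nt = [System.Security.Principal.NTAccount]$name
        $allowed += $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    $acl = Get-Acl -LiteralPath $InstallDir
    if ($Apply) {
        # Step 1: disable inheritance and convert inherited entries to explicit ones
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $InstallDir -AclObject $acl
        $acl = Get-Acl -LiteralPath $InstallDir   # re-read: entries are now explicit
    }
    # Step 2: every identity on the ACL that is not in the allowed list
    $extra = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { $_.IdentityReference } |
        Where-Object { $allowed -notcontains $_.Value } |
        Sort-Object -Property Value -Unique
    foreach ($id in $extra) {
        Write-Output "Not in allowed list: $($id.Value)"
        if ($Apply) { $acl.PurgeAccessRules($id) }   # drops all entries for this identity
    }
    if (-not $Apply) { return }
    # Steps 3-5: Full Control for each allowed account, applied to subfolders and files
    foreach ($sid in $allowed) {
        $id = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.SetAccessRule($rule)
    }
    Set-Acl -LiteralPath $InstallDir -AclObject $acl
}

# Report only, then apply ('DOMAIN\svc-ela' is a placeholder for the service Log On account):
# Set-InstallDirAcl -ExtraAccounts 'DOMAIN\svc-ela'
# Set-InstallDirAcl -ExtraAccounts 'DOMAIN\svc-ela' -Apply
```

After applying, `Get-Acl` on the installation directory should list only the allowed accounts, each with FullControl.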
Appendix
Steps to disable inheritance
Step 1: Right-click the folder and select Properties.
Step 2: Go to the Security tab and click Advanced.
Step 3: Click Disable inheritance.
Step 4: Click Convert inheritance permission to explicit permissions on this object.
Step 5: Click Apply and then OK.
Steps to remove unnecessary accounts from ACL
Step 1: Right-click the folder and select Properties.
Step 2: Go to the Security tab and click Edit.
Step 3: Select all the unnecessary groups and click Remove.
Step 4: Click Apply and then OK.
Steps to assign Full Control permissions to Users/Groups
Step 1: Right-click the folder and select Properties.
Step 2: Go to the Security tab and click Edit.
Step 3: Click Add.
Step 4: Enter the name of the user or group, and click OK.
Step 5: Under the Permission for Users section, check the box under the Allow column for the Full Control permission.
Tips
Establish a secure installation with limited access to ensure data security and integrity.
Use a service account to start the activity, and grant Full Control only to the service account and, for backup purposes, an administrator account.