Secure installation guide for DataSecurity Plus
Description
The DataSecurity Plus installation directory contains files the product needs to start and stop, including files that hold database configuration information and the license file. Secure the installation directory against tampering: unauthorized modification could lead to data theft, sensitive data exposure, and operational risks, and could render the product dysfunctional and unusable. By default, DataSecurity Plus is installed in the C:\Program Files\ManageEngine\DataSecurity Plus folder, and the files and folders in that installation directory grant Full Control access to non-admin users in the Authenticated Users group, which allows them to modify the content. To prevent this, implement the measures below based on your DataSecurity Plus installation build.
Note: Removing Authenticated Users from the access control list (ACL) won't help, as this will render them unable to start DataSecurity Plus as a service or application.
Solution
To prevent unauthorized access to the DataSecurity Plus installation directory, follow the steps below for your build version.
- For new DataSecurity Plus installations, builds 6126 and above
- For existing DataSecurity Plus installations, builds lower than 6126
1. For new DataSecurity Plus installations, builds 6126 and above
ⅰ For new installations of builds 6126 and above, only the following users and groups are provided with access to the installation directory to ensure file security and integrity:
- Local system account
- User account used for DataSecurity Plus installation
- Administrators group
- Domain Admins group
ⅱ Permissions are removed for the following groups and users:
- CREATOR OWNER
- BUILTIN\Users
- Authenticated Users
- ALL APPLICATION PACKAGES
- ALL RESTRICTED APPLICATION PACKAGES
ⅲ By default, inheritance will be disabled for the DataSecurity Plus folder.
Note: If the product is installed as a service, right-click ManageEngine DataSecurity Plus in the Windows Services application. Click Properties > Logon and make sure that the account configured has been assigned Full Control permission for the installation directory.
2. For existing DataSecurity Plus installations, lower than build 6126
Note: The instructions below apply only to users who installed DataSecurity Plus before build 6126 and have upgraded to the latest version by applying a service pack.
Unauthorized users can be prevented from accessing the DataSecurity Plus installation directory in two ways:
I. Run the setAppPermission.bat file
With this method, access to the installation directory is automatically restricted to only the necessary accounts. There are two ways to do this:
Option 1: Update to build 6126 or above. Navigate to the <Installation Directory>/bin folder (by default, C:\Program Files\ManageEngine\DataSecurity Plus\bin) and run the setAppPermission.bat file from an elevated Command Prompt.
Option 2: Download the zip file from this link. Extract the zip and move setAppPermission.bat to the <Installation Directory>/bin folder. Run the setAppPermission.bat file from an elevated Command Prompt.
II. Modify the required permissions manually
To modify access permissions on the DataSecurity Plus installation directory for unnecessary groups and user accounts manually, follow the steps below:
- Disable inheritance for the installation directory (by default, C:\Program Files\ManageEngine\DataSecurity Plus). Refer to the Appendix for step-by-step instructions.
- Remove access permissions for all unnecessary groups. Refer to the Appendix for step-by-step instructions.
- Provide Full Control permissions to the Local System Account and the Administrators Group for the product's installation directory. Refer to the Appendix for step-by-step instructions.
- Provide Modify permissions to the Domain Admins group for the product's installation directory. Refer to the Appendix for step-by-step instructions.
- Assign Full Control permission to users who can start or stop the product. Refer to the Appendix for step-by-step instructions.
- If the product is installed as a service, right-click ManageEngine DataSecurity Plus in the Windows Services application. Click Properties > Logon and make sure that the account configured has been assigned Full Control permission for the installation directory.
- Microsoft recommends that software be installed in the Program Files directory. Based on your specific needs or organizational policies, you can choose a different location.
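The manual steps above can also be scripted. The following PowerShell is an added example, not ManageEngine's setAppPermission.bat or any code shipped with the product; it assumes the default installation path, a domain logon session (so that `$env:USERDOMAIN\Domain Admins` resolves), and a hypothetical `$OperatorAccounts` list that you fill in with the accounts allowed to start or stop the product.

```powershell
# Added example: scripted equivalent of the manual steps. Run in an elevated PowerShell session.
# Assumptions: default install path; $OperatorAccounts is a hypothetical list you supply.
$ErrorActionPreference = 'Stop'
$InstallDir       = 'C:\Program Files\ManageEngine\DataSecurity Plus'
$OperatorAccounts = @()   # e.g. the service logon account, written as 'DOMAIN\user'

# Well-known SIDs keep the script independent of the Windows display language.
$removeSids = @(
    'S-1-3-0'       # CREATOR OWNER
    'S-1-5-32-545'  # BUILTIN\Users
    'S-1-5-11'      # Authenticated Users
    'S-1-15-2-1'    # ALL APPLICATION PACKAGES
    'S-1-15-2-2'    # ALL RESTRICTED APPLICATION PACKAGES
)
$grants = [ordered]@{
    'S-1-5-18'                      = 'FullControl'  # Local System account
    'S-1-5-32-544'                  = 'FullControl'  # Administrators group
    "$env:USERDOMAIN\Domain Admins" = 'Modify'       # assumes a domain logon session
}
foreach ($a in $OperatorAccounts) { $grants[$a] = 'FullControl' }

function ConvertTo-Sid([string]$Name) {
    # Accepts a SID string or an account name; throws if the name cannot be resolved.
    if ($Name -like 'S-1-*') { return [System.Security.Principal.SecurityIdentifier]$Name }
    ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}

# Resolve every identity first so an unresolvable name aborts before the ACL is touched.
$rules = foreach ($g in $grants.GetEnumerator()) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        (ConvertTo-Sid $g.Key), $g.Value, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

# Disable inheritance, keeping current entries as explicit ACEs; re-read so they can be purged.
$acl = Get-Acl -LiteralPath $InstallDir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $InstallDir -AclObject $acl
$acl = Get-Acl -LiteralPath $InstallDir

# Remove the unnecessary groups and set the required grants in a single write.
foreach ($s in $removeSids) { $acl.PurgeAccessRules((ConvertTo-Sid $s)) }
foreach ($r in $rules)      { $acl.SetAccessRule($r) }
Set-Acl -LiteralPath $InstallDir -AclObject $acl

# Verify: list the resulting ACEs and flag any group that should be gone.
$final = Get-Acl -LiteralPath $InstallDir
$final.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
$left = $final.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $removeSids -contains $_.IdentityReference.Value }
if ($left) { Write-Warning "Still present: $($left.IdentityReference.Value -join ', ')" }
```

Files and subfolders that inherit from the installation directory pick up the new entries automatically; any item with its own explicit entries is not changed by this script and should be reviewed separately.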
Appendix
Ⅰ Steps to disable inheritance
- Right-click the folder and select Properties.
- Go to the Security tab and click Advanced.
- Click Disable Inheritance.
- Click Apply and then OK.
Ⅱ Steps to remove unnecessary accounts from the ACL
- Right-click the folder and select Properties.
- Go to the Security tab and click Edit.
- Select the Authenticated Users group and click Remove.
- Click Apply and then OK.
Ⅲ To assign Full Control or Modify permissions to users
- Right-click the folder and select Properties.
- Go to the Security tab and click Edit.
- Click Add.
- Enter the name of the user or group and click OK.
- Under the Permission for User section, check the box in the Allow column for the Full Control or Modify permission.
- Click Apply and then OK.