This document describes steps to improve the security of your SharePoint Manager Plus instance in the scenarios listed below.
The SharePoint Manager Plus installation directory contains files the product needs in order to function, including the scripts used to start and stop the product and the license file. In older versions, SharePoint Manager Plus was installed by default in the C:\ManageEngine folder. On a client OS that folder inherits an entry granting the Authenticated Users group Modify permission on its subfolders and files, so any non-admin domain user can read the folder and modify or delete its contents, potentially making the product unusable or altering how it starts.
Simply removing Authenticated Users from the folder's Access Control List (ACL) is not a fix either: without any entry, those users can no longer start SharePoint Manager Plus as a service or as an application.
To overcome this issue, follow the steps outlined below based on where SharePoint Manager Plus is installed.
By default, the C: directory in a Windows client OS grants Authenticated Users the Modify permission on subfolders, whereas the C: directory in a Windows Server OS has no Authenticated Users entry in its ACL. The steps therefore differ depending on the OS on which SharePoint Manager Plus is installed.
a) If SharePoint Manager Plus is installed on a client OS:
b) If SharePoint Manager Plus is installed on a server OS:
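Whichever OS you are on, the end state is the same: no broad group (Authenticated Users, Users, Everyone) holds write access to the install tree, while users keep enough access to launch the product. The following PowerShell script is an added example, not part of the vendor documentation or the product. It audits the install directory for such entries and, optionally, replaces them with Read & Execute. It assumes the older default path below, that Read & Execute is sufficient for users to start the product, and that SYSTEM and Administrators keep Full Control through their own entries, which the script does not touch.

```powershell
# Added example, not part of the vendor documentation. It audits the product's installation
# directory for write access granted to broad groups and, optionally, replaces that access
# with Read & Execute so that non-admin users can still launch the product.
# Assumptions: the path below is the older default location; Read & Execute is sufficient for
# users to start the product; SYSTEM and Administrators keep Full Control through their own
# entries, which this script does not touch. Run from an elevated PowerShell session.
$InstallDir = 'C:\ManageEngine\SharePoint Manager Plus'

# Well-known principals whose write access to the install tree is undesirable.
$BroadGroups = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

# Any of these rights lets a user alter or delete product files.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Get-BroadWriteAce {
    # Returns the Allow ACEs on $Acl that give a broad group any write-class right.
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadGroups -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

function Protect-InstallDir {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from C:\ but copy the inherited entries first so they can be edited.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    $acl = Get-Acl -Path $Path
    # Materialise the list before removing, since removal changes $acl.Access.
    foreach ($ace in @(Get-BroadWriteAce -Acl $acl)) {
        $null = $acl.RemoveAccessRule($ace)
    }
    # Re-grant read-only access so users can still read and execute the product binaries.
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users',
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($readOnly)
    Set-Acl -Path $Path -AclObject $acl
}

# Audit first; the output should be empty on a hardened install.
Get-BroadWriteAce -Acl (Get-Acl -Path $InstallDir) |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# Uncomment to apply the fix:
# Protect-InstallDir -Path $InstallDir
```

Run the audit before and after applying the change, then confirm that the product still starts both as a service and from the Start menu for a non-admin user. On a server OS the audit is normally already empty, which matches the note above that the C: directory there carries no Authenticated Users entry.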
If the default admin password of SharePoint Manager Plus is left unchanged, anyone who knows the default password can log in to the product, view information about your SharePoint objects, and make malicious changes to your SharePoint environment.
We recommend changing the default admin password at the latest before you move from evaluation to production deployment. You can change the default password in the My Account section found in the top-right corner of the product's web console.
SharePoint Manager Plus supports multi-factor authentication (MFA) and IP restrictions, and can lock out a user after repeated invalid passwords, to secure the logon process and prevent unauthorized users from logging in. Click the links below for steps to configure each of these options.
This option lets you view and configure the various security-related settings of the product from a single location. To help you gauge how secure your SharePoint Manager Plus instance is, a Product Security Hardening score, calculated from the impact of each security setting that has been configured, is displayed on the right side of the dashboard.
The following security configurations are available to harden SharePoint Manager Plus:
Change Default Admins Password: Replace the default password with a strong one so that the Admin account cannot be accessed with a known default.
Enforce HTTPS: Require an encrypted connection between web browsers and the SharePoint Manager Plus web server.
Enable Multi-factor Authentication: Add an extra layer of security to the SharePoint Manager Plus login. Choose from the available authentication options, such as email verification, SMS verification, Google Authenticator, Duo Security, and more.
Enable IP Restriction: Allow requests only from known or authorized sources, or block requests from unauthorized sources.
Block Invalid Login Attempts: Lock a technician's account once a specified number of consecutive unsuccessful login attempts have been made.
Enforce Secure LDAP: Protect the LDAP connection between the SharePoint Manager Plus server and Active Directory with SSL/TLS (LDAPS).
Auto-Install Hotfixes: Install hotfixes automatically so that fixes for critical vulnerabilities are applied as soon as they are released.
Enforce Secure TLS: Disable the older TLS versions 1.0 and 1.1 so that only current TLS versions are accepted.
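Two of these settings, Enforce HTTPS and Enforce Secure TLS, can be verified from the outside rather than only from the product's own dashboard. The PowerShell script below is an added example, not part of the vendor documentation or the product: it attempts a handshake with each TLS version against the product's HTTPS port and checks whether the plain-HTTP port answers with a redirect to HTTPS. The host name and port numbers are placeholders for your deployment; take the real ports from the product's connection settings.

```powershell
# Added example, not part of the vendor documentation. It checks two of the hardening settings
# from a client machine: which TLS versions the SharePoint Manager Plus web server still
# accepts, and whether the plain-HTTP port redirects to HTTPS (or is closed).
# Assumptions: host name and ports are placeholders; the product's real ports come from its
# connection settings, not from this script.
$Server    = 'spmp.example.local'
$HttpsPort = 8443
$HttpPort  = 8085

function Test-TlsVersion {
    # Attempts a handshake restricted to one protocol version and reports whether it succeeded.
    param(
        [string]$ComputerName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is skipped on purpose: the question here is only whether the
        # server agrees to this protocol version, not whether its certificate chain is trusted.
        $ignoreCert = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $ignoreCert)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{ Requested = $Protocol; Accepted = $true;  Negotiated = $ssl.SslProtocol }
    } catch {
        [pscustomobject]@{ Requested = $Protocol; Accepted = $false; Negotiated = $null }
    } finally {
        $client.Dispose()
    }
}

function Test-HttpsRedirect {
    # Requests the HTTP port without following redirects and reports where it points.
    param([string]$ComputerName, [int]$Port)
    $req = [System.Net.HttpWebRequest]::Create("http://${ComputerName}:${Port}/")
    $req.AllowAutoRedirect = $false
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # 4xx/5xx answers are raised as exceptions; still read their status and headers.
            $status   = [int]$_.Exception.Response.StatusCode
            $location = $_.Exception.Response.Headers['Location']
        } else {
            # No plaintext listener answered (connection refused or timed out), so nothing
            # can be downgraded to HTTP from here; report that as enforced.
            return [pscustomobject]@{ Status = $null; Location = $null; HttpsEnforced = $true; Note = $_.Exception.Message }
        }
    }
    [pscustomobject]@{
        Status        = $status
        Location      = $location
        HttpsEnforced = ($status -ge 300 -and $status -lt 400 -and "$location" -like 'https://*')
        Note          = $null
    }
}

# Expected on a hardened instance: Tls and Tls11 rejected, Tls12 accepted.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -ComputerName $Server -Port $HttpsPort -Protocol $p
}
Test-HttpsRedirect -ComputerName $Server -Port $HttpPort
```

Run this from a machine whose own Schannel configuration still permits TLS 1.0 and 1.1 on the client side; if the client cannot offer a version, the handshake fails for that reason and the result says nothing about the server. A result showing TLS 1.0 or 1.1 accepted means Enforce Secure TLS has not taken effect, and an HTTP response that is not a redirect to an https:// URL means Enforce HTTPS is not in place.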