Installation folder privileges
To enhance the security of your ADAudit Plus installation, starting from build 7251, default access to the ADAudit Plus folder is limited to the user account used for installation and the SYSTEM, Administrators, and Domain Admins groups. However, to allow other users to start ADAudit Plus, you can follow the steps under Assign Modify permission to the ADAudit Plus folder for users starting the product.
If you are using an earlier build of ADAudit Plus, or if you have upgraded to build 7251 recently, there are two ways to safeguard the ADAudit Plus folder from unauthorized modifications:
Using SecureDeployment.exe
The SecureDeployment.exe file will strengthen the security of your ADAudit Plus installation by automatically:
- Preventing non-administrative groups from accessing the ADAudit Plus folder.
- Assigning the Modify permission to a selected user account.
- Configuring "Log On" account credentials if ADAudit Plus is installed as a service.
To run the SecureDeployment.exe file:
- Go to the <Installation_Directory>\ADAudit Plus\bin folder (if you have upgraded to build 7251 recently) and locate the SecureDeployment.exe file.
Note: If you are using an earlier build, download the SecureDeployment zip file, unzip it, and copy its contents to the <Installation_Directory>\ADAudit Plus\bin folder.
- Right-click the SecureDeployment.exe file and select Run as Administrator.
- Enter "1" and proceed with removing the permissions for the non-administrative groups, namely Authenticated Users, BUILTIN\Users, CREATOR OWNER, ALL RESTRICTED APPLICATION PACKAGES, ALL APPLICATION PACKAGES, TrustedInstaller, and Everyone.
- Once the permissions are removed, press any key to open the Select User or Group dialog box.
- Enter the name of the user that you want to assign the permission to start ADAudit Plus, and click Check Names to confirm the selection.
Note: If you have installed ADAudit Plus as a service with "Log On" account credentials, enter the username associated with that account.
- Click OK.
Note: If you want to assign the permission to start ADAudit Plus to multiple users, follow the steps under Assign Modify permission to the ADAudit Plus folder for users starting the product.
Modifying the permissions manually
If you do not want to use the SecureDeployment.exe file, you can strengthen the security of your ADAudit Plus installation by ensuring the following:
Disable Inheritance for the ADAudit Plus folder.
- Go to <Installation_Directory>\ManageEngine.
- Right-click the ADAudit Plus folder and select Properties.
- Click the Security tab and then click Advanced.
- In the Advanced Security Settings window, click Disable inheritance.
- Click OK.
Remove non-administrative groups from the ADAudit Plus folder's Access Control List.
- Go to <Installation_Directory>\ManageEngine.
- Right-click the ADAudit Plus folder and select Properties.
- Click the Security tab and then click Advanced.
- In the Advanced Security Settings window, under Permission entries, select the non-administrative users and groups, and click Remove.
- Click OK.
Assign Full control permission to the Domain Admins, Administrators, and SYSTEM groups.
- Go to <Installation_Directory>\ManageEngine.
- Right-click the ADAudit Plus folder and select Properties.
- Click the Security tab and then click Advanced.
- In the Permissions tab, click Add.
- Click the Select a principal link and add Domain Admins, Administrators, and SYSTEM groups.
- Click OK.
- Next to Type, select Allow, and next to Applies to, select This folder, subfolders, and files.
- Under Basic Permissions, check the Full control box.
- Click OK.
Assign Modify permission to the ADAudit Plus folder for users starting the product.
- Go to <Installation_Directory>\ManageEngine.
- Right-click the ADAudit Plus folder and select Properties.
- Click the Security tab and then click Advanced.
- In the Permissions tab, click Add.
- Click the Select a principal link, enter the name of the user that you want to assign the permission to start ADAudit Plus, and then click Check Names to confirm the selection.
- Click OK.
- Next to Type, select Allow and next to Applies to, select This folder, subfolders, and files.
- Under Basic Permissions, check the Modify box.
- Click OK.
Note: If the product is installed as a service with "Log On" account credentials, ensure this account has Modify permission.
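To confirm that the four manual steps above took effect, the following read-only PowerShell check compares the folder's ACL with the hardened state. It is an added example, not ManageEngine's own tooling; the install root C:\Program Files and the account CONTOSO\svc-adaudit are assumed sample values.

```powershell
# Added example: read-only audit of the ADAudit Plus folder ACL (uses Get-Acl only).
# $InstallRoot and the account name below are assumed sample values.
param(
    [string]$InstallRoot = 'C:\Program Files',
    [string[]]$ModifyAccounts = @('CONTOSO\svc-adaudit')  # hypothetical account
)
$fsr      = [System.Security.AccessControl.FileSystemRights]
$sidType  = [System.Security.Principal.SecurityIdentifier]
$folder   = Join-Path $InstallRoot 'ManageEngine\ADAudit Plus'
$acl      = Get-Acl -LiteralPath $folder
$findings = @()

# Resolve the permitted non-admin accounts to SIDs so comparisons do not depend on names.
$modifySids = @(foreach ($name in $ModifyAccounts) {
    ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value
})

# Inheritance must be disabled, otherwise parent ACEs flow back in.
if (-not $acl.AreAccessRulesProtected) {
    $findings += 'Inheritance is enabled on the folder'
}
$hasFull = @{}; $hasModify = @{}
foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $sid = $rule.IdentityReference.Value
    # SYSTEM, BUILTIN\Administrators, or a domain's Domain Admins group (RID 512).
    $isAdmin = ($sid -in 'S-1-5-18', 'S-1-5-32-544') -or ($sid -match '^S-1-5-21-[\d-]+-512$')
    if ($isAdmin) {
        if (($rule.FileSystemRights -band $fsr::FullControl) -eq $fsr::FullControl) { $hasFull[$sid] = $true }
    } elseif ($sid -in $modifySids) {
        if (($rule.FileSystemRights -band $fsr::Modify) -eq $fsr::Modify) { $hasModify[$sid] = $true }
    } else {
        $findings += "Unexpected Allow entry for $sid ($($rule.FileSystemRights))"
    }
}

foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
    if (-not $hasFull[$sid]) { $findings += "$sid lacks Full control" }
}
if (-not (@($hasFull.Keys) -match '-512$')) { $findings += 'Domain Admins lacks Full control' }
foreach ($sid in $modifySids) {
    if (-not $hasModify[$sid]) { $findings += "$sid lacks Modify" }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "ACL on '$folder' matches the hardened state"
}
```

Run it from an elevated session on the ADAudit Plus server; each warning corresponds to one of the manual steps that still needs to be applied.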
Exclude ADAudit Plus from antivirus and endpoint protection
To prevent any performance issues and to avoid potential disruptions to the ADAudit Plus database's (PostgreSQL) operation, it is essential to exclude certain directories from antivirus and endpoint protection on the ADAudit Plus server. This exclusion is crucial, as antivirus and endpoint protection solutions can sometimes falsely tag the database and other files within ADAudit Plus' installation directory as a threat or vulnerability.
The performance issues that you might face in ADAudit Plus due to antivirus and endpoint protection software include high latency when processing events and alerts, low throughput when adding data to the database or DataEngine, and corruption of database files.
For optimal performance, it is recommended that you exclude the directories used by java.exe and postgres.exe from antivirus and endpoint protection on the ADAudit Plus server. The directories that need to be excluded are listed below:
<Installation_folder>\ManageEngine\ADAudit Plus\index
<Installation_folder>\ManageEngine\ADAudit Plus\eventdata
<Installation_folder>\ManageEngine\ADAudit Plus\alertdata
<Installation_folder>\ManageEngine\ADAudit Plus\ehcache
<Installation_folder>\ManageEngine\ADAudit Plus\apps\dataengine-xnode\data
<Installation_folder>\ManageEngine\ADAudit Plus\pgsql
Note: The java.exe and postgres.exe processes are located, respectively, at:
<Installation_Directory>\ManageEngine\ADAudit Plus\jre\bin\java.exe
<Installation_Directory>\ManageEngine\ADAudit Plus\pgsql\bin\postgres.exe