Guide to enhance the protection for SharePoint Manager Plus installation
This document provides the steps to improve the security of your SharePoint Manager Plus instance for specific scenarios mentioned below.
Preventing Authenticated Users from tampering with the SharePoint Manager Plus bin folder.
The SharePoint Manager Plus installation directory contains important files required for it to function properly, including files that are used to start and stop the product and the license file. In older versions, SharePoint Manager Plus will be installed in the C:\ManageEngine folder. This will grant even non-admin users belonging to the Authenticated Users group Full Control permission over the files and folders in the product's installation directory, meaning any domain user can access the folder and modify its contents, potentially making the product unusable.
Simply removing Authenticated Users from the Access Control List (ACL) won't help, as this will render them unable to even start SharePoint Manager Plus as a service or application.
Solution
To overcome this issue, follow the steps outlined below based on where SharePoint Manager Plus is installed.
- If SharePoint Manager Plus is installed in C:\ManageEngine folder
- If SharePoint Manager Plus is installed in C:\Program Files folder
i. Steps to perform if SharePoint Manager Plus is installed in the C:\ManageEngine folder.
By default, the C: directory in a Windows Client OS has Authenticated Users with the Modify permission for subfolders. However, the C: directory in a Windows Server OS does not have Authenticated Users in its ACL. So, based on the OS in which SharePoint Manager Plus is installed, the steps may vary.
- If SharePoint Manager Plus is installed in a client OS
- If SharePoint Manager Plus is installed in a server OS
a) If SharePoint Manager Plus is installed in a client OS:
- Disable Inheritance for the C:\ManageEngine\SharePoint Manager Plus folder. Refer to the Appendix below for step-by-step instructions.
- Remove Authenticated Users from the folder's ACL. Refer to the Appendix for step-by-step instructions.
- Remove the Authenticated Users permission for the folders listed below from the product's installation directory.
- bin\licenses
- temp
- webapps\spmp
- ES\temp
- lib\license
- Assign the Modify permission for the C:\ManageEngine\SharePoint Manager Plus folder to users who can start the product. Refer to the Appendix for step-by-step instructions.
- If the product is installed as a service, make sure that the account is configured under the Log On tab of the service’s properties has been assigned the Modify permission for the folder.
b. If SharePoint Manager Plus is installed in a server OS:
- Remove the Authenticated Users permission for the folders listed below from the product's installation directory.
- bin\licenses
- temp
- webapps\spmp
- ES\temp
- lib\license
- Assign the Modify permission for the C:\ManageEngine\SharePoint Manager Plus folder to users who can start the product. Refer to the Appendix for step-by-step instructions.
- If the product is installed as a service, make sure that the account is configured under the Log On tab of the service’s properties has been assigned the Modify permission for the folder.
ii. Steps to perform if SharePoint Manager Plus is installed in C:\Program Files folder
- Remove the Authenticated Users permission for the folders listed below from the product's installation directory. Refer to the Appendix for step-by-step instructions.
- bin\licenses
- temp
- webapps\spmp
- ES\temp
- lib\license
- Assign the Modify permission for the C:\Program Files\SharePoint Manager Plus folder to users who have can start the product. Refer to the Appendix for step-by-step instructions.
- If the product is installed as a service, make sure that the account is configured under the Log On tab of the service’s properties has been assigned the Modify permission for the folder.
- Microsoft recommends that software be installed in the Program Files directory. Based on your specific needs or organizational policies, you can choose a different location.
- The steps mentioned in this guide are applicable to all ManageEngine products installed in the C:\ManageEngine folder by default
Change default admin password of SharePoint Manager Plus
Why should you do this?
If the default admin password of SharePoint Manager Plus is not changed, there are chances that anyone who is aware of the default password might use it to log into the product, and perform malicious changes in your SharePoint or view information about SharePoint objects.
What can you do to address this situation?
We recommend that you change the default admin password, at least before you move to the deployment phase from the evaluation phase, for security reasons. You can change the default password in the My Account section found in the top right corner of the product's web-console.
Additional security for SharePoint Manger Plus logins
SharePoint Manager Plus supports multi-factor authentication (MFA), IP restrictions, and also allows you to block users in case of bad passwords, to enhance the security for user logon process and prevent unauthorized users from logging in. Click the links below for steps to configure the various options to secure the logon process for your users.
Security Hardening
This option allows you to view and configure the various security related settings that enhance the product security, from a single location. To help you easily ascertain how secure your SharePoint Manager Plus instance is, a Product Security Hardening score calculated based on the impact of each security setting that is configured is displayed on the right side of the dashboard.
The following security configurations are available to harden the security of SharePoint Manager Plus:
Change Default Admins Password: Changing the default password and using a strong one will strengthen the password of the Admin account, and ensure it is not compromised
Enforce HTTPs: Establish a secure connection between the web browsers and the SharePoint Manager Plus web server.
Enable Multi-factor Authentication: Use this setting to add an extra layer of security while logging into SharePoint Manager Plus. Choose from the set of authentication options available like email verification, SMS verification, Google Authentication, Duo Security, and more.
Enable IP Restriction: Allowing communication from only known or authorized sources, or blocking requests from unauthorized sources.
Block Invalid Login Attempts: Block a particular technician's account, once a specific number of consecutive unsuccessful login attempts have been made.
Enforce Secure LDAP: Secure the LDAP connection between SharePoint Manager Plus server and AD with SSL.
Auto-Install Hotfixes: Configure automatic hotfix updates and fix critical vulnerabilities instantaneously.
Enforce Secure TLS: Ensure older TLS versions like v1.0, v1.1 are disabled.
Steps to configure security hardening settings in SharePoint Manager Plus:
- Login to SharePoint Manager Plus console and navigate to the Admin tab.
- On the left pane, under General Settings, click on Security and Privacy.
- Navigate to Security Hardening and configure the respective security settings using the buttons available next to them.
- Enable the Don't show alerts even if the recommended settings are not configured option to hide alerts on security hardening, regardless of the state of the recommended settings.
Appendix
Steps to disable inheritance
- Right-click the folder and select Properties.
- Go to the Security tab and click Advanced.
- Click Disable inheritance.
- Click Apply and OK.
Steps to remove Authenticated Users
- Right-click the folder and select Properties.
- Go to the Security tab and click Edit.
- Select the Authenticated Users group and click Remove.
- Click Apply and OK.
Steps to assign the Modify permission
- Right-click the folder and select Properties.
- Go to the Security tab and click Edit.
- Click Add.
- Enter the name of the user or group and click OK.
- In the Permissions for Users section, in the Allow column, check the box to allow the Modify permission.
- Click Apply and OK.