Planning For Security: Microsoft Dynamics GP 2015
Planning For Security: Microsoft Dynamics GP 2015
Limitation of liability This document is provided “as-is”. Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. You bear the risk of using
it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
Intellectual property This document does not provide you with any legal rights to any intellectual property in any
Microsoft product.
You may copy and use this document for your internal, reference purposes.
Trademarks Microsoft, Active Directory, Dexterity, Excel, Microsoft Dynamics, SQL Server, Visual Basic,
Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of
companies. FairCom and c-tree Plus are trademarks of FairCom Corporation and are registered in
the United States and other countries.
Warranty disclaimer Microsoft Corporation disclaims any warranty regarding the sample code contained in this
documentation, including the warranties of merchantability and fitness for a particular purpose.
License agreement Use of this product is covered by a license agreement provided with the software product. If you
have any questions, please call the Microsoft Dynamics GP Customer Assistance Department at
800-456-0025 (in the U.S. or Canada) or +1-701-281-6500.
ii P L A N N I N G F O R S EC U R I T Y
Introduction
Use the information in this document to help you plan for security within Microsoft
Dynamics® GP.
Most organizations plan for external attacks and construct firewalls, but many
companies do not consider how to mitigate a security breach once a malicious user
gets inside the firewall. Security measures in your organization’s environment will
work well if users are not required to perform too many procedures and steps to
conduct business in a secure manner. Implementing security policies should be as
easy as possible for users or they will tend to find less secure ways of doing things.
Since the size of Microsoft Dynamics GP implementations can vary a great deal, it is
important to carefully consider the needs of a smaller business and to weigh the
effectiveness of security against the costs that may be involved. Use your best
judgment to recommend a policy that helps to meet security needs.
Symbol Description
The light bulb symbol indicates helpful tips, shortcuts and
suggestions.
This document uses the following conventions to refer to sections, navigation and
other information.
Convention Description
Creating a batch Italicized type indicates the name of a section or procedure.
File >> Print or File > The (>>) or (>) symbol indicates a sequence of actions, such as
Print selecting items from a menu or toolbar, or pressing buttons in
a window. This example directs you to go to the File menu and
choose Print.
TAB or ENTER All capital letters indicate a key or a key sequence.
Contents
Opens the Help file for the active Microsoft Dynamics GP component, and displays
the main “contents” topic. To browse a more detailed table of contents, click the
Contents tab above the Help navigation pane. Items in the contents topic and tab
are arranged by module. If the contents for the active component includes an
“Additional Help files” topic, click the links to view separate Help files that
describe additional components.
To find information in Help by using the index or full-text search, click the
appropriate tab above the navigation pane, and type the keyword to find.
To save the link to a topic in the Help, select a topic and then select the Favorites tab.
Click Add.
Index
Opens the Help file for the active Microsoft Dynamics GP component, with the
Index tab active. To find information about a window that’s not currently displayed,
type the name of the window, and click Display.
2 P L A N N I N G F O R S EC U R I T Y
About this window
Displays overview information about the current window. To view related topics
and descriptions of the fields, buttons, and menus for the window, choose the
appropriate link in the topic. You also can press F1 to display Help about the current
window.
Lookup
Opens a lookup window, if a window that you are viewing has a lookup window.
For example, if the Checkbook Maintenance window is open, you can choose this
item to open the Checkbooks lookup window.
Printable Manuals
Displays a list of manuals in Adobe Reader .pdf format, which you can print or
view.
What’s New
Provides information about enhancements that were added to Microsoft Dynamics
GP since the last major release.
To send comments about specific topics from within Help, click the Documentation
Feedback link, which is located at the bottom of each Help topic.
Note: By offering any suggestions to Microsoft, you give Microsoft full permission to use
them freely.
Microsoft SQL Server 2012 encrypt the pre-login credential exchange by default, but
to encrypt the entire session of communication between SQL Server and Microsoft
Dynamics GP, you will need to follow the instructions in the Microsoft SQL Server
2012 Books Online manual or the Microsoft SQL Server 2014 Books Online manual.
For more information about securing your network, refer to the following Web
sites:
• Use the Windows Update tool provided with Windows Vista®, Windows 7,
Windows 8, Windows Server 2008, and Windows Server 2012 to maintain the
most current security patches.
Physical security
Physical security represents the best place to start preventing malicious attacks. For
example, if a hard disk drive is stolen, eventually the data on that drive will be
stolen, as well. Discuss the following physical security issues when developing a
policy with users:
• Keep unauthorized users away from the power and reset switches on the server.
• Ensure that burglar alarms are installed, regardless of how sensitive the data is.
• Ensure that backups of critical data are stored offsite and that software is stored
in fire and waterproof containers when not in use.
Employees
It is a good idea to limit administrative rights across all products and features. By
default, you should give employees read-only access to system functions, unless
they require greater access to perform their jobs. We recommend following the
principle of least privilege: give users only the minimum privileges required to
access data and functionality. For example, avoid requiring administrative rights to
run features.
• Make sure that you inactivate all associated Windows accounts and passwords
when an employee leaves. For reporting purposes, do not delete users.
6 P L A N N I N G F O R S EC U R I T Y
• Train users to be alert and to report suspicious activity.
System administrators
We highly recommend that system administrators keep up with the latest security
fixes available from Microsoft. Hackers are very adept at combining small bugs to
enable large intrusions into a network. Administrators should first ensure that each
individual computer is as secure as possible, and then add security updates and
patches. To that end, many links and resources are provided throughout this guide
to help in finding security-related information and best practices.
Complexity introduces another set of tradeoffs for securing your network. The more
complex the network, the more difficult it will be to secure or fix it once an intruder
has successfully gained access. The administrator should document the network
topography thoroughly, and work toward keeping it as simple as possible.
Also, develop contingency plans for emergencies before they happen and combine
thorough planning with solid technology. For more information about general
security, see “The Ten Immutable Laws of Security Administration,” located at
http://www.microsoft.com/technet/archive/community/columns/security/
essays/10salaws.mspx.
For many organizations, patch management will form a part of their overall change
and configuration management strategy. However, whatever the nature and size of
In the Windows environment, you must ensure that you have the most recent
security patches throughout your system. To ease this task, you should consider
using the technologies that Microsoft has made available. These include:
8 P L A N N I N G F O R S EC U R I T Y
Microsoft System Center Configuration Manager System Center
Configuration Manager comprehensively assesses, deploys, and updates servers,
client computers, and devices—across physical, virtual, distributed, and mobile
environments. For more information, see http://technet.microsoft.com/en-us/
library/gg682129.aspx.
We recommend that you consider each of these security tools and encourage their
use. It is very important that security issues are addressed as quickly as possible,
while maintaining the stability of the environment.
For additional information for Windows Server 2008 R2 security, see http://
technet.microsoft.com/en-us/windowsserver/bb310558.aspx. For additional
information for Windows Server 2012 security, see http://technet.microsoft.com/
en-us/windowsserver/hh534429.
The most important features of the Windows server security model are
authentication, access control, and single sign-on, as described below.
• Single sign-on allows a user to log in to the Windows domain once, using a
single password, and authenticate to any computer in the Windows domain.
Single sign-on enables administrators to implement secure password
authentication across the Windows network, while providing end users with
ease of access.
Authentication
Authentication is a fundamental aspect of system security. It confirms the identity
of any user trying to log in to a domain or access network resources. The weak link
in any authentication system is the user’s password.
Passwords provide the first line of defense against unauthorized access to the
domain and local computers. We recommend using password best practices, where
appropriate, for your organization. For more information, refer to Password
protection on page 12, Strong passwords on page 12, and Defining the password policy
on page 14.
Password protection
It always is important that users use passwords and follow these password
recommendations.
• Always require strong passwords. For more information, see Strong passwords
on page 12.
• Be careful about where passwords are saved on computers. Some dialog boxes,
such as those for remote access and other telephone connections, present an
option to save or remember a password. Selecting this option poses a potential
security threat because the password is stored in the system registry.
Strong passwords
The role that passwords play in securing an organization’s network is often
underestimated and overlooked. As mentioned, passwords provide the first line of
defense against unauthorized access to your organization. Windows Server 2012
and Windows Server 2008 have a feature that checks the complexity of the
password for the Administrator account during the setup of the operating system. If
the password is blank or does not meet complexity requirements, the Windows
Setup dialog box appears, warning of the dangers of not using a strong password
for the Administrator account.
In a workgroup environment, a user will not be able to access a computer over the
network using an account with a blank password. Weak passwords provide
attackers with easy access to computers and the network, while strong passwords
are considerably harder to crack, even with the password-cracking software that is
available today.
12 P L A N N I N G F O R S EC U R I T Y
Password-cracking tools continue to improve, and the computers used to crack
passwords are more powerful than ever. Password-cracking software uses one of
three approaches: intelligent guessing, dictionary attacks, and brute-force
automated attacks that try every possible combination of characters. Given enough
time, the automated method can crack any password. However, strong passwords
are much harder to crack than weak passwords. A secure computer has strong
passwords for all user accounts.
A weak password
• Is no password at all.
A strong password
• Does not contain the user’s name, real name, or company name.
• Contains characters from each of the four groups listed in the following table.
Group Example
Uppercase letters ABCD
Lowercase letters abcd
Numerals 01234
Symbols ‘~@#$%^&*()_+-={}[]\:“;<>?,./
A password can meet most of the criteria of a strong password but still be rather
weak. For example, Hello2U! is a relatively weak password even though it meets
most of the criteria for a strong password and also meets the complexity
requirements of password policy. H!elZl2o is a strong password because the
dictionary word is interspersed with symbols, numbers, and other letters. It is
important to educate all users about the benefits of using strong passwords and to
teach them how to create passwords that are actually strong.
Passwords can be created containing characters from the extended ASCII character
set. Using extended ASCII characters increases the number of characters that users
can choose when they create passwords. As a result, it might take more time for
password-cracking software to crack passwords that contain these extended ASCII
characters than it does to crack other passwords. Before using extended ASCII
characters in a password, test them thoroughly to make sure that passwords
containing extended ASCII characters are compatible with other applications that
the organization uses. Be especially cautious about using extended ASCII characters
in passwords if the organization uses several different operating systems.
Examples of passwords that contain characters from the extended ASCII character
set are kUµ!0o and Wf©$0k#"g¤5ªrd.
• Define the Enforce password history policy setting so that several previous
passwords are remembered. With this policy setting, users cannot use the same
password when their password expires.
• Define the Maximum password age policy setting so that passwords expire as
often as necessary for the client’s environment, typically, every 30 to 90 days.
• Define the Minimum password age policy setting so that passwords cannot be
changed until they are more than a certain number of days old. This policy
setting works in combination with the Enforce password history policy setting.
If a minimum password age is defined, users cannot repeatedly change their
passwords to get around the Enforce password history policy setting and then
use their original passwords. Users must wait the specified number of days to
change their passwords.
• Enable the Password must meet complexity requirements policy setting. This
policy setting checks all new passwords to ensure that they meet basic strong
password requirements. For a full list of these requirements, see “Password
Must Meet Complexity Requirements” in Windows Server Online Help.
14 P L A N N I N G F O R S EC U R I T Y
If you decide to apply account lockout policy, set the Account lockout threshold
policy setting to a high enough number that authorized users are not locked out of
their user accounts simply because they type a password incorrectly.
Authorized users can be locked out if they change their passwords on one
computer, but not on another computer. The computer that is still using the old
password will continuously attempt to authenticate the user with the old password,
and it will eventually lock out the user account. This might be a costly consequence
of defining account lockout policy, because the authorized users cannot access
network resources until their accounts are restored. This issue does not exist for
organizations that use only domain controllers that are members of Windows
Server family.
You can search Windows Server Help for information about account lockout policy
and how to apply or modify the account lockout policy.
Access control
A Windows network and its resources can be secured by considering what rights
that users, groups of users, and other computers have on the network. You can
secure a computer or multiple computers by granting users or groups specific user
rights. You can secure an object, such as a file or folder, by assigning permissions to
allow users or groups to perform specific actions on that object. The following key
concepts make up access control:
• Permissions
• Ownership of objects
• Inheritance of permissions
• User rights
• Object auditing
Permissions
Permissions define the type of access granted to a user or group for an object or
object property such as files, folders, and registry objects. Permissions are applied to
any secured objects such as files or registry objects. Permissions can be granted to
any user, group, or computer. It is a good practice to assign permissions to groups.
Ownership of objects
When a member of the Administrators group creates an object in Windows Server,
the Administrators group becomes the owner, rather than the individual account
that created the object. This behavior can be changed through the Local Security
Settings Microsoft Management Console (MMC) snap-in, using the setting System
objects: Default owner for objects created by members of the Administrators group.
No matter what permissions are set on an object, the owner of the object can always
change the permissions on an object. For more information, see “Manage Object
Ownership” in Windows Server 2012 Online Help.
Inheritance of permissions
Inheritance allows administrators to easily assign and manage permissions. This
feature automatically causes objects within a container to inherit all the inheritable
permissions of that container. For example, the files within a folder, when created,
inherit the permissions of the folder. Only permissions marked to be inherited will
be inherited.
Object auditing
You can audit users’ access to objects. You can then view these security-related
events in the security log using the Event Viewer. For more information, see
“Auditing” in Windows Server Online Help.
• Use Deny permissions for certain special cases. For instance, you can use Deny
permissions to exclude a subset of a group that has Allow permissions. Use
Deny permissions to exclude one special permission when you have already
granted full control to a user or group.
• Never deny the Everyone group access to an object. If you deny everyone
permission to an object, that includes administrators. A better solution would
be to remove the Everyone group, as long as you give other users, groups, or
computers permissions to that object.
• Assign permissions to an object as high on the tree as possible and then apply
inheritance to propagate the security settings through the tree. You can quickly
and effectively apply access control settings to all children or a subtree of a
parent object. By doing this, you gain the greatest breadth of effect with the least
effort. The permission settings that you establish should be adequate for the
majority of users, groups, and computers.
• For permissions on Active Directory® objects, be sure that you understand the
best practices specific to Active Directory objects. For more information, search
for “Active Directory objects” in Windows Server 2012 Online Help.
Single sign-on
A key feature of Windows Server family authentication is its support of single sign-
on. Single sign-on allows a user to log in to the Windows domain once, using a
single password, and authenticate to any computer in the Windows domain
without having to reenter that password.
Single sign-on provides two main security benefits. For a user, the use of a single
password or smart card reduces confusion and improves work efficiency. For
administrators, the amount of administrative support required for domain users is
reduced, because the administrator needs to manage only one account per user.
16 P L A N N I N G F O R S EC U R I T Y
Authentication, including single sign-on, is implemented as a two-part process:
interactive logon and network authentication. Successful user authentication
depends on both of these processes. For more information about how to configure
the Windows single sign-on feature, see Windows Server Online Help.
If the firewall is configured to accept the specified protocol through the targeted
port, the packet is allowed through.
ISA Server
Internet Security and Acceleration (ISA) Server securely routes requests and
responses between the Internet and client computers on the internal network.
ISA Server acts as the secure gateway to the Internet for clients on the local network.
The ISA Server computer is transparent to the other parties in the communication
path. The Internet user should not be able to tell that a firewall server is present,
unless the user attempts to access a service or go to a site where the ISA Server
computer denies access. The Internet server that is being accessed interprets the
requests from the ISA Server computer as if the requests originated from the client
application.
• Be sure that the latest operating system and SQL Server service packs and
updates are installed. For the latest details, see the Microsoft Security & Privacy
Web site (http://www.microsoft.com/security/default.asp).
• For file system-level security, be sure that all SQL Server data and system files
are installed on NTFS partitions. You should make the files accessible only to
administrative or system-level users through NTFS permissions. This will
• Use a low-privilege domain account or the LocalSystem account for SQL Server
service (MSSQLSERVER). This account should have minimal rights in the
domain and should help contain - but not stop - an attack to the server in case of
compromise. In other words, this account should have only local user-level
permissions in the domain. If SQL Server is using a domain administrator
account to run the services, a compromise of the server will lead to a
compromise of the entire domain. To change this setting, use SQL Server
Management Studio. The access control lists (ACLs) on files, the registry, and
user rights will be changed automatically.
For the most up-to-date SQL Server security information for SQL Server 2012 or
SQL Server 2014, see http://www.microsoft.com/en-us/server-cloud/solutions/
data-security-compliance.aspx.
18 P L A N N I N G F O R S EC U R I T Y
Chapter 3: Network security
Use the following information to learn more about keeping your network secure.
The illustration below shows a perimeter network bounded by firewalls and placed
between a private network and the Internet in order to secure the private network.
Application Gateways Application gateways are used when the actual content
of an application is of greatest concern. That they are application-specific is both
their strength and their limitation, because they do not adapt easily to changes in
technology.
Proxy Servers Proxy servers are comprehensive security tools, which include
firewall and application gateway functionality, that manage Internet traffic to and
from a LAN. Proxy servers also provide document caching and access control. A
proxy server can improve performance by caching and directly supplying
frequently requested data, such as a popular Web page. A proxy server can also
filter and discard requests that the owner does not consider appropriate, such as
requests for unauthorized access to proprietary files.
Be sure to take advantage of firewall security features that can help your
organization. Position a perimeter network in the network topology at a point
where all traffic from outside the corporate network must pass through the
perimeter maintained by the external firewall. You can fine-tune access control for
the firewall to meet your organization’s needs and you can configure firewalls to
report all attempts at unauthorized access.
To minimize the number of ports that you need to open on the inner firewall, you
can use an application layer firewall, such as ISA Server.
For more information about TCP/IP and how to design a TCP/IP network, search
the TechNet Library located at http://technet.microsoft.com/en-us/library/
default.aspx.
Wireless networks
By default, wireless networks are typically configured in a manner that allows
eavesdropping on the wireless signals. They can be vulnerable to a malicious
outsider gaining access because of the default settings on some wireless hardware,
the accessibility that wireless networks offer, and present encryption methods.
There are configuration options and tools that can protect against eavesdropping,
but keep in mind that they do nothing to protect the computers from hackers and
viruses that enter through the Internet connection. Therefore, it is extremely
important to include a firewall to protect the computers from unwanted intruders
on the Internet.
For more information about protecting a wireless network, see “How to Make your
802.11b Wireless Home Network More Secure,” located at: http://
support.microsoft.com/default.aspx?scid=kb;en-us;309369.
20 P L A N N I N G F O R S EC U R I T Y
Network security scenarios
The level of network security that your organization requires will depend on
several factors. It usually comes down to a compromise between budget and the
need to keep the corporate data safe. It is possible for a small company to provide a
very complex security structure that will provide the highest level of network
security possible, but a small company may not be able to afford that level of
security. In this section, we will review four scenarios and make recommendations
in each that will provide varying levels of security at a relative cost.
This single firewall solution is more secure than an entry-level firewall appliance
and provides Windows-specific security services.
One Existing Firewall If you have an existing firewall that separates your
intranet from the Internet, you may want to consider an additional firewall that
provides multiple ways to configure internal resources to the Internet.
One such method is Web publishing. This is when an ISA Server is deployed in
front of an organization’s Web server that is providing access to Internet users. With
incoming Web requests, ISA Server can impersonate a Web server to the outside
world, fulfilling client requests for Web content from its cache. ISA Server forwards
requests to the Web server only when the requests cannot be served from its cache.
22 P L A N N I N G F O R S EC U R I T Y
Another method is server publishing. ISA Server allows publishing internal servers
to the Internet without compromising the security of the internal network. You can
configure Web publishing and server publishing rules that determine which
requests should be sent to a server on the local network, providing an increased
layer of security for the internal servers.
This scenario is similar to the preceding scenario after the second firewall is added.
The only difference is that the internal firewall that supports reverse proxy is not an
ISA Server. In this scenario, you should work closely with the managers of each
firewall to define server publishing rules that adhere to the security policy.
24 P L A N N I N G F O R S EC U R I T Y
Chapter 4: Virus protection
Use the following information to learn about the different types of computer viruses
and what you can do to help keep the computers within your company from being
infected by a computer virus.
• Overview of viruses
• Types of viruses
Overview of viruses
A computer virus is an executable file that is designed to replicate itself, erase or
corrupt data files and programs, and avoid detection. In fact, viruses are often
rewritten and adjusted so that they cannot be detected. Viruses are often sent as e-
mail attachments. Antivirus programs must be updated continuously to look for
new and modified viruses. Viruses are the number one method of computer
vandalism.
Antivirus software is specifically designed for the detection and prevention of virus
programs. Because new virus programs are created all the time, many makers of
antivirus products offer periodic updates of their software to customers. Microsoft
strongly recommends implementing antivirus software in your organization’s
environment.
Virus software is usually installed at each of these three places: user workstations,
servers, and the network where e-mail comes into (and in some cases, leaves) the
organization.
For more information about viruses and computer security in general, refer to the
following Microsoft Security Web sites:
Types of viruses
There are four main types of viruses that infect computer systems: boot-sector
viruses, file-infecting viruses, Trojan horse programs, and macro viruses.
Boot-Sector viruses When a computer starts, it scans the boot sector of the
hard disk before loading the operating system or any other startup files. A boot-
sector virus is designed to replace the information in the hard disk’s boot sectors
with its own code. When a computer is infected with a boot-sector virus, the virus’
code is read into memory before anything else. After the virus is in memory, it can
replicate itself onto any other disks that are in use in the infected computer.
Some file-infecting viruses are designed for specific programs. Program types that
are often targeted are overlay (.ovl) files and dynamic-link library (.dll) files.
Although these files are not run, executable files call them. The virus is transmitted
when the call is made.
Damage to data occurs when the virus is triggered. A virus can be triggered when
an infected file is run or when a particular environment setting is met (such as a
specific system date).
Trojan horse programs A Trojan horse program is not really a virus. The key
distinction between a virus and a Trojan horse program is that a Trojan horse
program does not replicate itself; it only destroys information on the hard disk. A
Trojan horse program disguises itself as a legitimate program, such as a game or
utility. When it’s run, though, it can destroy or scramble data.
Macro viruses A macro virus is a type of computer virus that’s stored in a macro
within a file, template, or add-in. The spread of a macro virus can be prevented.
Here are some tips to avoid infection that you should share with your organization.
• Install a virus protection solution that scans incoming messages from the
Internet for viruses before the messages pass the router. This will ensure that e-
mails are scanned for known viruses.
• Know the source of the documents that are received. Documents should not be
opened unless they are from someone that the user feels is trustworthy.
• Talk to the person who created the document. If the users are at all unsure
whether the document is safe, they should contact the person who created the
document.
• Use the Microsoft Office macro virus protection. In Office, the applications alert
the user if a document contains macros. This feature allows the user to either
enable or disable the macros as the document is opened.
• Set the macro security level of Microsoft Office files to High or Medium and use
digital signatures. A digital signature is an electronic, encryption-based, secure
stamp of authentication on a macro or document. This signature confirms that
the macro or document originated from the signer and has not been altered. For
more information about Microsoft Office security features, visit the Microsoft
Office Online Web site (http://office.microsoft.com/en-us/default.aspx).
26 P L A N N I N G F O R S EC U R I T Y
Chapter 5: Microsoft Dynamics GP security
Microsoft Dynamics GP provides several types of security. The following
information is an overview of the security features in Microsoft Dynamics GP.
The Microsoft Dynamics GP System Setup manual can be accessed by choosing the
Printable Manuals option from the Microsoft Dynamics GP Help menu, or by
downloading it from the CustomerSource Web Site.
Microsoft Dynamics GP uses Microsoft SQL Server fixed and database roles for
more effective security management.
Security tasks Security tasks are assigned to roles and grant access to windows,
reports, files, and other resources within Microsoft Dynamics GP that users need to
access to complete a specific task. Some default security tasks have been created for
you. For example, the DEFAULTUSER task allows users to access things that most
users will need to access in Microsoft Dynamics GP.
Security roles Security roles contain the security tasks that a user needs to
access to do their job. Some default security roles have been created for you. For
example, the ACCOUNTING MANAGER* role contains security tasks that allow a
user who is assigned to this role to view General Ledger account information, enter
journal entries, enter bank transactions, and perform other tasks that an accounting
manager might need to perform.
For example, user ABC is an accounting manager for Fabrikam, Inc., and needs
access to set up General Ledger, taxes, bank accounts, and credit cards as well as
perform many other accounting tasks. Review the default security roles in Microsoft
Dynamics GP to find one that grants access to the appropriate accounting
functionality for user ABC. For our example, the ACCOUNTING MANAGER*
security role is appropriate for user ABC. Use the User Security Setup Window to
assign the ACCOUNTING MANAGER* security role to user ABC in the Fabrikam,
Inc. company.
Account Account level security enhances security and account views. Users can
enter, edit, and view information from a reduced account set based on the access
granted for accounts.
Field level security Field level security restricts access to any field, window, or
form in Microsoft Dynamics GP. It allows you to apply a password, or to make a
window or form unavailable. It also allows you to hide, lock, or apply passwords to
fields.
For example, user ABC is an accounting manager for Fabrikam, Inc., and needs
access to set up General Ledger, taxes, bank accounts, and credit cards as well as
perform many other accounting tasks. Review the default security roles in Microsoft
Dynamics GP to find one that grants access to the appropriate accounting
functionality for user ABC. For our example, the ACCOUNTING MANAGER*
security role is appropriate for user ABC. Use the User Security Setup Window to
assign the ACCOUNTING MANAGER* security role to user ABC in the Fabrikam,
Inc. company.
28 P L A N N I N G F O R S EC U R I T Y
How passwords are used in Microsoft Dynamics GP
Microsoft Dynamics GP uses passwords to control access to a company and selected
parts of the accounting system. Passwords can contain uppercase and lowercase
letters, numeric characters, punctuation, and embedded spaces. There are three
types of passwords.
User passwords User passwords control whether a particular user has access to
Microsoft Dynamics GP. User passwords are initially set up in the User Setup
window by an administrator or entered during the initial Microsoft Dynamics GP
installation process for GP users that have been set up with a SQL Server Account.
Users can change their own passwords using the User Password Setup window.
Application security
Use the following information to better understand how Microsoft Dynamics GP
handles application security.
• All users of the Microsoft Dynamics GP desktop client must have valid
passwords to log in to the application. If a blank password is detected, the user
is forced to change the password before logging into the application. We also
recommend that all inactive user accounts be deleted or assigned a valid
password and removed from all company access.
• Users ofd the web client can log into Microsoft Dynamics GP using their SQL,
Windows or Organizational Account credentials.
• When the DYNSA login is created, the login is assigned to the SecurityAdmin
and dbCreator Fixed Server Roles.
• Any user with the correct SQL permissions can install Microsoft Dynamics GP.
• Access to the SY02400 table (System Password Master Table) in Report Writer is
removed for all users.
• When the DYNSA login is created, the login automatically is assigned to the
SecurityAdmin and dbCreator Fixed Server Roles.
30 P L A N N I N G F O R S EC U R I T Y
Chapter 6: The Microsoft Dynamics GP database
security model
Use this information to learn about the Microsoft Dynamics GP database security
model.
• Password security
• Directory Accounts database access
• DYNGRP database role
• SysAdmin fixed server role
• SQL Server fixed database roles beginning with “rpt_”
Password security
User accounts must be created within the Microsoft Dynamics GP application to
ensure that security is applied to all Microsoft Dynamics GP windows and reports.
Microsoft Dynamics GP encrypts the password during the user creation process
before it is passed to Microsoft SQL Server. For example, if a user account is created
with a password of ‘1234,’ before the user account is created in the Microsoft SQL
Server, that password passes through the Microsoft Dynamics GP encryption
process and is changed to something like ‘ABCD.’ When this happens, only the
Microsoft Dynamics GP application and other applications that use the Microsoft
Dynamics GP encryption process have the ability to translate the user’s password
before sending it to Microsoft SQL Server.
If a user tries to access the Microsoft SQL Server from outside the Microsoft
Dynamics GP application, the attempt to log in will be denied because the
passwords will not match. For improved security, Microsoft Dynamics GP does not
allow a user to change their password to blank or unencrypted.
Users should be added as members to the SQL Server roles that correspond to the
reports or data connections that they need access to. See your System Setup Guide
(Help >> Contents >> select Setting up the System) for more information. For
detailed information about SQL Server Reporting Services, refer to the SQL Server
Reporting Services Guide. This guide describes how to install Reporting Services,
how to deploy predefined reports that are included in Microsoft Dynamics GP to a
server, and how to set up security for reports. For the most current documentation,
see the Microsoft Dynamics GP 2015 documentation resources Web site (https://
mbs.microsoft.com/partnersource/northamerica/deployment/downloads/
product-releases/MDGP2015_Release_Download).
32 P L A N N I N G F O R S EC U R I T Y
Chapter 7: Core application security tasks
The following information provides common core application security tasks and a
number of options to complete the tasks. The options vary in their level of security.
The highest numbered option is the most secure option for each task.
Options
1. Log in to Microsoft Dynamics GP as the system administrator (“sa”) and create
the users as required (no change from previous releases). Microsoft Dynamics
GP administrator accounts can be any user account within the application.
Options
1. Log in to the application as the system administrator (“sa”) and delete the user
records as required (no change from previous releases).
3. Assign the database owner login (DYNSA) to the SecurityAdmin Fixed Server
Role and log into the client using DYNSA. With this option, DYNSA must be
the database owner of ALL Microsoft Dynamics GP databases.
34 P L A N N I N G F O R S EC U R I T Y
Options
1. Log in to the application as the system administrator (“sa”) and grant access as
required (no change from previous releases).
3. Log in as the database owner (DYNSA). With this option, DYNSA must be the
database owner of ALL Microsoft Dynamics GP databases.
Backing up databases
The following options are available to choose from. The most secure choice is option
4.
Options
1. Log in to the application as the system administrator (“sa”) and perform the
backup as required (no change from previous releases).
4. Assign the specific Microsoft Dynamics GP user(s) SQL Login account to the
Db_BackupOperator Database Role. Since this option doesn’t require the
Microsoft Dynamics GP Administrator(s) to login as the SQL Server system
administrator, this is the most secure option.
Restoring databases
The ability to restore databases is also an option within the Microsoft Dynamics GP
application. Because there is a risk that this feature could be misused to alter,
Options
1. Log in to the application as the system administrator (“sa”) and create the
business alert as required (no change from previous releases).
SQL maintenance
The SQL Maintenance window provides the ability to drop and create tables and
stored procedures from within the Microsoft Dynamics GP application. The system
administrator (“sa”) and the database owner (DYNSA) have access to this window
and access can be assigned to other logins as well. There are three ways to gain
access to this window. The most secure choice is option 3.
Options
1. Log in to the application as the system administrator (“sa”) to access this
window (no change from previous releases).
3. Log in as the database owner (DYNSA) to access this window. Since this option
doesn’t require the Microsoft Dynamics GP Administrator(s) to log in as the
SQL Server system administrator, this is the most secure option.
Deleting companies
The Delete Company window is used to delete Microsoft Dynamics GP companies.
The following options are available. Option 3 is the most secure.
Options
1. Log in to the application as system administrator (“sa”) and process as required
(no change from previous releases).
36 P L A N N I N G F O R S EC U R I T Y
3. Log in as the database owner (DYNSA). Since this option doesn’t require the
Microsoft Dynamics GP Administrator(s) to log in as the SQL Server system
administrator, this is the most secure option.
• User accounts
• Microsoft Dynamics GP windows
• Security in Microsoft Dynamics GP
User accounts
The following information contains answers to questions about user accounts.
Why does one user account need access to all Microsoft Dynamics
GP databases to delete another user account?
When a user account is being deleted, Microsoft Dynamics GP removes the user
account from all databases it is a member of and deletes the SQL login. The current
user will need to have access to each of the databases, as well as the correct
permissions to delete the user account from SQL Server. If the current user doesn’t
have access to the database to remove a user account, a message is displayed
alerting them of this.
Does the user account have to be in the same database role for all
databases?
Technically, the user doesn’t have to belong to the same database role for all
databases, but it is highly recommended. It is possible to have a user belong to the
DB_OWNER role in one database and the DB_ACCESSADMIN and
DB_SECURITYADMIN in another database, and the ability to grant users access to
company databases will still work as designed. However, all Microsoft Dynamics
GP users should belong to the DYNGRP database role for proper functioning of the
application.
When I open the User Access window, why aren’t the check boxes
available?
When the requirements for using the User Access window are not met, the check
boxes are unavailable. Within the User Access window, you have the ability to grant
and deny access to companies. This action of granting and denying access is
nothing more than adding and removing user accounts to the database and making
the user a member of the DYNGRP. This action making check boxes available is
determined by the following two factors:
• What database permissions the current user has when the window is opened.
The Save button is unavailable when the current user doesn’t have the correct
permissions to create a user account. If the current user doesn’t belong to the
SysAdmin Fixed Server role, then a combination of SQL Server roles must be used
to create the login. The current user must be a member of the SecurityAdmin Fixed
Server role and at least a member of the Db_Owner role or member of
Db_AccessAdmin and Db_SecurityAdmin roles for the DYNAMICS database.
The Delete button is unavailable when the current user doesn’t have the correct
permissions to delete a user account. If the current user doesn’t belong to the
SysAdmin Fixed Server role, then a combination of SQL Server roles must be used
to create the login. The current user must be a member of the SecurityAdmin Fixed
Server role and at least a member of the Db_Owner role or member of
Db_AccessAdmin for all databases that exist in the Company Master table
(SY01500). If there are records in the Company Master table that do not have a
corresponding database, those records must be removed in order for the Delete
button to be available.
Microsoft Dynamics GP recognizes and uses the following Microsoft SQL Server
roles. No other roles are checked to permit or deny access to functionality within the
Microsoft Dynamics GP product. It is required that each Microsoft Dynamics GP
user be a member of the DYNGRP database role for each Microsoft Dynamics GP
database.
40 P L A N N I N G F O R S EC U R I T Y
• Db_Owner–Performs the activities of all database roles, as well as other
maintenance and configuration activities in the database. The permissions of
this role span all of the other fixed database roles.
Some security features are not “rolled” into all of the additional products right
away, but will most likely be added in a future release. This means that an
administrator might need to use the system administrator (“sa”) login to initialize
or convert any tables that require a conversion. In order for additional product
dictionaries to utilize the security features, a new function, called syUserInRole, has
been created, which can determine what database roles the user is a member of.