Microsoft Dynamics AX 2009 Security Hardening Guide
Microsoft Corporation
Published: May 2008
Table of Contents
Introduction to the Security Hardening Guide
Reduce the attack surface of the Microsoft Dynamics AX client
Reduce the attack surface of the Microsoft Dynamics AX Application Object Server
Reduce the attack surface of the Microsoft Dynamics AX database
Appendix A: Table Permissions Framework Reference
Concepts
This guide discusses the following security concepts.
Concept: Attack surface
Concept: Least privilege
- Only keyboard strokes and images of information that is displayed on the Terminal Services server are transmitted over the network. Microsoft Dynamics AX data is not transmitted over the network to client computers, which reduces the threat of a malicious user acquiring data that was stored on a user's client computer.
- No data is processed, cached, or stored on a user's local computer. All data processing, caching, and storage occur on the Windows Server computer that is running the Microsoft Dynamics AX client. If a user's client computer is misappropriated or lost, a malicious user would not have access to Microsoft Dynamics AX data on that computer.
- If a security patch were issued for Microsoft Dynamics AX, that patch would only need to be applied to the Terminal Services cluster computers, which means that the overall Microsoft Dynamics AX attack surface is minimized.
Figure 1 shows an example of how you might architect Microsoft Dynamics AX to run on a Terminal Services cluster.
Figure 1: Microsoft Dynamics AX deployed on a Terminal Services cluster
1. Users log on to their client computers and open a Remote Desktop Connection or a Remote Desktop Web Connection (if they are connecting by using the HTTP service). Or, the user double-clicks the Microsoft Dynamics AX client icon on their computer and runs the application as a Terminal Services session (a feature of Windows Server 2008 called TS RemoteApp).
2. The load balancing solution routes traffic to the Terminal Services cluster based on server availability and load.
3. Terminal Services receives the session request and communicates with the Terminal Services Session Broker (called Session Directory on Windows Server 2003) and Terminal Services Licensing to manage sessions and to verify that a client access license is available. If a license is available, Terminal Services starts a unique session for each user. Depending on how you configured Terminal Services, users view a Windows desktop where they can access the Microsoft Dynamics AX client from the All Programs menu, or, if they are using TS RemoteApp, the Microsoft Dynamics AX client opens and appears to users as an application that is running on their client computer.
4. The Microsoft Dynamics AX clients running on the Terminal Services cluster communicate with the Microsoft Dynamics AX AOS and database server through normal channels.
5. The Terminal Services cluster transmits images of the information that is displayed on the Terminal Services server over the network to client computers. No Microsoft Dynamics AX data is transmitted over the network to the client, and therefore no Microsoft Dynamics AX data resides on users' client computers.
Deployment considerations
Without Terminal Services licensing, Windows Server allows only two concurrent remote sessions (Remote Desktop for Administration). Business decision makers in your business or organization will need to assess the cost of purchasing Terminal Services client access licenses before you can deploy a Terminal Services cluster. We highly recommend the investment because it reduces administration overhead and the attack surface for security threats against Microsoft Dynamics AX and any other line-of-business applications that you choose to run on the cluster.
Each user who will connect to the Microsoft Dynamics AX client on the Terminal Services cluster must be a member of the Remote Desktop Users group on the Terminal Services computers. Also disable client drive, clipboard, and printer redirection for the connection unless you need it: redirection is the one path by which data shown in a session can be copied to the client computer, and leaving it enabled undermines the advantage described above.
To enhance the security of your computing environment, deploy Group Policy and Encrypting File System on all computers. If your business or organization uses Windows Server 2008, Windows Vista Enterprise, or Windows Vista Ultimate, deploy Windows BitLocker. Group Policy and Encrypting File System are described in more detail in the following section.
For more information about Terminal Services, see the Windows Server 2008 Terminal Services Technical Library or the Windows Server 2003 Terminal Services Reference.
- Microsoft Dynamics AX data sent between the client and the AOS is at greater risk of being intercepted by a malicious user because more data is sent across the network.
- Data that is stored on individual computers is at greater risk of being accessed by a malicious user if users are not diligent about securing their computers, or if a computer is lost or stolen.
- If users have access to the Internet, there is a greater risk of virus attacks or problems with malicious software.
- Your computing environment is at greater risk if your business or organization does not enforce a policy that requires users to download and install security patches as soon as they are available.
You can mitigate some of these security risks by deploying the Windows security features that are described in the following sections.
Deployment considerations
This section describes deployment practices that we recommend if you deploy the Microsoft Dynamics AX client to multiple computers. If you deploy the client according to these recommendations, you can improve security and mitigate some of the risks described earlier.
Group Policy lets you:
- Centrally manage software installations, updates, repairs, upgrades, and software removal.
- Centrally deploy, recover, restore, and replace users' data, software, and personal settings.
- Control device installation and access to devices, such as USB drives, CD-RW drives, DVD-RW drives, and other removable media.
- Manage firewall and Internet Protocol security (IPsec) Group Policy settings together, a feature that provides greater security for scenarios such as securing server-to-server communications over the Internet, limiting access to domain resources based on trust relationships or the health of a computer, and protecting data communication to a specific server to meet regulatory requirements for data privacy and security.
- Open and edit Internet Explorer Group Policy settings without the risk of inadvertently altering the state of the policy settings based on the configuration of the administrative computer.
For more information, see Group Policy in Windows Server 2008 or Group Policy in Windows Server 2003.
Windows BitLocker
BitLocker encrypts all data that is stored on the Windows operating system volume (and
configured data volumes). This includes the Windows operating system, hibernation and
paging files, applications, and data that are used by applications.
BitLocker is configured by default to use a Trusted Platform Module (TPM) to help ensure the
integrity of early startup components (components that are used in the earlier stages of the
startup process). BitLocker "locks" any BitLocker-protected volumes so that they remain
protected even if the computer is tampered with when the operating system is not running.
To maintain the security of the production environment, developers should not be granted access
to the Microsoft Dynamics AX production database. Client computers that are used for
development should have their own AOS and database, and the development environment
should have its own data set. To maintain security and privacy, you should not use production
data in a development environment.
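The rule above is easier to enforce when you can see who currently reaches the production database. The following T-SQL is an added audit query, not part of the guide and not Microsoft Dynamics AX code; it assumes a hypothetical database name DynamicsAX and lists every principal mapped into that database, the server login behind it and its database roles, followed by the members of the sysadmin server role (who can read any database regardless of the first list). Developer or interactive accounts that show up here violate the rule.

```sql
-- Added audit query (not from the Dynamics AX Security Hardening Guide).
-- Assumption: the production Dynamics AX database is named DynamicsAX.
USE DynamicsAX;
GO
-- Database users, the server login behind each one, and the database roles they hold.
SELECT dp.name      AS database_user,
       sp.name      AS server_login,
       dp.type_desc AS principal_type,
       ISNULL(STUFF((SELECT ', ' + r.name
                     FROM sys.database_role_members rm
                     JOIN sys.database_principals r
                       ON r.principal_id = rm.role_principal_id
                     WHERE rm.member_principal_id = dp.principal_id
                     FOR XML PATH('')), 1, 2, ''), '(none)') AS database_roles
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND dp.name NOT IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA')
ORDER BY dp.name;
GO
-- Server level: sysadmin members bypass database permissions entirely.
SELECT m.name AS sysadmin_member, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
GO
```

Expect to see the AOS service account (the domain account, or the AOS computer account when the service runs as Network Service) and the accounts of the database administrators. Anything else, in particular a Windows group that developers belong to, should be removed from the production database and granted on the development database instead.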
malicious user would see data from those communications. In this situation, RPC encryption is not used, because the information between the Role Center page and the AOS is sent by using the Hypertext Transfer Protocol (HTTP).
If your business or organization uses Role Centers, you must ensure that Enterprise Portal is configured to use SSL encryption (HTTPS), so that Role Center pages and the data behind them are not sent in clear text. SSL is a feature of Internet Information Services, the Web server software that hosts the Enterprise Portal framework. For more information about configuring SSL, see Secure Sockets Layer encryption in IIS 7.0 or Secure Sockets Layer encryption in IIS 6.0.
You can read about how to set up and configure users, user
groups, domains, and record-level security in the Microsoft
Dynamics AX online Help. (Click the Help icon > System and
Application Setup > System setup > Setting up and
maintaining security.)
Before you set up and configure least privilege in Microsoft Dynamics AX, consider the following:
See Also
TechNet Security Center
If the AOS service runs under a domain user account, verify that:
- The domain user account does not have interactive logon rights.
- The domain user account is not listed as a user or as a member of any groups in Microsoft Dynamics AX.
- The domain user account is not listed as a user or as a member of any groups in Windows Users and Groups on the AOS server.
do not change the default settings, those services would be configured to listen on ports 2712, 2713, and 2714.
If a malicious user learned about a vulnerability in Microsoft Dynamics AX and knew the default port number, they might attempt to gain access to data by using that port number. Changing the default port number makes the AOS harder to find with a scan of well-known ports, but it is not a substitute for installing security updates and for restricting the port to the client and server networks that need it (with a host firewall or IPsec); treat it as one layer. You can change the port number by using the Microsoft Dynamics AX 2009 Server Configuration utility.
1. On the AOS server, click Start > Administrative Tools > Microsoft Dynamics AX 2009 Server Configuration.
2. Select an instance from the Application Object Server Instance drop-down list.
3. On the Application Object Server tab, enter a new port number in the TCP/IP port field.
Note:
Choose a port number between 1024 and 65000 that no other service on the server uses. The services file (%SystemRoot%\system32\drivers\etc\services) lists well-known port assignments; to see the ports that are actually in use on the server, run netstat -ano at a command prompt. Also update any firewall rules that allow AOS traffic so that the new port is allowed and the old one is not.
4. Click OK. The new port takes effect when the AOS service is restarted.
5. Repeat this process, if necessary, for each instance.
6. You must also specify the new port number on each client that connects to the AOS. You can change the port number by using the Microsoft Dynamics AX 2009 Configuration utility.
7. On a client computer, click Start > Administrative Tools > Microsoft Dynamics AX 2009 Configuration.
8. In the Configuration target drop-down list, select Local client.
9. Click Manage > Create configuration.
10. Enter a name, and then select Copy from Active configuration.
11. On the Connection tab, select the appropriate instance in the text box, and then click Edit.
12. Enter the new port number, and then click OK.
13. To expedite the process of configuring multiple client computers, you can export this configuration to a file and then import the configuration on all other client computers. For more information, see "Manage a client configuration" in the Microsoft Dynamics AX 2009 Configuration utility Help.
- The file share computer must be configured to use the File Server role in Windows Server (Start > Administrative Tools > Manage Your Server > File Server role).
- The shared directory must be configured so that the AOS service account (the domain account or the Network Service account) has Full Control permissions. Remove the default Everyone permission from the share so that only the AOS service account and administrators can reach it.
- Use Internet Protocol security (IPsec) to secure communications between the servers.
Note:
IPsec is described in the next section.
- Denial-of-service attacks.
- Data corruption.
- Data theft.
- User-credential theft.
Security Configuration Wizard
The Security Configuration Wizard reduces the attack surface of a Windows server by disabling the services, ports, and protocols that the server's roles do not need. It also:
- Allows further address or security restrictions for ports that are left open.
- Reduces protocol exposure to server message block (SMB), LanMan, and Lightweight Directory Access Protocol (LDAP).
To access the Security Configuration Wizard, click Start > Administrative Tools > Security
Configuration Wizard. We recommend that you read the Help for this tool before you make
changes to your system. For more information about services, ports, and protocols on your
Windows operating system, see Service overview and network port requirements for the
Windows Server system.
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) scans your computer to detect insecure configurations and to identify missing security updates. The analyzer then recommends changes and updates to improve the security of the computer.
For more information, see Microsoft Baseline Security Analyzer.
PCI Data Security Standard requirements
Build and Maintain a Secure Network:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Maintain a Vulnerability Management Program
Maintain an Information Security Policy
Enabling database encryption directly addresses the needs of requirement three: Protect stored cardholder data. Microsoft SQL Server 2008 includes a new encryption feature called Transparent Data Encryption (TDE). TDE is designed to protect the entire database at rest without affecting existing applications. Implementing encryption in a database traditionally involves complicated application changes, such as modifying table schemas, removing functionality, and significant performance degradation. For example, to use encryption in Microsoft SQL Server 2005, the column data type must be changed to varbinary; ranged and equality searches are not allowed; and the application must call built-in functions (or stored procedures or views that use those built-ins) to handle encryption and decryption, all of which slow query performance. These issues are not unique to Microsoft SQL Server 2005; other database management systems face similar limitations. Custom schemes are often used to support equality searches, and ranged searches often cannot be used at all. Even basic database elements, such as creating an index or using foreign keys, often do not work with cell-level or column-level encryption schemes because the use of these features inherently leaks information. TDE solves these problems by encrypting everything, including all data types, keys, and indexes. Note what TDE does not do: it protects the data and log files (and backups) at rest, so a login that is authorized to query the database still sees plain text, and data in transit is not covered; keep database logins restricted to the AOS service account and administrators. For more information, see Database Encryption in SQL Server 2008 Enterprise Edition. For information about encryption with Oracle Database 10g, see Oracle Database 10g Security and Identity Management.
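The trade-off the paragraph above describes, shown in T-SQL as an added example (it is not code from the guide or from Microsoft Dynamics AX). Part 1 does cell-level encryption the SQL Server 2005 way, with the varbinary column and the decrypt-every-row equality search the guide warns about; Part 2 enables TDE on SQL Server 2008 Enterprise and verifies it. The database name DynamicsAX, the demo table dbo.CardDemo and its two rows, the certificate and key names, the file paths and the passwords are all assumptions; replace them before use.

```sql
-- Added example: cell-level encryption (SQL Server 2005 style) versus
-- Transparent Data Encryption (SQL Server 2008 Enterprise). Not from the guide.
-- Assumptions (hypothetical): database DynamicsAX, demo table dbo.CardDemo,
-- placeholder passwords and key-backup paths.

-- Part 1: cell-level encryption. The column becomes varbinary and every
-- search must decrypt each row, so no index can be used.
USE DynamicsAX;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-Strong-Passphrase-1';
CREATE CERTIFICATE CardCellCert WITH SUBJECT = 'Cell-level card number encryption';
CREATE SYMMETRIC KEY CardCellKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCellCert;
GO
CREATE TABLE dbo.CardDemo (
    CustAccount   nvarchar(20)   NOT NULL PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL   -- would have been nvarchar without encryption
);
GO
OPEN SYMMETRIC KEY CardCellKey DECRYPTION BY CERTIFICATE CardCellCert;
INSERT INTO dbo.CardDemo (CustAccount, CardNumberEnc)   -- constructed sample rows
VALUES (N'4000', EncryptByKey(Key_GUID('CardCellKey'), N'4111111111111111')),
       (N'4001', EncryptByKey(Key_GUID('CardCellKey'), N'5555555555554444'));
-- Equality search: each row is decrypted and compared; an index on the
-- ciphertext cannot help because the same plaintext encrypts differently.
SELECT CustAccount
FROM dbo.CardDemo
WHERE CONVERT(nvarchar(20), DecryptByKey(CardNumberEnc)) = N'4111111111111111';
CLOSE SYMMETRIC KEY CardCellKey;
GO

-- Part 2: TDE. The whole database and its log are encrypted at rest with no
-- schema change. Requires SQL Server 2008 Enterprise Edition.
USE master;
GO
-- Skip the next statement if master already has a database master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-Strong-Passphrase-2';
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for DynamicsAX';
-- Back up the certificate and private key now and store them off the server;
-- without them no backup of the database can be restored anywhere else.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'D:\Keys\TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\Keys\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Replace-With-Strong-Passphrase-3');
GO
USE DynamicsAX;
GO
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE DynamicsAX SET ENCRYPTION ON;
GO
-- Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, key_algorithm, key_length, percent_complete
FROM sys.dm_database_encryption_keys;
GO
```

Two points to carry into planning: once any database on the instance is TDE-enabled, tempdb is encrypted as well, which affects every database on that instance; and the certificate backup is part of the backup set, since a database backup restored to a server without the certificate cannot be opened.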
If your business or organization uses Microsoft SQL Server 2005, you can address the needs of PCI Data Security Standard requirement three by using Encrypting File System (EFS). EFS is a component of the NTFS file system on Windows operating systems that is used for encrypting files and folders on client computers and remote servers. Any user or application that does not have the appropriate cryptographic key cannot read the encrypted data. With EFS, we recommend that you encrypt the folder where the SQL Server database files are stored. Because EFS keys belong to a user account, encrypt the files while running as the SQL Server service account (or add that account to the files' EFS users); if another account encrypts them, the SQL Server service cannot open the database. If you want to limit the overhead to the most sensitive data, such as a credit card number table, you can place that table in its own filegroup whose data file is in an EFS-encrypted folder, and expose the table through a view so that the application interface does not change.
For more information, see EFS in Windows Server 2008 or EFS in Windows Server 2003.
FinancialResults. This table was added as part of a customization done by a partner after
Microsoft Dynamics AX was installed.
Note:
TPF can be enabled on any table in the Microsoft Dynamics AX database. For the
sake of time and efficiency, however, administrators assign TPF to tables that are
considered to be sensitive or to be of critical business value.
3. In the Application Object Tree (AOT), the administrator configures the FinancialResults table
so that the Application Object Server (AOS) must authorize all operations for that table. The
administrator specifies the value CreateReadUpdateDelete for the
AOSAuthorizationProperty.
4. Soon thereafter, a malicious user discovers a vulnerability in Contoso's third-party application that connects to Microsoft Dynamics AX by using the .NET Business Connector. Through that application, the malicious user connects to the AOS as a member of the CRM_users group and attempts to read the data in the FinancialResults table.
5. Before allowing the read operation, the AOS checks to see if the user is a member of the
Senior Leadership user group and if members of the group have permission to read the data.
The malicious user is not a member of the Senior Leadership group, so the AOS denies the
read operation.
To enable TPF, an administrator sets the AOSAuthorization property (referred to as AOSAuthorizationProperty in this guide) on a specific table in the AOT. The property can require authorization for Create, Read, Update, and Delete operations. For some tables, it is important to authorize all operations because the data is sensitive. For other tables, you might find it suitable to specify a subset of operations, such as Create, Update, and Delete. When you have specified a subset, the AOS authorizes the Create, Update, and Delete operations but lets users read the table if they have ordinary Microsoft Dynamics AX access to it. Keep in mind that TPF is enforced by the AOS: it protects against requests that arrive through the client, Enterprise Portal, or the Business Connector, not against someone who connects to SQL Server directly, so database logins must stay restricted to the AOS service account and administrators.
Appendix A: Table Permissions Framework Reference lists all tables that are TPF-enabled by default and which operations require authorization. You can change or add TPF for a table, but we recommend that you perform TPF changes in a test environment so that you can study the impact of TPF changes on user groups that access that table.
To enable TPF on a database table:
1. In the AOT, expand Data Dictionary > Tables.
2. Right-click a table, and then click Properties.
3. Click AOSAuthorization and select a new value from the drop-down list.
4. Click Save All.
If you added TPF to a table, you might need to specify or expand permissions for user groups
that access that table. You can view which objects access a table by using the Used-by
command in the AOT:
1. In the AOT, expand Data Dictionary > Tables.
2. Right-click a table, and then click Add-ins > Cross-reference > Update.
3. Right-click a table, and then click Add-ins > Cross-reference > Used by. The Used by form
is displayed. This form shows all objects that access the selected table and what permissions
(the Reference column) are required when accessing the table. You might need to adjust
user group permissions if you set tighter restrictions on a table.
Appendix A: Table Permissions Framework Reference
Tables
This section lists all database tables that are TPF-enabled by default in Microsoft Dynamics AX
and the authorization requirements for those tables.
Important:
These tables store sensitive data. We recommend that you do not adjust these
authorization requirements unless told to do so by management. We also recommend
that you do not adjust these requirements in a production environment. Test your
changes in a test environment so that you can study the impact on user-group
permissions and make adjustments as necessary.
Application Integration Framework (AIF)
Table name
AifValueSubstitutionComponentConfig
AifChannel
Business Intelligence and Reporting
Table name
BIAnalysisServer
BIConfiguration
BICurrencyDimension
BIExchangeRates
BIPerspectives
BITimeDimension
BIUdmRoles
BIUdmTranslations
SRSAnalysisEnums
SRSEnabledLanguages
SRSLanguages
SRSModelEntityCache
SRSModelFieldCache
SRSModelFieldFolderCache
SRSModelFieldRoleSortCache
SRSModelFolderCache
SRSModelForeignKeyCache
SRSModelIndexCache
SRSModelOptions
SRSModelPerspectiveCache
SRSModelPerspectiveEntityCache
SRSModelPerspectiveFieldCache
SRSModelPerspectiveForeignKeyCache
SRSModelPerspectiveRoleCache
SRSModelRoleCache
SRSModelRoleGroupsCache
SRSModelSecurityKeyCache
SRSServers
SRSUpdateOptions
SRSUserConfiguration
SysSRSTablePermissions
SysMapParameters
SysClusterConfig
SysOccConfiguration
UtilElements
UtilIdElements
Enterprise Portal
Table name
SysUserInfo (Create, Delete)
UserInfo (Create, Delete)
EPStateStore
CuesQuery
EPCompanyParameters
EPDocuParameters
EPGlobalParameters
EPServerStateCleanupSettings
EPStateStoreSettings
EPWebSiteParameters
SysBCProxyUserAccount
SysEncryptionKey
SysPerimeterNetworkParams
SysSecurityFormControlTable
SysSecurityFormTable
UserGroupInfo
UserGroupList
Expense Management
Table name
TrvCreditCards
TrvCashAdvance
Financials
Table name
BankAccountTable
CreditCardADNSetup
CreditCardCust
CreditCardCustNumber
CreditCardMicrosoftSetup
CreditCardProcessorsSecurity
CustBankAccount
LedgerBalancesDimTrans
LedgerBalancesTrans
LedgerTrans
ShipCarrierCODPackage
ShipCarrierPackage
ShipCarrierShippingRequest
ShipCarrierSQLRoleUser
ShipCarrierStaging
ShipCarrierTracking
VendBankAccount
CompanyDomainList
GDL
Table name
BankCodaAccountStatement
BankCodaAccountStatementLines
BankIBSLog_BE
BankIBSLogArchive_BE
Tax1099IRSPayerRec
TaxEvatParameters_NL
VendStateTaxID
Human Resources
Table name
EmplTable
HRCComp
HRCCompGrid
HRCCompLevel
HRCCompRefPointSetup
HRCCompRefPointSetupLine
HRCCompTmpGrid
HRMADARequirement
HRMCompEligibility
HRMCompEligibilityLevel
HRMCompEvent
HRMCompEventEmpl
HRMCompEventLine
HRMCompEventLineComposite
HRMCompEventLineFixed
HRMCompEventLinePointInTime
HRMCompFixedAction
HRMCompFixedBudget
HRMCompFixedEmpl
HRMCompFixedPlanTable
HRMCompFixedPlanUtilMatrix
HRMCompJobFunction
HRMCompJobType
HRMCompLocation
HRMCompOrgPerf
HRMCompPayFrequency
HRMCompPayrollEntity
HRMCompPerfAllocation
HRMCompPerfAllocationLine
HRMCompPerfPlan
HRMCompPerfPlanEmpl
HRMCompPerfRating
HRMCompProcess
HRMCompProcessLine
HRMCompProcessLineAction
HRMCompSurveyCompany
HRMCompVarAwardEmpl
HRMCompVarEnrollEmpl
HRMCompVarEnrollEmplLine
HRMCompVarPlanLevel
HRMCompVarPlanTable
HRMCompVarPlanType
HRMCompVesting
HRMi9Document
HRMi9DocumentList
HRMPartyEmployeeRelationship
HRMVirtualNetworkAccommodation
HRMVirtualNetworkTable
KMKnowledgeTable
KMKnowledgeTrans
Inventory Management
Table name
InventItemSampling
InventNonConformanceHistory
InventNonConformanceOrigin
InventNonConformanceRelation
InventNonConformanceTable
InventProblemType
InventProblemTypeSetup
InventQualityOrderLine
InventQualityOrderLineResults
InventQualityOrderTable
InventQualityOrderTableOrigin
InventQuarantineZone
InventTestArea
InventTestAssociationTable
InventTestCertOfAnalysisLine
InventTestCertOfAnalysisLineResults
InventTestCertOfAnalysisTable
InventTestCorrection
InventTestDiagnosticType
InventTestEmplResponsible
InventTestGroup
InventTestGroupMember
InventTestInstrument
InventTestItemQualityGroup
InventTestMiscCharges
InventTestOperation
InventTestOperationItems
InventTestOperationMiscCharges
InventTestOperationTimeSheet
InventTestQualityGroup
InventTestRelatedOperations
InventTestReportSetup
InventTestTable
InventTestVariable
InventTestVariableOutcome
WMSReservationCombinationLine
WMSReservationCombinationTable
WMSReservationSequenceLine
WMSReservationSequenceTable
SysSignatureSetup
Project Accounting
Table name
ProjControlPeriodCostGroup
ProjControlPeriodTable
ProjControlPeriodTableColumn
ProjControlPeriodTrans
ProjCostTrans
ProjEmplTrans
ProjInvoiceCost
ProjInvoiceEmpl
ProjInvoiceJour
ProjInvoiceOnAcc
ProjInvoiceRevenue
ProjInvoiceTable
ProjItemTrans
ProjItemTransCost
ProjJournalTable
ProjJournalTrans
ProjOnAccTrans
ProjProposalCost
ProjProposalEmpl
ProjProposalJour
ProjProposalOnAcc
ProjProposalRevenue
ProjRevenueTrans
ProjTransPosting
SyncProjTransaction
Server and Tools
Table name
SqlSyncInfo
SysRemoveConfig
SysRemoveFields
SysRemoveLicense
SysRemoveTables
AccessRightsList
DataArea
DatabaseLog
DomainInfo
SqlDictionary
SqlParameters
SysClientSessions
SysExpImpField
SysExpImpTable
SysRecordLevelSecurity
SysRecordTemplateSystemTable
SysServerConfig
SysServerSessions
SysSetupCompanyLog
SysSortOrder
SystemSequences
TableCollectionList
TimeZonesList
TimeZonesRulesData
VirtualDataAreaList
SysDataBaseLog (Update, Delete)
Setup and Upgrade
Table name
BatchGlobal
BatchGroup
BatchServerConfig
BatchServerGroup
SysConfig
SysSetupLog
Workflow
Table name
ExpressionTable
WorkflowConfigurationTable
WorkflowConfigurationTableNotes
WorkflowElementTable
WorkflowMessageText
WorkflowStepTable
WorkflowSubWorkflowTable
SysWorkflowElementTable (Update, Delete)
SysWorkflowFaultTable (Update, Delete)
SysWorkflowInstanceTable (Update, Delete)
SysWorkflowTable (Update, Delete)
WorkflowMessageTable (Update, Delete)
WorkflowTrackingArgumentTable (Update, Delete)
X++ Development
Table name
xRefNames
xRefPaths
xRefReferences
xRefTableRelation
xRefTmpReferences
xRefTypeHierarchy