Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (10)
Destacado
Similar a Breaking Microsoft Dynamics Great Plains
Similar a Breaking Microsoft Dynamics Great Plains (20)
Último
Último (20)
Breaking Microsoft Dynamics Great Plains
- 1. Dave Keene, CISSP, MCT, MCITP, VCP, C|EH Chief Security Officer Texas Association of Counties 1
- 2. Overview About Me What is Great Plains and why should I care Examine the security flaws and solutions in the following areas Application SQL Installation Attacking GP for penetration testing Summary Additional Resources © Dave Keene 2012. All rights reserved 2
- 3. About Me Information Security for 8 years IT work for 14 years Worked with Great Plains (GP) since 2000 Spent the last two years testing GP installs in a lab environment, support production installations Manage network and security practice that provides IT support to the 254 counties in Texas © Dave Keene 2012. All rights reserved 3
- 4. What is Microsoft Dynamics and Great Plains? Dynamics - ERP family from Microsoft Great Plains has 42,000 customers worldwide Accounting system, but additional uses are: Sales Manufacturing HR/Payroll Inventory © Dave Keene 2012. All rights reserved 4
- 5. Typical installation © Dave Keene 2012. All rights reserved 5
- 6. © Dave Keene 2012. All rights reserved 6
- 7. There is a lot of good data in GP © Dave Keene 2012. All rights reserved 7
- 8. There is a lot of good data in GP © Dave Keene 2012. All rights reserved 8
- 9. There is a lot of good data in GP © Dave Keene 2012. All rights reserved 9
- 10. There is a lot of good data in GP © Dave Keene 2012. All rights reserved 10
- 11. What be done with this data? What could happen: Compliance problems? Identity theft PII Bank fraud PHI / HIPPA Social Engineering PCI DSS Electronic Funds Just to name a few… Transfers © Dave Keene 2012. All rights reserved 11
- 12. Application Problems and Solutions © Dave Keene 2012. All rights reserved 12
- 13. GP Application problems No master security between different “company” databases No default enforcement of password policy No default built in security auditing Routine upgrades cause security problems Common file shares, code injection Fat client install is on shared folder; requires local admin © Dave Keene 2012. All rights reserved 13
- 14. GP Application Solutions Use third party solutions for Combining security between companies Active Directory integration Auditing Engage Microsoft Partners to plan upgrades* Common files – Use NTFS security for GP users only Allow full access to GP program files © Dave Keene 2012. All rights reserved 14
- 15. Inherent problems with GP SQL installation and how to fix them © Dave Keene 2012. All rights reserved 15
- 16. GP SQL installation problems GP on separate SQL instance in native mode SQL level security – no Windows authentication ODBC ports hard coded into application DYNSA account privilege level © Dave Keene 2012. All rights reserved 16
- 17. GP SQL installation solutions Harden SQL instance Force password policy © Dave Keene 2012. All rights reserved 17
- 18. © Dave Keene 2012. All rights reserved 18
- 19. GP SQL installation solutions Harden SQL instance Force password policy Hide the SQL instance © Dave Keene 2012. All rights reserved 19
- 20. © Dave Keene 2012. All rights reserved 20
- 21. GP SQL installation solutions Harden SQL instance Force password policy Hide the SQL instance DYNSA – configure using documentation © Dave Keene 2012. All rights reserved 21
- 22. Installer Errors / Lack of Experience © Dave Keene 2012. All rights reserved 22
- 23. Installer error/lack of experience GP sold and installed through partner Business analyst installing software? Due to the lack of security, you MUST use a third party application the fill in the gaps Install uses privileged service account and SA © Dave Keene 2012. All rights reserved 23
- 24. Installer Solutions Partner you choose is well versed in SQL and GP Find user group recommendations - GPUG Third party vendors to secure GP Disable SA account after install Change service account to least privilege © Dave Keene 2012. All rights reserved 24
- 25. Penetration Testing Against Great Plains © Dave Keene 2012. All rights reserved 25
- 26. Performing Reconnaissance Passive information gathering: Website – CFO / Accounting / Finance Website – portals that use GP © Dave Keene 2012. All rights reserved 26
- 27. Performing Reconnaissance © Dave Keene 2012. All rights reserved 27
- 28. Performing Reconnaissance Passive information gathering: Website – CFO / Accounting / Finance Website – portals that use GP Make some phone calls Software purchasing agent Head of finance © Dave Keene 2012. All rights reserved 28
- 29. Scanning and Enumeration Find out if GP is running in the environment using sqlninja or… nmap -n -v -sC --script=broadcast-ms-sql-discover.nse SQL server Management Studio Data Sources (ODBC) in Windows © Dave Keene 2012. All rights reserved 29
- 30. Gaining Access Use sqlninja, sqlmap, to test for SA Use sqlbrute and sqldict Administrative share – fat client install Last but not least… © Dave Keene 2012. All rights reserved 30
- 31. Dex.ini Workstation=WINDOWS Pathname=DYNAMICS/dbo/ BuildSQLMessages=FALSE SQLLastDataSource=Dynamics GP 2010 LastYearEndUpdate=11/17/2011 LastTaxCodeUpdate=01/20/2012 Dictionary Version=11.00.1935 ShowDebugMessages=FALSE AutoInstallChunks=TRUE © Dave Keene 2012. All rights reserved 31
- 32. Summary © Dave Keene 2012. All rights reserved 32
- 33. Summary Security defects found in GP and possible solutions Application SQL Installation Penetration testing against GP © Dave Keene 2012. All rights reserved 33
- 34. Additional Resources Contact me for more information on: Dexterity development system Great Plains SDK GP Support Tool GP install and troubleshooting guides dave@davekeene.com © Dave Keene 2012. All rights reserved 34
- 35. Additional Resources Hardening guide for Dynamics AX – none published (yet) for GP http://www.microsoft.com/en-us/download/details.aspx?id=232 SQL 2008 Security Best Practices http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=15289 Configure DYNSA account http://jpdavey.blogspot.com/2011/05/sa-dynsa-and-poweruser-in-dynamics-gp.html Great Plains User Group http://www.gpug.com/ dave@davekeene.com © Dave Keene 2012. All rights reserved 35
- 36. Questions? Comments? Dave Keene dave@davekeene.com @surferdave71 http://www.slideshare.net/surferdave71/breaking- microsoft-dynamics-great-plains © Dave Keene 2012. All rights reserved 36
Notas del editor
- Hello!Can everyone hear me?
- Make this slide showing more authority, bold, better resume. Number of years supporting GP. Technical testing experience.
- Dynamics is the business name Microsoft uses for various products they have purchased throughout the years for enterprise resource planning. They are basically accounting packages with various levels of complexity. GP was a product acquired in 2000 from Microsoft as a mid-market ERP. Combine these slides, dump the other products. GP is a part of the dynamics suiteWhat it does, who uses it, market penetration. Tell the background story, then lead to the security flaws. This presentation is to review some of the
- Definition of data based on classificationWhat protection must be in place for GP based on compliance requirements? Disclosure?
- Definition of data based on classificationWhat protection must be in place for GP based on compliance requirements? Disclosure?
- Definition of data based on classificationWhat protection must be in place for GP based on compliance requirements? Disclosure?
- Definition of data based on classificationWhat protection must be in place for GP based on compliance requirements? Disclosure?
- The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.[1]Personally Identifiable Information (PII), as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal, personally, identifiable, and identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used.Personal health information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care.
- Our company’s GP administrator is also the head of HR, lets call her Martha. She is a very talented person when it comes to manipulating GP and training the other users. She has a long history of working with accounting principals, and understands the business processes. We have had GP in our company longer than I have been with the company, about 14 years. When I came on board, I was asked to help support this software. These are some of the problems I found with our installation and how I corrected them.
- Each company has a completely different set of security rules within the application, making security administration tedious if done correctly. This can lead to a lazy security policy.Once GP is purchased from a partner, the company can opt (most of the time) to have the partner install the software (more on that later). But in a couple of cases the company started using GP years ago and simply did in place upgrades of the product. Version 9 to Version 10 made significant security changes, but may not have been implemented by onsite IT staff doing in in place upgrade. The product installs using the SA account and creates another user called DYNSA. This user is given privileges in SQL to create additional users in GP. There is no native support for windows or AD auth, or single sign on. Which leads us to…No password policy or enforcement. We all realize the problem here, no complexity or ability to force users to routinely change their passwords. In several cases, I have found the SA password to be “DynamicS” and in one case “cat”The GP application has an auditing feature to track changes within the application for GP users. The problem lies with power users; they bypass the security matrix altogether. No changes made by SA are tracked, and nothing is audited at the SQL level.GP uses dexterity runtime components to keep settings that are shared between users. Not only are these files shared, they could be used in theory to inject code into the software. An example is the software debugging tool provided to Microsoft partners. It is a code chunk that is simply dropped into a file and integrated without user intervention next time GP is launched.
- The problems I found with the SQL side of the installation were almost as shocking as they were with the application side. Since the only person that has been administering the software was a HR person, SQL was overlooked. Here are some obvious problmes that I have noticed with the SQL portion of GP and some of the things I did to fix them.
- Usually companies may employ a DBA to handle these things, but in a couple of installs I found the DBA created the instance and then the SA password was changed to prevent the DBA from having the “keys to the kingdom” with all the information within GP. This of course means the application owner would be responsible for securing the DB as well as all of the maintenance jobs that are required to setup. This next one may be something obscure, but I like to have the ability to change my ODBC ports to something a little less obvious to a sniffer and turn of SQL discovery. It may be security through obscurity, but I like the option.Microsoft has been working on this for a while, but they have not been able to correctly assign permissions to the DYNSA user to allow updates to tax law, finance changes, etc. The SA account has to be used for maintenance.We confirmed 7/20 that DYNSA can change user passwords and unlock accounts but it cannot add users to company databases or run updates.
- Now comes the best part of all. Martha and I have been working for years together and have supported the application and worked out all of the security and application kinks. Then our executive management decided to change the chart of accounts and the way we do business. They hired a partner to install a new instance of GP, here is the story.
- On several occasions, we had the person who was designing the chart of accounts, reports, etc. install the software using the next, next, finished method. Several times, the installer had full control of the SQL install as well without using any secure installation parameters.Microsoft has several vendors, called Independent Solution Vendors (ISV) that are allow access to the API to develop third party tools. These developers have products to allow single sign on, AD integration, etc. Plan on spending a lot more money to secure this product that what Microsoft gives you out of the boxMost installs any of use do are usually done with some type of privileged account, domain admin or local admin on the server. The problem with the GP service account is it needs to have domain admin rights or at least local admin rights to any server that touches GP including the SQL server. Now to switch gears to how I pen tested
- Well, as you can tell everything we did prior to the new partner coming on board was unravelled. I took it upon myself to inspect the installation and report on what the problems were, as if I was on the outside looking in. Here is the basis for my findings, using a systematic approach to review security.
- Bumper slide
- So in the end what was the result? We fired the new partner that had been hired due to the lack of experience with installing and configuring GP. A new partner was vetted, hired on, and I closely watched the installation process proceed. Many of the problems with the application, SQL, and installer errors were avoided. Still, there are many weaknesses even when everything has been installed correctly.