Make this slide show more authority: bold, better resume. Number of years supporting GP. Technical testing experience.
Dynamics is the business name Microsoft uses for various products it has purchased over the years for enterprise resource planning. They are basically accounting packages with various levels of complexity. GP was a product acquired by Microsoft in 2000 as a mid-market ERP. Combine these slides, dump the other products. GP is a part of the Dynamics suite.

What it does, who uses it, market penetration. Tell the background story, then lead to the security flaws. This presentation is to review some of the
Definition of data based on classification.

What protection must be in place for GP based on compliance requirements? Disclosure?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.[1]

Personally Identifiable Information (PII), as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal, personally, identifiable, and identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used.

Personal health information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care.
Our company’s GP administrator is also the head of HR; let’s call her Martha. She is a very talented person when it comes to manipulating GP and training the other users. She has a long history of working with accounting principles, and understands the business processes. We have had GP in our company longer than I have been with the company, about 14 years. When I came on board, I was asked to help support this software. These are some of the problems I found with our installation and how I corrected them.
Each company has a completely different set of security rules within the application, making security administration tedious if done correctly. This can lead to a lazy security policy.

Once GP is purchased from a partner, the company can opt (most of the time) to have the partner install the software (more on that later). But in a couple of cases the company started using GP years ago and simply did in-place upgrades of the product. Version 9 to Version 10 made significant security changes, but they may not have been implemented by onsite IT staff doing an in-place upgrade. The product installs using the SA account and creates another user called DYNSA. This user is given privileges in SQL to create additional users in GP. There is no native support for Windows or AD auth, or single sign-on. Which leads us to…

No password policy or enforcement. We all realize the problem here: no complexity, and no ability to force users to routinely change their passwords. In several cases, I have found the SA password to be “DynamicS” and in one case “cat”.

The GP application has an auditing feature to track changes within the application for GP users. The problem lies with power users; they bypass the security matrix altogether. No changes made by SA are tracked, and nothing is audited at the SQL level.

GP uses Dexterity runtime components to keep settings that are shared between users. Not only are these files shared, they could in theory be used to inject code into the software. An example is the software debugging tool provided to Microsoft partners. It is a code chunk that is simply dropped into a file and integrated without user intervention the next time GP is launched.
The problems I found with the SQL side of the installation were almost as shocking as those on the application side. Since the only person who had been administering the software was an HR person, SQL was overlooked. Here are some obvious problems that I have noticed with the SQL portion of GP and some of the things I did to fix them.
Usually companies may employ a DBA to handle these things, but in a couple of installs I found the DBA created the instance and then the SA password was changed to prevent the DBA from having the “keys to the kingdom” with all the information within GP. This of course means the application owner would be responsible for securing the DB as well as all of the maintenance jobs that need to be set up.

This next one may be something obscure, but I like to have the ability to change my ODBC ports to something a little less obvious to a sniffer and turn off SQL discovery. It may be security through obscurity, but I like the option.

Microsoft has been working on this for a while, but they have not been able to correctly assign permissions to the DYNSA user to allow updates to tax law, finance changes, etc. The SA account has to be used for maintenance. We confirmed 7/20 that DYNSA can change user passwords and unlock accounts, but it cannot add users to company databases or run updates.
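The SQL-side gaps described in the last two slides (no password policy on the logins, SA used for maintenance, DYNSA's rights unclear, and nothing audited at the SQL level) can be checked and closed from T-SQL. This is an added example, not from the presentation or from Microsoft; it assumes SQL Server 2008 or later, the default GP system database name DYNAMICS, and an audit folder D:\SQLAudit\ that already exists.

```sql
-- Added example (not part of the presentation). Assumes SQL Server 2008+,
-- a GP system database named DYNAMICS (the default) and an existing D:\SQLAudit\.

-- 1. Finding: SQL logins with no password policy or expiration, plus the
--    state of sa and DYNSA. Every row returned is something to review;
--    sa should be disabled outside maintenance windows and DYNSA should not
--    be a member of sysadmin.
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin
FROM    sys.sql_logins AS l
WHERE   l.is_policy_checked = 0
   OR   l.is_expiration_checked = 0
   OR   l.name IN ('sa', 'DYNSA')
ORDER BY l.name;

-- 2. Server-level audit: password changes, role membership changes, logins
--    created or dropped, and failed logins. This records actions regardless
--    of who performed them, so changes made directly as sa are captured too.
CREATE SERVER AUDIT GPSecurityAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT GPSecurityAudit WITH (STATE = ON);

CREATE SERVER AUDIT SPECIFICATION GPServerAuditSpec
    FOR SERVER AUDIT GPSecurityAudit
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);

-- 3. Database-level audit on the GP system database: role changes, schema
--    changes (what an update run as sa leaves behind) and every UPDATE or
--    DELETE, by any principal, since GP's own audit does not see these.
USE DYNAMICS;
CREATE DATABASE AUDIT SPECIFICATION GPDynamicsAuditSpec
    FOR SERVER AUDIT GPSecurityAudit
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (UPDATE, DELETE ON DATABASE::DYNAMICS BY public)
    WITH (STATE = ON);

-- 4. Review the trail (who, when, which object, which statement).
SELECT event_time, action_id, server_principal_name, database_name, object_name, statement
FROM   sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Database audit specifications require Enterprise edition before SQL Server 2016 SP1; on Standard edition, keep step 2 and drop step 3.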
Now comes the best part of all. Martha and I have been working together for years, have supported the application, and have worked out all of the security and application kinks. Then our executive management decided to change the chart of accounts and the way we do business. They hired a partner to install a new instance of GP; here is the story.
On several occasions, we had the person who was designing the chart of accounts, reports, etc. install the software using the next, next, finish method. Several times, the installer had full control of the SQL install as well, without using any secure installation parameters.

Microsoft has several vendors, called Independent Solution Vendors (ISVs), that are allowed access to the API to develop third-party tools. These developers have products that allow single sign-on, AD integration, etc. Plan on spending a lot more money to secure this product than what Microsoft gives you out of the box.

Most installs any of us do are usually done with some type of privileged account, domain admin or local admin on the server. The problem with the GP service account is that it needs to have domain admin rights, or at least local admin rights, on any server that touches GP, including the SQL server. Now to switch gears to how I pen tested.
Well, as you can tell everything we did prior to the new partner coming on board was unravelled. I took it upon myself to inspect the installation and report on what the problems were, as if I was on the outside looking in. Here is the basis for my findings, using a systematic approach to review security.
Bumper slide
So in the end what was the result? We fired the new partner that had been hired due to the lack of experience with installing and configuring GP. A new partner was vetted, hired on, and I closely watched the installation process proceed. Many of the problems with the application, SQL, and installer errors were avoided. Still, there are many weaknesses even when everything has been installed correctly.