The first step toward helping to secure Microsoft Dynamics AX is to make sure that it is deployed in a secure environment. For a network connected to any other network, including the Internet, extranets, and other internal networks, this means making sure that sufficient measures are taken to keep the network secure from external threats.
Additionally, whenever you make a change to the system, part of your planning should include attention to helping make the new system secure. For more information, see the Microsoft Dynamics AX Installation Guide.
For the latest information about security, see the TechNet Security Center. It provides security tools, security response information, such as security bulletins and virus alerts, and the most prescriptive security guidance Microsoft has to offer to help IT Professionals in securing their systems.
Microsoft Dynamics AX requires Active Directory to support its user structure. The Active Directory should be configured correctly to make sure it complies with your company’s security policies regarding user access. The computers that are running Microsoft Dynamics AX must have access to computers in the same domain running Active Directory configured in native mode. It may be the case that not all network users need access to Microsoft Dynamics AX. Therefore, it is more secure to simply not grant them access in Active Directory. For more information about how Microsoft Dynamics AX integrates with Active Directory for security, see Working with users from Active Directory. For the latest recommendations for configuring Active Directory, see the Microsoft Windows Server 2003 Active Directory Technology Center.
For deployments that include the Enterprise Portal component, there are additional environmental security issues to address. The network should have a firewall. It should also have one or two domain controllers. When there are two domain controllers, one should be in the internal network and the other in the perimeter network.
This configuration is performed with Active Directory. For more information about how to set up security for Enterprise Portal, see Configuring Enterprise Portal security in the Enterprise Portal Administration Guide.
When the Application Object Server (AOS) is installed, the user for the AOS service is set to either the Network Service account or a domain account. If you decide to use a domain account for the AOS service, you should make sure that the new account has the lowest (most restrictive) possible privileges, to help reduce the risk of processes that could cause harm to the server. For more information, see the Microsoft Dynamics AX Installation Guide.
Database logs can contain sensitive data. By default, any database log that is created can be queried by any user who has access to the database. Users can query the log by using Business Connector, X++, alerts, or by using direct access to the database. To protect data, restrict the permissions on the sysdatabaselog table. For detailed information, see Table Properties in the Microsoft Dynamics AX SDK.
Use the following security best practices to prevent users from submitting to batch groups that are processed with a higher permission level:
To help prevent denial of service attacks on your Enterprise Portal, you can adjust the values of the following configuration commands in the configuration file of the Application Object Server (AOS):
- MaxConcurrentGuestSessions – This value controls the maximum number of concurrent Guest (anonymous user) sessions. The default value is 65535. By decreasing this value, you can reduce the number of sessions that an attacker can hold. After you set this value, you must restart the AOS for the change to be applied.
- MaxConcurrentWebSessions – This value controls the maximum number of concurrent Enterprise Portal sessions, including Guest sessions. The default value is 65535. By decreasing this value, you can reduce the number of sessions that an attacker can hold. After you set this value, you must restart the AOS for the change to be applied.
- MaxMemLoad – This value controls the maximum amount of memory usage (the maximum percentage of physical memory that is used on the computer). The default value is 100. By decreasing this value, you can reduce the number of sessions that an attacker can start. After you set this value, you must restart the AOS for the change to be applied.
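The following check is an added example, not part of the original guidance or of Microsoft Dynamics AX. It flags the three limits when they are still at the defaults listed above or are inconsistent with each other, and it assumes the settings have been exported as `Name=Value` lines (a hypothetical format; this page does not show how the AOS configuration is stored).

```python
# Added example: audit the three AOS limits described above.
# Assumption: settings are exported as "Name=Value" lines (hypothetical format).

# Default values as stated in the list above.
DEFAULTS = {
    "MaxConcurrentGuestSessions": 65535,
    "MaxConcurrentWebSessions": 65535,
    "MaxMemLoad": 100,
}

def parse_settings(text):
    """Parse 'Name=Value' lines; names that are not set keep their default."""
    values = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() in DEFAULTS:
            values[name.strip()] = int(value.strip())
    return values

def audit(values):
    """Return a list of findings for the three limits."""
    findings = []
    for name, default in DEFAULTS.items():
        if values[name] == default:
            findings.append(f"{name} is still at its default ({default})")
    # MaxMemLoad is a percentage of physical memory.
    if not 1 <= values["MaxMemLoad"] <= 100:
        findings.append("MaxMemLoad is not a percentage between 1 and 100")
    # Web sessions include Guest sessions, so a guest cap above the
    # web cap never takes effect.
    if values["MaxConcurrentGuestSessions"] > values["MaxConcurrentWebSessions"]:
        findings.append("MaxConcurrentGuestSessions exceeds MaxConcurrentWebSessions")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """
MaxConcurrentGuestSessions=500
MaxConcurrentWebSessions=200
"""

if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE)):
        print(finding)
```
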
The following are best practices for administering security of your Microsoft Dynamics AX environment: