Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.5K Microsoft Dynamics NAV
- 18.5K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 264 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 992 SQL General
- 385 SQL Performance
- 33 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Options
Dynamics NAV 2009 R2 Security Issues
myanilkumar
Member Posts: 108
Hi,
One of Client using NAV 2009 R2 Classic client. They had done penetration testing from the internal network and they use Windows Authentication. They had found few security issues. One of them is they mentioned "Inadequate access Controls in Place". It means Pentester is able to intercept TCP data and capture the SID of any user – userID is also exposed. Therefore, any login can be intercepted and also for existing users with lower level of access, they are able to elevate their access with the same process.
There are few other points but this is critical. Is there any way we can address this and whether we can implement any of the following?
1. Fix SQL injection exploit
2. Fix TCP plain text communication from client to server via TCP.
3. Fix elevation of access using SID.
I understand NAV only adds security on to top of SQL Server. It's purely not Navision issues.
Any comments? Appreciate your help.
Thank you!
Regards,
Anil
One of Client using NAV 2009 R2 Classic client. They had done penetration testing from the internal network and they use Windows Authentication. They had found few security issues. One of them is they mentioned "Inadequate access Controls in Place". It means Pentester is able to intercept TCP data and capture the SID of any user – userID is also exposed. Therefore, any login can be intercepted and also for existing users with lower level of access, they are able to elevate their access with the same process.
There are few other points but this is critical. Is there any way we can address this and whether we can implement any of the following?
1. Fix SQL injection exploit
2. Fix TCP plain text communication from client to server via TCP.
3. Fix elevation of access using SID.
I understand NAV only adds security on to top of SQL Server. It's purely not Navision issues.
Any comments? Appreciate your help.
Thank you!
Regards,
Anil
0