One of our clients is using the NAV 2009 R2 Classic client. They had penetration testing done from the internal network, and they use Windows Authentication. The testers found a few security issues. One of them is described as "Inadequate access Controls in Place". It means the pentester is able to intercept TCP data and capture the SID of any user; the user ID is also exposed. Therefore, any login can be intercepted, and existing users with a lower level of access are also able to elevate their access with the same process.
There are a few other points, but this one is critical. Is there any way we can address this, and can we implement any of the following?
1. Fix SQL injection exploit
2. Fix plain-text TCP communication from client to server.
3. Fix elevation of access using SID.
I understand NAV only adds security on top of SQL Server. It's not purely a Navision issue.
Any comments? I appreciate your help.
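The following is an added example, not part of the original post and not code from Microsoft or the NAV product. Because the Classic client connects straight to SQL Server, the two findings in points 2 and 3 can be checked from the database side with standard SQL Server DMVs: the first query lists sessions whose connection is not encrypted (what a sniffer on the internal network could read), and the second lists which logins hold server-level roles, which is where an "elevated" login would have to end up. It assumes a SQL Server instance hosting the NAV database and a login with VIEW SERVER STATE permission to run it; the column names are SQL Server's own, nothing NAV-specific is queried.

```sql
-- Added example (not from the original post). Run on the SQL Server instance
-- that hosts the NAV database; requires VIEW SERVER STATE (sysadmin has it).

-- 1. Which current connections are unencrypted and how they authenticated.
--    encrypt_option = 'FALSE' means TDS traffic, including login and query
--    data, crosses the wire in the clear. auth_scheme shows NTLM vs KERBEROS
--    for Windows Authentication, or SQL for SQL logins.
SELECT  c.session_id,
        s.login_name,
        s.host_name,
        s.program_name,
        c.net_transport,
        c.auth_scheme,
        c.encrypt_option,
        c.client_net_address
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   c.encrypt_option = 'FALSE'
ORDER BY s.login_name, c.session_id;

-- 2. Which logins are members of fixed server roles. Anything beyond the
--    expected service/admin accounts in sysadmin (or securityadmin, which can
--    grant sysadmin) is a candidate for the elevation finding in point 3.
SELECT  r.name AS server_role,
        p.name AS member_login,
        p.type_desc,
        p.is_disabled
FROM    sys.server_role_members   AS m
JOIN    sys.server_principals     AS r ON r.principal_id = m.role_principal_id
JOIN    sys.server_principals     AS p ON p.principal_id = m.member_principal_id
WHERE   r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, p.name;
```

If the first query returns the NAV client sessions, the traffic really is plain text at the SQL Server layer; SQL Server can be set to require encrypted connections ("Force Encryption" under the instance's network configuration in SQL Server Configuration Manager, with a server certificate installed), after which re-running the query should show encrypt_option = 'TRUE' for every session. The second query is a baseline to compare against after any change to NAV roles or SQL logins.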