Breaking Microsoft Dynamics Great Plains - an insider's guide

Dave Keene, CISSP, MCT, MCITP, VCP, C|EH
Chief Security Officer, Texas Association of Counties

36 slides

Uploaded by surferdave71, posted on 14-Jan-2015


DESCRIPTION

Presented at BSidesLV, I take a look at some of the problems inherent with GP and how to fix them.

TRANSCRIPT

1. Title slide: Dave Keene, CISSP, MCT, MCITP, VCP, C|EH, Chief Security Officer, Texas Association of Counties

2. Overview
  • About Me
  • What is Great Plains and why should I care
  • Examine the security flaws and solutions in the following areas: Application, SQL, Installation
  • Attacking GP for penetration testing
  • Summary
  • Additional Resources
  (Footer on every slide: Dave Keene 2012. All rights reserved)

3. About Me
  • Information Security for 8 years
  • IT work for 14 years
  • Worked with Great Plains (GP) since 2000
  • Spent the last two years testing GP installs in a lab environment; support production installations
  • Manage network and security practice that provides IT support to the 254 counties in Texas

4. What is Microsoft Dynamics and Great Plains?
  • Dynamics - ERP family from Microsoft
  • Great Plains has 42,000 customers worldwide
  • Accounting system, but additional uses are: Sales, Manufacturing, HR/Payroll, Inventory

5. Typical installation (image-only slide)

6. (image-only slide)

7. There is a lot of good data in GP (image-only slide)

8. There is a lot of good data in GP (image-only slide)

9. There is a lot of good data in GP (image-only slide)

10. There is a lot of good data in GP (image-only slide)

11. What can be done with this data?
  • What could happen: Identity theft, Bank fraud, Social Engineering, Electronic Funds Transfers, just to name a few
  • Compliance problems? PII, PHI / HIPAA, PCI DSS

12. Application Problems and Solutions (section title)

13. GP Application problems
  • No master security between different company databases
  • No default enforcement of password policy
  • No default built-in security auditing
  • Routine upgrades cause security problems
  • Common file shares, code injection
  • Fat client install is on shared folder; requires local admin
14. GP Application Solutions
  • Use third party solutions for: Combining security between companies, Active Directory integration, Auditing
  • Engage Microsoft Partners to plan upgrades*
  • Common files: Use NTFS security for GP users only; Allow full access to GP program files

15. Inherent problems with GP SQL installation and how to fix them (section title)

16. GP SQL installation problems
  • GP on separate SQL instance in native mode
  • SQL level security, no Windows authentication
  • ODBC ports hard coded into application
  • DYNSA account privilege level

17. GP SQL installation solutions
  • Harden SQL instance
  • Force password policy

18. (image-only slide)

19. GP SQL installation solutions
  • Harden SQL instance
  • Force password policy
  • Hide the SQL instance

20. (image-only slide)

21. GP SQL installation solutions
  • Harden SQL instance
  • Force password policy
  • Hide the SQL instance
  • DYNSA: configure using documentation

22. Installer Errors / Lack of Experience (section title)

23. Installer error / lack of experience
  • GP sold and installed through partner
  • Business analyst installing software?
  • Due to the lack of security, you MUST use a third party application to fill in the gaps
  • Install uses privileged service account and SA

24. Installer Solutions
  • Partner you choose is well versed in SQL and GP
  • Find user group recommendations - GPUG
  • Third party vendors to secure GP
  • Disable SA account after install
  • Change service account to least privilege

25. Penetration Testing Against Great Plains (section title)
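Before the penetration-testing slides, here are the SQL-side fixes from slides 16 to 24 (force password policy, disable SA after install, check the DYNSA privilege level) as an added T-SQL audit and hardening script; it is not from the talk, and it assumes a sysadmin connection to the GP SQL instance and that GP Utilities has already finished, so sa is no longer needed. Hiding the instance (slide 19) is a SQL Server Configuration Manager setting rather than T-SQL, so it is left out.

```sql
-- Added T-SQL audit/hardening script (not from the talk). Run as sysadmin in SSMS.
-- Assumptions: GP users authenticate with SQL logins (slide 16), and the partner
-- has finished GP Utilities, which is when sa is no longer needed (slide 24).
SET NOCOUNT ON;

-- 1. Report every SQL login, whether Windows password policy applies to it,
--    and whether it holds the server-wide sysadmin role. Review this first.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.sql_logins
WHERE name NOT LIKE '##%'            -- skip SQL Server's internal certificate logins
ORDER BY is_sysadmin DESC, name;

-- 2. Disable sa once installation is done (slide 24). Application code should
--    never depend on it, so a disabled sa removes the most-guessed target.
IF EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = 'sa' AND is_disabled = 0)
BEGIN
    ALTER LOGIN sa DISABLE;
    PRINT 'sa disabled';
END;

-- 3. Enforce Windows password policy on every enabled SQL login that lacks it
--    (slide 17). GP creates and maintains its own users' SQL logins, so confirm
--    with the GP administrator before also adding CHECK_EXPIRATION = ON, which
--    forces rotation and needs CHECK_POLICY = ON to be set first.
DECLARE @login sysname, @sql NVARCHAR(300);
DECLARE fix CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.sql_logins
    WHERE is_policy_checked = 0 AND is_disabled = 0 AND name NOT LIKE '##%';
OPEN fix;
FETCH NEXT FROM fix INTO @login;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@login) + N' WITH CHECK_POLICY = ON;';
    EXEC sp_executesql @sql;
    PRINT 'Password policy enforced on ' + @login;
    FETCH NEXT FROM fix INTO @login;
END;
CLOSE fix;
DEALLOCATE fix;

-- 4. DYNSA owns the GP databases; it does not need the whole server (slide 21).
IF IS_SRVROLEMEMBER('sysadmin', 'DYNSA') = 1
    PRINT 'DYNSA is a sysadmin: compare with the DYNSA configuration guide (slide 35).';
```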
26. Performing Reconnaissance
  • Passive information gathering: Website; CFO / Accounting / Finance; Website portals that use GP

27. Performing Reconnaissance (image-only slide)

28. Performing Reconnaissance
  • Passive information gathering: Website; CFO / Accounting / Finance; Website portals that use GP
  • Make some phone calls: Software purchasing agent; Head of finance

29. Scanning and Enumeration
  • Find out if GP is running in the environment using sqlninja or nmap -n -v -sC --script=broadcast-ms-sql-discover.nse
  • SQL Server Management Studio
  • Data Sources (ODBC) in Windows

30. Gaining Access
  • Use sqlninja, sqlmap to test for SA
  • Use sqlbrute and sqldict
  • Administrative share fat client install
  • Last but not least...

31. Dex.ini
  Workstation=WINDOWS
  Pathname=DYNAMICS/dbo/
  BuildSQLMessages=FALSE
  SQLLastDataSource=Dynamics GP 2010
  LastYearEndUpdate=11/17/2011
  LastTaxCodeUpdate=01/20/2012
  Dictionary Version=11.00.1935
  ShowDebugMessages=FALSE
  AutoInstallChunks=TRUE

32. Summary (section title)

33. Summary
  • Security defects found in GP and possible solutions: Application, SQL, Installation
  • Penetration testing against GP

34. Additional Resources
  • Contact me for more information on: Dexterity development system; Great Plains SDK; GP Support Tool; GP install and troubleshooting guides
  • [email protected]
35. Additional Resources
  • Hardening guide for Dynamics AX (none published yet for GP): http://www.microsoft.com/en-us/download/details.aspx?id=232
  • SQL 2008 Security Best Practices: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=15289
  • Configure DYNSA account: http://jpdavey.blogspot.com/2011/05/sa-dynsa-and-poweruser-in-dynamics-gp.html
  • Great Plains User Group: http://www.gpug.com/
  • [email protected]

36. Questions? Comments?
  • Dave Keene, [email protected], @surferdave71
  • http://www.slideshare.net/surferdave71/breaking-microsoft-dynamics-great-plains
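The tools on slide 30 work by guessing SQL login passwords, and the query below is the defender's counterpart: an added T-SQL detection example that is not from the talk, mining SQL Server's own error log for failed-login bursts per client address and login. It assumes login auditing on the GP instance is set to record failed logins (an instance property that needs a service restart to take effect) and that the log lines carry the [CLIENT: address] suffix SQL Server 2008 writes.

```sql
-- Added detection query (not from the talk): surface password guessing against
-- SQL logins such as sa from the SQL Server error log. Assumes login auditing is
-- "Failed logins only" or "Both"; with "None" the log has no such lines at all.
SET NOCOUNT ON;

-- xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server),
-- and a text filter applied server-side so only failed-login lines come back.
CREATE TABLE #errlog (LogDate DATETIME, ProcessInfo NVARCHAR(50), [Text] NVARCHAR(MAX));
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user';

-- A typical line (constructed sample, same shape as the real message) reads:
-- Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
;WITH parsed AS (
    SELECT LogDate,
           -- login name: the text between the first pair of single quotes
           SUBSTRING([Text], CHARINDEX('''', [Text]) + 1,
                     CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                         - CHARINDEX('''', [Text]) - 1) AS LoginName,
           -- client address: the text after "[CLIENT: " up to the closing bracket
           SUBSTRING([Text], CHARINDEX('[CLIENT: ', [Text]) + 9,
                     CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                         - CHARINDEX('[CLIENT: ', [Text]) - 9) AS ClientAddress
    FROM #errlog
    WHERE [Text] LIKE '%[[]CLIENT: %'   -- [[] escapes the bracket in LIKE
)
SELECT ClientAddress, LoginName, COUNT(*) AS Failures,
       MIN(LogDate) AS FirstSeen, MAX(LogDate) AS LastSeen
FROM parsed
WHERE LogDate >= DATEADD(HOUR, -24, GETDATE())
GROUP BY ClientAddress, LoginName
HAVING COUNT(*) >= 10              -- threshold: tune to your environment
ORDER BY Failures DESC;

DROP TABLE #errlog;
```

A single workstation with a stale ODBC data source shows up as a steady trickle against one GP user; a dictionary tool shows up as hundreds of failures against sa in minutes, which is what the threshold and the 24-hour window are meant to separate.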