How to prevent SQL Insertion attacks from Dynamics Nav

Hiii,

I need to know whether SQL Insertion attacks are possible through Dynamics NAV, and if yes, how we can prevent it…

Thank you

Hi Kanchan,

Firstly welcome to Dynamics User Group.

What do you mean by “SQL Insertion Attacks”?

Here is a link to the wiki page.

http://en.wikipedia.org/wiki/SQL_injection

The best way to find out about this is to perform some testing on a SQL implementation of NAV.

NAV does not allow users to execute SQL statements on the SQL database. Access is only via the application and that uses C/AL.

I think it unlikely that NAV will allow such an attack but that will depend upon the safety / security of the implementation. Security, preventing illegal access to data, on a NAV database is best managed using Windows AD log-ons with the security that is implicit.

Now waiting for an informed contribution.

I think you are mixing concepts. In development environments such as .NET you have direct access to SQL, so you can have SQL injection attacks and other vulnerabilities. In Navision everything is controlled by the client application and you don’t have direct SQL access, so in theory you can’t have SQL attacks, except for an error in the client, and as far as I know there aren’t such errors in the NAV client.

Hi,

as already mentioned “SQL Injection” is hardly possible with NAV.

But: usually all NAV users are assigned to the role “public” in SQL Server. All further restrictions are handled by Application Roles (either $ndo$shadow or $ndo$ar$… depending on the “Security Model”). These AR only apply when logging on through NAV. If a user is able to log on directly to the SQL Server - not using NAV, but maybe SQL Server Management Studio etc. - this user might have too many rights!

That means: when logging on directly to SQL Server, the AR are bypassed, so no NAV restrictions apply. Only “public” is valid. If that is a problem, you could assign the Database Roles db_denydatawriter and/or db_denydatareader to “public”.

Or, of course, you could create your own DBR to define appropriate user rights outside NAV …
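The gap described in the last reply (a direct SQL login holding only “public”, with the NAV application roles bypassed) can be audited and closed from T-SQL. This is an added example, not code from the thread or from NAV; the database, user and table names are placeholders, and the explicit DENY on “public” is shown as an equivalent of the deny-role assignment the reply suggests.

```sql
-- Added example, not from the thread: audit and close the "direct SQL login" gap.
-- Database, user and table names are placeholders; run as a database owner / sysadmin.
USE [NAV_DB_PLACEHOLDER];
GO

-- 1. NAV's application roles (the reply names $ndo$shadow and $ndo$ar$...):
--    these are only activated when the user connects through the NAV client.
SELECT name, type_desc
FROM sys.database_principals
WHERE type = 'A' AND name LIKE '$ndo$%';

-- 2. Database users who reach this database with nothing but "public" when they
--    connect directly (SSMS, ODBC, ...), i.e. without any application role active.
SELECT u.name AS db_user, u.type_desc
FROM sys.database_principals AS u
WHERE u.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND u.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
  AND NOT EXISTS (SELECT 1 FROM sys.database_role_members AS rm
                  WHERE rm.member_principal_id = u.principal_id);

-- 3. Effective-permission check for one such user on a NAV table, with no
--    application role active: 1 = allowed, 0 = denied.
EXECUTE AS USER = 'NAVUSER_PLACEHOLDER';
SELECT HAS_PERMS_BY_NAME('dbo.[COMPANY_PLACEHOLDER$Customer]', 'OBJECT', 'SELECT') AS can_read,
       HAS_PERMS_BY_NAME('dbo.[COMPANY_PLACEHOLDER$Customer]', 'OBJECT', 'UPDATE') AS can_write;
REVERT;

-- 4. Close the gap. The reply's route is to make "public" a member of
--    db_denydatareader / db_denydatawriter; an explicit DENY on "public" at
--    database scope (shown here) aims at the same outcome: DENY wins over GRANT,
--    so a direct login that holds only "public" can no longer read or change data.
DENY SELECT, INSERT, UPDATE, DELETE ON DATABASE::[NAV_DB_PLACEHOLDER] TO public;
GO

-- 5. Re-run step 3: both columns should now return 0. Then log on through the
--    NAV client and confirm it still works, since after this change the
--    application role's own grants are what must carry NAV's data access.
```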