Hi, we have been doing some tests here and have been absolutely amazed at how easy it is to sniff user passwords when using database server authentication with SQL. Basically, using a basic sniffer tool we were able to see all the passwords of all users just floating around in the clear, and the Navision client seems to offer little to help secure the connection (i.e. provision for digital certs etc.). As an Internet security house we will now be making our own provisions to make it more secure, and if I get some time I may do a little white paper on what we did and post it somewhere. Also, if anybody knows of any standard Navision docs or clever suggestions on this, can you please send them to me? Many thanks, Meint
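The mechanism behind the observation above, as an added example that is not part of the original thread and not Navision or Microsoft code: a SQL Server database login is carried in the TDS LOGIN7 message, and MS-TDS specifies that the client "protects" the password only by swapping the nibbles of each byte and XORing it with 0xA5. That encoding is fixed and public, so a sniffer recovers the password as easily as if it were plaintext. The script below builds a minimal TDS 7.0 LOGIN7 message for a constructed username and password (the host name, application name and zero ClientID are assumed filler, not captured data), then parses it back the way a sniffer would: read the offset/length table, slice out the password bytes and undo the encoding.

```python
import struct

# TDS 7.0 LOGIN7: 36-byte fixed header + 50-byte offset/length table, data starts at 86
FIXED_LEN = 86


def tds7_obfuscate(password: str) -> bytes:
    """Apply the LOGIN7 password encoding from MS-TDS: for every byte of the
    UTF-16LE password, swap the high and low nibbles, then XOR with 0xA5."""
    out = bytearray()
    for b in password.encode("utf-16-le"):
        swapped = ((b & 0x0F) << 4) | (b >> 4)
        out.append(swapped ^ 0xA5)
    return bytes(out)


def tds7_deobfuscate(data: bytes) -> str:
    """Reverse the encoding: XOR with 0xA5 first, then swap the nibbles back."""
    out = bytearray()
    for b in data:
        x = b ^ 0xA5
        out.append(((x & 0x0F) << 4) | (x >> 4))
    return out.decode("utf-16-le")


def build_login7(user: str, password: str, host: str = "WS01", app: str = "fin.exe") -> bytes:
    """Construct a minimal LOGIN7 message (constructed sample, not a real capture).
    Only HostName, UserName, Password and AppName carry data; the other table
    entries are left empty, as a client is allowed to do."""
    data = b""
    table = []
    for chunk in (host.encode("utf-16-le"), user.encode("utf-16-le"),
                  tds7_obfuscate(password), app.encode("utf-16-le")):
        table.append((FIXED_LEN + len(data), len(chunk) // 2))  # offset, char count
        data += chunk
    table += [(0, 0)] * 5  # ServerName, Unused, CltIntName, Language, Database: empty

    total = FIXED_LEN + len(data)
    # Length, TDSVersion (7.0), PacketSize, ClientProgVer, ClientPID, ConnectionID
    hdr = struct.pack("<IIIIII", total, 0x70000000, 4096, 0, 0, 0)
    hdr += bytes(4)                         # OptionFlags1/2, TypeFlags, reserved
    hdr += struct.pack("<ii", 0, 0x0409)    # ClientTimeZone, ClientLCID
    off = b"".join(struct.pack("<HH", ib, cch) for ib, cch in table)  # 9 pairs
    off += bytes(6)                         # ClientID (MAC address), zeroed here
    off += struct.pack("<HHHH", 0, 0, 0, 0)  # ibSSPI, cbSSPI, ibAtchDBFile, cchAtchDBFile
    return hdr + off + data


def extract_credentials(login7: bytes) -> tuple:
    """What a sniffer does with a captured LOGIN7 body: read ibUserName/cchUserName
    and ibPassword/cchPassword from the table (bytes 40..47), slice, decode."""
    ib_user, cch_user, ib_pass, cch_pass = struct.unpack_from("<HHHH", login7, 40)
    user = login7[ib_user:ib_user + 2 * cch_user].decode("utf-16-le")
    password = tds7_deobfuscate(login7[ib_pass:ib_pass + 2 * cch_pass])
    return user, password


if __name__ == "__main__":
    pkt = build_login7("meint", "Summer2003")       # constructed credentials
    print("on the wire:", pkt[FIXED_LEN:].hex())
    print("recovered  :", extract_credentials(pkt))
```

The tell-tale sign in a real capture is the run of 0xA5 bytes at every odd position of the password field: that is what the zero high byte of each ASCII character in UTF-16LE turns into. Note that this encoding is part of the login message itself and is unrelated to network-library encryption; without SSL on the net library, every database login crossing the wire can be decoded this way.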
Database logins are not secure, even if you enable encryption for the SQL Server network libraries, which are not controlled or enforced by Navision. Move to Windows authenticated users if you are concerned about security. It's just a matter of time until the database logins become "legacy only" and thereafter not supported.
Hi Robert, thanks for your reply. We have reviewed Windows security and found issues there as well, but it seems we can resolve those. I am just amazed that there are no more warnings in the SQL Server installation guide, because in essence once you get onto an internal workstation within an organisation it will only take 5 to 10 minutes to get your hands on usernames and passwords. Chances are that those people with network admin rights will use the same password for Navision as they do for other stuff, and within 10 minutes it would be "game over". My random guess is that 99% of all users are completely unaware of this issue. Suppose that next to knowing about functional aspects of Navision and development I now have to add security to my skills portfolio. Meint
Agreed. Did you consider obtaining client and server certificates to enable you to make use of the encryption in the net libraries? I think the logistics of this puts many users off - not exactly a point-click-done process!
Yeah, this is what we are now looking at using. When we get it up and running I will see if I can make a little document available that describes the process step by step. I suppose that as part of the new Microsoft security drive we could also do with an "Advanced Security Guide" for Navision which explains these issues in a bit more depth. TBH, setting up users and roles in Navision is a royal pain in the backside, and it is a bit painful to then find that any user can sniff another user's password and undo all the hard work you have put in. Even with the Windows logins the process is not secure enough: passwords can still be sniffed (be it in encrypted form) and then brute forced by something like L0phtCrack. It takes a bit longer, but if the password is in a dictionary then it is still pretty easy. Digital certs are the way to go, we think. Meint