Application security fundamentals

Before securing the application in Microsoft Dynamics AX, we have to secure the environment.

Microsoft Dynamics AX requires Active Directory services and a firewalled network with one or two domain controllers in order to install and configure Enterprise Portal.

Microsoft Dynamics AX is based on the client/server model, so it is necessary to know how to secure both the client that makes the service request and the server that fulfills the request.

The following figure shows the high-level architecture of Dynamics AX:

[Figure: high-level architecture of Dynamics AX]

Source: Microsoft MSDN

Microsoft Dynamics AX server security

We are going to take a look at the necessary instructions that should be considered when securing the Dynamics AX server:

  • Application file server: The application files should be restricted to the application object server domain account and the administrator.
  • Database server: The database server should be secured using the recommended SQL server security practices.
  • Application object server (AOS): Access to the AOS log directory (installation directory\log) should be restricted to only the AOS account and the administrators. The domain account of the AOS should be granted rights as follows:
    • Log on as a service
    • No positive privileges should be granted.
  • Enterprise portal: Securing an enterprise portal begins with securing Microsoft Internet Information Services (IIS) by using Secure Sockets Layer (SSL) so that it is the only mechanism for a secure Internet login.
  • Business connector: This function is used by Enterprise Portal for external users, and the recommended account setup is as follows:
    • Password doesn't expire
    • No interactive logon rights

    It is better to have a complex password for the .NET business connector.
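The account and directory recommendations above can be checked on an AOS host with a short audit. This is an added example, not code from the book or from Microsoft; the account names and log path are placeholders, and it assumes "no interactive logon rights" is implemented as an explicit "Deny log on locally" assignment.

```powershell
# Added audit example. Account names and the log path are placeholders (assumptions).
# Run elevated on the AOS host; requires the ActiveDirectory module (RSAT).
$AosAccount = 'CONTOSO\svc-aos'       # hypothetical AOS service account
$BcAccount  = 'CONTOSO\svc-bcproxy'   # hypothetical Business Connector proxy account
$AosLogDir  = 'C:\AXServer\Log'       # placeholder for the AOS log directory

# Export the local user-rights assignments to a temporary file.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Get-UserRightHolder([string]$Right) {
    # Export lines look like: SeServiceLogonRight = *S-1-5-20,SomeLocalUser
    # Only direct assignments are returned; rights held via group membership are not expanded.
    $hit = Select-String -Path $inf -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $hit) { return @() }
    foreach ($entry in ($hit.Line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) { $entry; continue }
        try {   # '*' marks a SID; resolve it to DOMAIN\name when possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }
    }
}

$bcUser = Get-ADUser -Identity ($BcAccount -split '\\')[1] -Properties PasswordNeverExpires

# Identities with Allow ACEs on the log directory beyond the AOS account and Administrators.
$allowed = @($AosAccount, 'BUILTIN\Administrators')
$extra = (Get-Acl -Path $AosLogDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

[pscustomobject]@{
    AosHasLogOnAsService       = (Get-UserRightHolder 'SeServiceLogonRight') -contains $AosAccount
    BcDeniedInteractiveLogon   = (Get-UserRightHolder 'SeDenyInteractiveLogonRight') -contains $BcAccount
    BcPasswordNeverExpires     = [bool]$bcUser.PasswordNeverExpires
    UnexpectedLogDirIdentities = $extra -join '; '
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Any identity listed under UnexpectedLogDirIdentities (for example, a broad group such as Users) is a candidate for removal from the log directory ACL.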

Microsoft Dynamics AX client security

We are going to take a look at the necessary instructions that should be considered when securing the Dynamics AX client:

  • Client desktop: Set up the appropriate permissions for the shared folders and drivers
  • Business connector proxy user: This function is used by Enterprise Portal for external users, and the recommended account setup is as follows:
    • Password doesn't expire
    • No interactive logon rights
  • Other procedures must be specified for the computer accounts that are used to communicate with the server connection:
    • Between the database server and the local system, the MSSQL service must be running on the client machine (local system)
    • The domain account or network service account that is associated with the AOS service must communicate with the database server and grant a local user the appropriate rights as a user in the database

We have seen the high-level architecture of Dynamics Products and also the application security fundamentals. So, are you ready for the new security features in Microsoft Dynamics AX 2012? Let's go!
