Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Security and Protection for Microsoft Dynamics NAV 2013 on Windows Azure

Microsoft Dynamics NAV 2013

This topic contains the following information and recommendations about the security and protection of Microsoft Dynamics NAV on Windows Azure.

User Accounts Created by the Microsoft Dynamics NAV 2013 Provisioning Tools

When you deploy Microsoft Dynamics NAV, the example scripts of the Microsoft Dynamics NAV Provisioning Tools for Windows Azure automatically create the following user accounts on the virtual machines:

  • Windows Azure virtual machine administrator account.

  • Service account for Microsoft Dynamics NAV Server.

  • Microsoft Dynamics NAV user account.

User Name and Passwords for the User Accounts

When you deploy Microsoft Dynamics NAV by using the example scripts, you specify the user name and passwords in the Set-PartnerSettings.ps1 file. The Set-PartnerSettings.ps1 file includes a user name parameter and password parameter for every user account. If you do not provide a value for a password parameter, then the provisioning tools will automatically generate and assign a password to the account.

Like any computer, a Windows Azure virtual machine is a potential object for a security attack. When you set the password, make sure that the password meets the Windows Server password complexity requirements. For more information, see Passwords must meet complexity requirements.

Windows Azure Virtual Machine Administrator Accounts

The provisioning tools create new virtual machines on which Microsoft Dynamics NAV components are installed. On each virtual machine, the provisioning tools create a local Windows user account in the Administrator group. In the Set-PartnerSettings.ps1 file of the example scripts, you specify the user name and password for the virtual machine accounts by setting the following parameters:

  • $NAV_VMAdminUserName

  • $NAV_VMAdminPassword

  • $NAV_SqlServerMachineAdminUserName

  • $NAV_SqlServerMachineAdminPassword

Dn168996.Important(en-us,NAV.70).gifImportant
Any account that is a member of the Windows Administrator group of a virtual machine has rights to execute administrative operations on Microsoft Dynamics NAV Server instances through the Microsoft Dynamics NAV Administration Tool.

Microsoft Dynamic NAV Server Service Account

Microsoft Dynamics NAV Server is a Windows service that is configured to run under a specific Windows user account. The provisioning tools automatically create and configure a service account for the Microsoft Dynamics NAV Server. In the Set-PartnerSettings.ps1 file of the example scripts, you specify the Microsoft Dynamics NAV Server service account by setting the $NAV_WindowsServiceAccount parameter and $NAV_WindowsServiceAccountPassword parameter.

If there is more than one Microsoft Dynamics NAV Server instance on the virtual machine, then you should create a separate service account for every instance.

You should control the resources, such as files and directories, on the virtual machines that the service accounts can access by configuring Access Control Lists (ACLs) for the resources. For more information, see Access Control Lists.

Dn168996.note(en-us,NAV.70).gifNote
The service account does not have to be a member of the Administrator group.

For more information about the service account, see Provisioning the Microsoft Dynamics NAV Server Account.

Default Microsoft Dynamics NAV User

The provisioning tools create a default Microsoft Dynamics NAV user who is assigned the SUPER permission set. The user is given access to all companies in the Microsoft Dynamics NAV database. In the Set-PartnerSettings.ps1 file of the example scripts, you specify the Microsoft Dynamics NAV user by setting the $NAV_NAVAdminUserName parameter and the $NAV_NAVAdminPassword parameter.

Dn168996.note(en-us,NAV.70).gifNote
For the Microsoft Dynamics NAV user account, if you specify a user name that is already being used by a user account in the Microsoft Dynamics NAV database, then a new user is not created. Only the password of the existing user account is changed. The existing user account will not be assigned the SUPER permission set unless it is already assigned.

The first time that you try to sign in to Microsoft Dynamics NAV by using the default Microsoft Dynamics NAV user account, you will be asked to change the password.

Clients and Services

The Microsoft Dynamics NAV Provisioning Tools for Windows Azure configures several communication endpoints on Windows Azure virtual machines that support clients, services, and remote administration of Microsoft Dynamics NAV.

Microsoft Dynamics NAV Web Client

The provisioning tools install a website on IIS on the virtual machine. The website acts as a container for one or more web server instances for the Microsoft Dynamics NAV Web client. To help secure the Microsoft Dynamics NAV data transmission, the provisioning tools scripts configure Secure Sockets Layer (SSL) on the connection to Microsoft Dynamics NAV Web client according to the following:

  • Create a binding that uses HTTPS communication protocol on port 443.

  • Apply an SSL certificate to the binding. You specify the SSL certificate in the Set-PartnerSettings file of the provisioning tools.

  • Open port 443 through Windows Firewall of the virtual machine and add the port to the Windows Azure service endpoints.

For more information about SSL for the Microsoft Dynamics NAV Web client, see How to: Configure SSL to Secure the Connection to Microsoft Dynamics NAV Web Client.

Microsoft Dynamics NAV Windows Client

The provisioning tools configure a ClickOnce website from which users can install the Microsoft Dynamics NAV Windows client. To secure the ClickOnce installation, the provisioning tools implement a security certificate on the website. When you deploy Microsoft Dynamics NAV with the provisioning tools, you can specify the certificate in the Set-PartnerSetting file that is used by the example scripts. There are no specific security considerations for using the Microsoft Dynamics NAV Windows client that is deployed by the provisioning tools. The provisioning tools automatically configure the connection to Microsoft Dynamics NAV Server instance that is used by the Microsoft Dynamics NAV Windows client. The communication port that is used by a Microsoft Dynamics NAV Server instance is opened through Windows Firewall and added as an endpoint in Windows Azure.

SOAP and OData Web Services

By default, for security reasons, the provisioning tools do not automatically configure SOAP and OData web services in the Microsoft Dynamics NAV deployment on Windows Azure. If you want to implement SOAP and OData web services, you must enable the services on the Microsoft Dynamics NAV Server, and then add endpoints for the services in Windows Azure. You can do this programmatically or manually. To help secure the network, we recommend that you configure the web services to use Secure Sockets Layer (SSL).

For more information, see How to: Configure SOAP and OData Web Services for Microsoft Dynamics NAV on Windows Azure.

Remote Desktop (RDP)

The provisioning tools enable Remote Desktop connections to virtual machines on Windows Azure. We recommend that you limit scope of the IP addresses that have permission to establish a Remote Desktop connection to the virtual machine. To do this, modify the inbound rule that enables Remote Desktop connections (RDP traffic) in Windows Firewall of the virtual machine.

For more information, see Remote Desktop Services and Windows Firewall.

Windows PowerShell Remoting

To deploy Microsoft Dynamics NAV by using the provisioning tools, Window PowerShell Remoting must be enabled on the Windows Azure virtual machines. If you use a Windows Azure Gallery image when you deploy Microsoft Dynamics NAV, then Windows PowerShell Remoting is enabled by default. If you are using a custom image, then make sure that Windows PowerShell Remoting is enabled on the image. For more information, see How to: Create a Windows Azure Virtual Machine Operating System Image for Microsoft Dynamics NAV.

When provisioning tools scripts are executed at provisioning, a Windows PowerShell remote session is established from the provisioning computer to the Windows Azure virtual machine. To help secure the communication, the provisioning tools implement a Windows Remote Management (WinRM) session that uses an HTTPS listener with a SSL certificate.

After you deploy Microsoft Dynamics NAV, you can establish a Windows PowerShell remote session to the Windows Azure virtual machines and run additional Windows PowerShell cmdlets and scripts to configure the deployment. We recommend that you set up HTTPS on the Windows PowerShell remote session.

Microsoft Dynamics NAV Development Environment

When you use the Microsoft Dynamics NAV Development Environment to develop Microsoft Dynamics NAV applications on Windows Azure virtual machines, we recommended that you establish a Remote Desktop connection to the virtual machine, and then run the development environment on the virtual machine. If you open ports in Windows Firewall on the SQL Server computer to enable access the Microsoft Dynamics NAV database from a remote computer, then you introduce a potential security risk.

Custom Images for Windows Azure Virtual Machines

The provisioning tools example scripts create virtual machines based on a VHD image that you specify in the Set-PartnerSettings.ps1 file when you run the scripts. Instead of using an image from the Windows Azure Image Gallery, you can create a custom image. If you are using a custom image, then you should make sure that the image aligns with Microsoft solution accelerators. For more information, see Microsoft Solution Accelerators.

For more information about how to create an image, see How to: Create a Windows Azure Virtual Machine Operating System Image for Microsoft Dynamics NAV.

Antivirus Software

Virtual machines that are created by the provisioning tools are standard Windows machines and should be protected by using common protection mechanisms. Windows Azure provides virtual machines as an Infrastructure as a Service (IaaS), which means that you are responsible for the day-to-day protection of the virtual machine. We recommended that you use antivirus software and keep the software updated.

See Also

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.