Security and Protection for Microsoft Dynamics NAV on Microsoft Azure
This topic contains the following information and recommendations about the security and protection of Dynamics NAV on Microsoft Azure.
User Accounts Created by the Microsoft Dynamics NAV Provisioning Tools
When you deploy Dynamics NAV, the example scripts of the Microsoft Dynamics NAV Provisioning Tools for Microsoft Azure automatically create the following user accounts on the virtual machines:
Azure virtual machine administrator account.
Service account for Microsoft Dynamics NAV Server.
Dynamics NAV user account.
User Name and Passwords for the User Accounts
When you deploy Dynamics NAV by using the example scripts, you specify the user name and passwords in the Set-PartnerSettings.ps1 file. The Set-PartnerSettings.ps1 file includes a user name parameter and password parameter for every user account. If you do not provide a value for a password parameter, then the provisioning tools will automatically generate and assign a password to the account.
Like any computer, an Azure virtual machine is a potential object for a security attack. When you set the password, make sure that the password meets the Windows Server password complexity requirements. For more information, see Passwords must meet complexity requirements.
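The following is an added example, not part of the Microsoft Dynamics NAV Provisioning Tools. It checks a candidate password against the Windows Server complexity policy described above (minimum length, no embedded user name, and characters from at least three of the four categories) before the value is placed in Set-PartnerSettings.ps1, and it generates a compliant random password from a cryptographic random source. The default minimum length of 8 is the policy default and is an assumption to adjust to your domain policy.

```powershell
# Added example; not the provisioning tools' own code.
# Checks a password against the "Passwords must meet complexity requirements" policy.
function Test-WindowsPasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserName,
        [int]$MinimumLength = 8   # policy default; assumed, adjust to your policy
    )
    $problems = @()
    if ($Password.Length -lt $MinimumLength) {
        $problems += "shorter than $MinimumLength characters"
    }
    # The policy rejects passwords that contain the account name (3+ characters).
    if ($UserName.Length -ge 3 -and $Password.ToLower().Contains($UserName.ToLower())) {
        $problems += "contains the user name"
    }
    # Characters from at least three of the four categories are required.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $problems += "uses only $categories of the 4 character categories (3 required)"
    }
    [pscustomobject]@{
        IsCompliant = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Generates a random password that satisfies the check above, using the
# .NET cryptographic RNG rather than Get-Random.
function New-CompliantPassword {
    param([int]$Length = 16)
    $upper  = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower  = [char[]]'abcdefghijkmnopqrstuvwxyz'
    $digit  = [char[]]'23456789'
    $symbol = [char[]]'!@#$%^&*-_=+?'
    $all    = $upper + $lower + $digit + $symbol
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Picks one element of $set with the CSPRNG (modulo bias is negligible for these set sizes).
    $pick = {
        param($set)
        $bytes = New-Object byte[] 4
        $rng.GetBytes($bytes)
        $set[[BitConverter]::ToUInt32($bytes, 0) % $set.Count]
    }
    # Guarantee one character from every category, then fill up to the requested length.
    $chars = @((& $pick $upper), (& $pick $lower), (& $pick $digit), (& $pick $symbol))
    while ($chars.Count -lt $Length) { $chars += (& $pick $all) }
    # Fisher-Yates shuffle so the guaranteed characters are not always in fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $pick (0..$i)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

# Usage: generate a password for the NAV admin account and confirm it is compliant.
$candidate = New-CompliantPassword -Length 20
Test-WindowsPasswordComplexity -Password $candidate -UserName 'NAVAdmin'
```

Run the check against every password you put into Set-PartnerSettings.ps1; a value that fails the local policy makes account creation fail on the virtual machine, and a value that passes only because the policy is weak should be lengthened regardless.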
Azure Virtual Machine Administrator Accounts
The provisioning tools create new virtual machines on which Dynamics NAV components are installed. On each virtual machine, the provisioning tools create a local Windows user account in the Administrator group. In the Set-PartnerSettings.ps1 file of the example scripts, you specify the user name and password for the virtual machine accounts by setting the following parameters:
Any account that is a member of the Windows Administrator group of a virtual machine has rights to execute administrative operations on Microsoft Dynamics NAV Server instances through the Dynamics NAV Administration Tool.
Microsoft Dynamics NAV Server Service Account
Microsoft Dynamics NAV Server is a Windows service that is configured to run under a specific Windows user account. The provisioning tools automatically create and configure a service account for the Microsoft Dynamics NAV Server. In the Set-PartnerSettings.ps1 file of the example scripts, you specify the Microsoft Dynamics NAV Server service account by setting the $NAV_WindowsServiceAccount parameter and $NAV_WindowsServiceAccountPassword parameter.
If there is more than one Microsoft Dynamics NAV Server instance on the virtual machine, then you should create a separate service account for every instance.
You should control the resources, such as files and directories, on the virtual machines that the service accounts can access by configuring Access Control Lists (ACLs) for the resources. For more information, see Access Control Lists.
The service account does not have to be a member of the Administrator group.
For more information about the service account, see Provisioning the Microsoft Dynamics NAV Server Account.
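As an added example, not the provisioning tools' own code, the script below applies the three recommendations in this section: one local service account per Microsoft Dynamics NAV Server instance, an ACL that grants that account access only to its own instance directory, and a check that the account is not a member of the Administrators group. The account naming convention `svc-nav-<instance>` and the instance data path are assumptions; `New-LocalUser` and `Get-LocalGroupMember` require the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016, or 2012 R2 with WMF 5.1).

```powershell
# Added example; not part of the provisioning tools.
# Creates a dedicated service account for one NAV Server instance and scopes
# its file system access with an ACL on the instance directory only.
function New-NavServiceAccount {
    param(
        [Parameter(Mandatory)][string]$InstanceName,
        [Parameter(Mandatory)][securestring]$Password,
        # Assumed location of the instance's data; adjust to your deployment.
        [string]$InstanceDataPath = "C:\ProgramData\Microsoft\Microsoft Dynamics NAV\$InstanceName"
    )
    $accountName = "svc-nav-$InstanceName"   # assumed naming convention
    if (-not (Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $accountName -Password $Password `
            -PasswordNeverExpires -UserMayNotChangePassword `
            -Description "Service account for NAV Server instance $InstanceName" | Out-Null
    }
    if (-not (Test-Path $InstanceDataPath)) {
        New-Item -ItemType Directory -Path $InstanceDataPath | Out-Null
    }
    # Grant Modify (read, write, delete) on the instance directory and its children,
    # and nothing elsewhere on the disk.
    $acl  = Get-Acl -Path $InstanceDataPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $accountName, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $InstanceDataPath -AclObject $acl
    return $accountName
}

# Returns $true when the account is NOT in the local Administrators group.
function Test-NavServiceAccountIsNotAdmin {
    param([Parameter(Mandatory)][string]$AccountName)
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.Split('\')[-1] }
    return ($admins -notcontains $AccountName)
}

# Usage: one account per instance, then verify least privilege.
$acct = New-NavServiceAccount -InstanceName 'DynamicsNAV80' -Password (Read-Host -AsSecureString 'Service account password')
Test-NavServiceAccountIsNotAdmin -AccountName $acct
```

Assign the account to the service through the Microsoft Dynamics NAV Administration Tool or the service properties dialog, which grants the "Log on as a service" right as part of the change; rerun the `Test-NavServiceAccountIsNotAdmin` check after any later group membership change on the virtual machine.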
Default Microsoft Dynamics NAV User
The provisioning tools create a default Dynamics NAV user who is assigned the SUPER permission set. The user is given access to all companies in the Dynamics NAV database. In the Set-PartnerSettings.ps1 file of the example scripts, you specify the Dynamics NAV user by setting the $NAV_NAVAdminUserName parameter and the $NAV_NAVAdminPassword parameter.
For the Dynamics NAV user account, if you specify a user name that is already being used by a user account in the Dynamics NAV database, then a new user is not created. Only the password of the existing user account is changed. The existing user account will not be assigned the SUPER permission set unless it is already assigned.
The first time that you try to sign in to Dynamics NAV by using the default Dynamics NAV user account, you will be asked to change the password.
Clients and Services
The Microsoft Dynamics NAV Provisioning Tools for Microsoft Azure configure several communication endpoints on Azure virtual machines that support clients, services, and remote administration of Dynamics NAV.
Microsoft Dynamics NAV Web Client
The provisioning tools install a website on IIS on the virtual machine. The website acts as a container for one or more web server instances for the Microsoft Dynamics NAV Web client. To help secure the Dynamics NAV data transmission, the provisioning tools scripts configure Secure Sockets Layer (SSL) on the connection to Microsoft Dynamics NAV Web client according to the following:
Create a binding that uses HTTPS communication protocol on port 443.
Apply an SSL certificate to the binding. You specify the SSL certificate in the Set-PartnerSettings file of the provisioning tools.
Open port 443 through Windows Firewall of the virtual machine and add the port to the Azure service endpoints.
For more information about SSL for the Microsoft Dynamics NAV Web client, see How to: Configure SSL to Secure the Connection to Microsoft Dynamics NAV Web Client.
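The three steps above, as an added example that is not the provisioning tools' own script. It uses the IIS WebAdministration module on the virtual machine and assumes the website is named "Microsoft Dynamics NAV Web Client" and that the SSL certificate is already installed with its private key in the local machine store. The Azure service endpoint is created on the Azure side (for the classic deployment model used by these tools, with the Azure PowerShell endpoint cmdlets) and is not part of this script.

```powershell
# Added example; not the provisioning tools' own code.
Import-Module WebAdministration

function Set-NavWebClientHttps {
    param(
        [string]$SiteName = 'Microsoft Dynamics NAV Web Client',   # assumed site name
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        [int]$Port = 443
    )
    # Refuse certificates that cannot actually terminate TLS.
    $cert = Get-Item "Cert:\LocalMachine\My\$CertificateThumbprint"
    if (-not $cert.HasPrivateKey)      { throw "Certificate $CertificateThumbprint has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    # 1. Create the HTTPS binding on the port (idempotent).
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*' | Out-Null
    }

    # 2. Attach the certificate to the binding; 0.0.0.0!<port> means all addresses.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    New-Item $sslPath -Value $cert | Out-Null

    # 3. Open the port in Windows Firewall (the Azure endpoint is added separately).
    if (-not (Get-NetFirewallRule -DisplayName 'NAV Web Client HTTPS' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'NAV Web Client HTTPS' -Direction Inbound `
            -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
    }

    # Return the binding so the caller can verify what is now in force.
    Get-WebBinding -Name $SiteName -Protocol https -Port $Port
}

# Usage: bind the certificate identified by its thumbprint (placeholder value).
Set-NavWebClientHttps -CertificateThumbprint '<thumbprint-of-your-certificate>'
```

After running it, confirm there is no remaining HTTP binding on port 80 for the same site (`Get-WebBinding -Name $SiteName -Protocol http`) unless you intend to keep one that redirects to HTTPS; otherwise client credentials can still be sent in clear text.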
Microsoft Dynamics NAV Windows Client
The provisioning tools configure a ClickOnce website from which users can install the Microsoft Dynamics NAV Windows client. To secure the ClickOnce installation, the provisioning tools implement a security certificate on the website. When you deploy Dynamics NAV with the provisioning tools, you can specify the certificate in the Set-PartnerSettings file that is used by the example scripts. There are no specific security considerations for using the Microsoft Dynamics NAV Windows client that is deployed by the provisioning tools. The provisioning tools automatically configure the connection to the Microsoft Dynamics NAV Server instance that is used by the Microsoft Dynamics NAV Windows client. The communication port that is used by a Microsoft Dynamics NAV Server instance is opened through Windows Firewall and added as an endpoint in Azure.
Remote Desktop (RDP)
The provisioning tools enable Remote Desktop connections to virtual machines on Azure. We recommend that you limit the scope of the IP addresses that have permission to establish a Remote Desktop connection to the virtual machine. To do this, modify the inbound rule that enables Remote Desktop connections (RDP traffic) in Windows Firewall of the virtual machine.
For more information, see Remote Desktop Services and Windows Firewall.
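An added example of the firewall change recommended above; it is not part of the provisioning tools. It scopes every inbound rule in the built-in "Remote Desktop" rule group to a list of trusted source addresses and returns the resulting scope for review. The address range in the default parameter is an RFC 5737 documentation range used as a constructed placeholder.

```powershell
# Added example; not the provisioning tools' own code.
# Limits the Remote Desktop inbound rules to the given source addresses or CIDR ranges.
function Set-RemoteDesktopSourceScope {
    param(
        # Constructed placeholder; replace with your administrators' public addresses.
        [string[]]$AllowedAddresses = @('203.0.113.0/24')
    )
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
    if (-not $rules) { throw "No inbound rules found in the 'Remote Desktop' group" }

    # RemoteAddress replaces the default 'Any' scope on each rule.
    $rules | Set-NetFirewallRule -RemoteAddress $AllowedAddresses -Enabled True

    # Report one row per rule with the scope now in force.
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RemoteAddress = ($filter.RemoteAddress -join ', ')
        }
    }
}

# Usage: restrict RDP to two constructed management addresses.
Set-RemoteDesktopSourceScope -AllowedAddresses @('203.0.113.10', '198.51.100.0/24')
```

Run this from an address that is in the allowed list, or from a session that does not depend on RDP (for example a Windows PowerShell remote session), because the change takes effect immediately and an RDP session from an excluded address will not be able to reconnect.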
Windows PowerShell Remoting
To deploy Dynamics NAV by using the provisioning tools, Windows PowerShell Remoting must be enabled on the Azure virtual machines. If you use an Azure Gallery image when you deploy Dynamics NAV, then Windows PowerShell Remoting is enabled by default. If you are using a custom image, then make sure that Windows PowerShell Remoting is enabled on the image. For more information, see How to: Create a Microsoft Azure Virtual Machine Operating System Image for Microsoft Dynamics NAV.
When the provisioning tools scripts are executed at provisioning, a Windows PowerShell remote session is established from the provisioning computer to the Azure virtual machine. To help secure the communication, the provisioning tools implement a Windows Remote Management (WinRM) session that uses an HTTPS listener with an SSL certificate.
After you deploy Dynamics NAV, you can establish a Windows PowerShell remote session to the Azure virtual machines and run additional Windows PowerShell cmdlets and scripts to configure the deployment. We recommend that you set up HTTPS on the Windows PowerShell remote session.
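The HTTPS configuration recommended above, as an added example that is not the provisioning tools' own code. The first function runs on the virtual machine: it replaces any existing WinRM HTTPS listener with one bound to the given certificate and opens port 5986. The second function runs on the administrator's computer and opens a remote session that requires HTTPS. The certificate is assumed to be already installed in the local machine store with a subject that matches the host name clients connect to.

```powershell
# Added example; not part of the provisioning tools.

# Server side: bind the WinRM HTTPS listener to a certificate.
function Enable-WinRmHttpsListener {
    param(
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$CertificateThumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $CertificateThumbprint has no private key" }
    # Clients validate the subject against the name they connect to; warn on a mismatch.
    if ($cert.Subject -notmatch [regex]::Escape($HostName)) {
        Write-Warning "Certificate subject '$($cert.Subject)' does not contain '$HostName'"
    }

    # Remove any existing HTTPS listener so the new certificate is the only one in use.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }

    $selector = @{ Address = '*'; Transport = 'HTTPS' }
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
        -ValueSet @{ Hostname = $HostName; CertificateThumbprint = $CertificateThumbprint } | Out-Null

    # Open the WinRM HTTPS port (5986) in Windows Firewall.
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
            -LocalPort 5986 -Action Allow | Out-Null
    }

    # Return the listener so the caller can confirm the thumbprint it uses.
    Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector
}

# Client side: open a remote session that insists on HTTPS and full certificate checks.
function New-NavRemoteSession {
    param(
        [Parameter(Mandatory)][string]$ComputerName,     # must match the certificate subject
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # -UseSSL selects the HTTPS listener. Do not add -SkipCACheck or -SkipCNCheck
    # session options; they disable the validation that makes HTTPS meaningful.
    New-PSSession -ComputerName $ComputerName -Port 5986 -UseSSL -Credential $Credential
}

# Usage on the VM (placeholder thumbprint), then from the administrator's machine.
Enable-WinRmHttpsListener -CertificateThumbprint '<thumbprint-of-your-certificate>'
$session = New-NavRemoteSession -ComputerName 'navserver.example.com' -Credential (Get-Credential)
Invoke-Command -Session $session -ScriptBlock { Get-Service -Name 'MicrosoftDynamicsNavServer*' }
```

Once the HTTPS listener works, consider removing the HTTP listener (`Transport=HTTP`) with the same `Remove-Item` pattern and closing port 5985 in the firewall, so that a session can only be established over the encrypted channel.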
Microsoft Dynamics NAV Development Environment
When you use the Microsoft Dynamics NAV Development Environment to develop Dynamics NAV applications on Azure virtual machines, we recommend that you establish a Remote Desktop connection to the virtual machine, and then run the development environment on the virtual machine. If you open ports in Windows Firewall on the SQL Server computer to enable access to the Dynamics NAV database from a remote computer, then you introduce a potential security risk.
Custom Images for Azure Virtual Machines
The provisioning tools example scripts create virtual machines based on a VHD image that you specify in the Set-PartnerSettings.ps1 file when you run the scripts. Instead of using an image from the Azure Marketplace, you can create a custom image. If you are using a custom image, then you should make sure that the image aligns with Microsoft solution accelerators. For more information, see Microsoft Solution Accelerators.
For more information about how to create an image, see How to: Create a Microsoft Azure Virtual Machine Operating System Image for Microsoft Dynamics NAV.
Virtual machines that are created by the provisioning tools are standard Windows machines and should be protected by using common protection mechanisms. Azure provides virtual machines as Infrastructure as a Service (IaaS), which means that you are responsible for the day-to-day protection of the virtual machine. We recommend that you use antivirus software and keep the software updated.