The Microsoft Dynamics AX 2009 Security

Hardening Guide
Microsoft Corporation
Published: May 2008
Microsoft Dynamics is a line of integrated, adaptable business management solutions that
enables you and your people to make business decisions with greater confidence. Microsoft
Dynamics works like and with familiar Microsoft software, automating and streamlining financial,
customer relationship and supply chain processes in a way that helps you drive business
success.

U.S. and Canada Toll Free 1-888-477-7989

Worldwide +1-701-281-6500
www.microsoft.com/dynamics

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,

EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. The entire risk of the use or the results from the use of this document
remains with the user. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Internet Explorer, Windows, Windows BitLocker, Windows Server, Microsoft .NET,
Microsoft SQL Server®, and Microsoft and the Microsoft Dynamics Logo are either registered
trademarks or trademarks of Microsoft Corporation, FRx Software Corporation, or Microsoft
Business Solutions ApS in the United States and/or other countries. Microsoft Business Solutions
ApS and FRx Software Corporation are subsidiaries of Microsoft Corporation.
Table of Contents
Introduction to the Security Hardening Guide 5

Reduce the attack surface of the Microsoft Dynamics AX client 7

Reduce the attack surface of the Microsoft Dynamics AX Application Object Server 16

Reduce the attack surface of the Microsoft Dynamics AX database 20

Appendix A: Table Permissions Framework Reference 24

Security Hardening Guide 3

 Microsoft Dynamics AX

Introduction to the Security Hardening Guide

This guide is intended for IT professionals who are deploying Microsoft Dynamics AX 2009 or
who want to improve the security of an existing Microsoft Dynamics AX 2009 deployment. This
guide discusses how to reduce the attack surface of the major Microsoft Dynamics AX
components (the client, the Application Object Server (AOS), and the database). This guide also
describes how to use various Microsoft Windows operating system features to improve the
security of your computing environment.
This guide does not describe how to set up or configure specific security features in Microsoft
Dynamics AX 2009, such as record-level security, domains, or user-group permissions. You can
view information about these security features in the Microsoft Dynamics AX online Help. (Click
the Help icon > System and Application Setup > System setup > Setting up and maintaining
security.)

Concepts
This guide discusses the following security concepts.

Concept Description

Attack surface In a computing environment, the attack surface is an assessment

of the potential vulnerabilities where a malicious user might gain
access to code or data in your business or organization.
Administrators want to reduce the attack surface of the computing
environment (reduce the number of potential exploits or
vulnerabilities) so that a malicious user cannot access, steal,
change, or destroy code or data. Reducing the attack surface can
involve:
 Disabling ports and processes to reduce the potential of an
attack from the Internet and the network.
 Disabling features to reduce the amount of code that executes
on the computer, thereby reducing the volume of code that can
be exploited or used to propagate an exploit.
 Enabling hardware and software security features to limit
access to computing resources.

Least privilege
To grant least privilege (also called least-privileged user accounts)
means to grant users the fewest possible permissions to software
features and data while still allowing the users to perform their job
functions. By granting least privilege, you restrict access to
features and data.

Security Hardening Guide 5

 Microsoft Dynamics AX

Concept Description
For example, users who are assigned to an HR_Users group
(Human Resources) might be granted fewer permissions than
users in an HR_Managers group or the Director of Human
Resources. By granting least privilege, you prevent members of
the HR_Users group from accessing reports or sensitive employee
information.

Defense in depth Defense in depth means to implement multiple security systems in

your business or organization to prevent security attacks and to
limit the impact of those attacks if a malicious user breaches one or
more security defenses. Most businesses or organizations
implement the following security measures as a means of defense
in depth:
 Production databases and servers are physically stored in a
secure room, and users must enter passcodes or submit
identification to enter the room.
 Internet-facing Web applications are set up with a perimeter
network (also called demilitarized zone or DMZ).
 Proxy servers prevent client computers from accessing certain
types of media or Web sites on the Internet.
 Client computers and servers are configured to access the
Internet through a firewall to prevent unsolicited requests to the
local computer.
 Client computers run antivirus software and malicious-software
detection software.
 Access to software applications and network resources is
controlled by a combination of domain authentication, user and
groups permissions, and NTFS file system permissions.

Security Hardening Guide 6

 Microsoft Dynamics AX

Reduce the attack surface of the Microsoft

Dynamics AX client
Microsoft Dynamics AX enables users to input, update, and monitor a variety of data by using the
32-bit client. Microsoft Dynamics AX users use the client to perform common tasks that include
viewing financial reports, processing orders with credit card numbers, routing payments by using
bank account numbers, and entering sensitive details about employees or customers. If the
Microsoft Dynamics AX client is not deployed with attention to security, then malicious users
might gain access to Microsoft Dynamics AX data, or users in your business or organization
might unintentionally gain access to sensitive data. Whether your business or organization runs
only a few Microsoft Dynamics AX clients or dozens of clients, you should deploy the client as
described in this section to protect your data and to reduce the overall attack surface of your
computing environment. This section includes the following information:
 Terminal Services deployment (most secure)
 Individual deployments (less secure)
 Encrypt client communications with the Application Object Server (AOS)
 Best practices for secure client deployment

Terminal Services deployment (most secure)

Terminal Services, which is a feature of the Windows Server 2008 and Windows Server 2003
operating systems, uses the Remote Desktop Protocol (RDP) to communicate between client and
server. After you deploy an application on a terminal server, clients can connect over a remote
access connection, local area network (LAN), wide area network (WAN), or the Internet. The
client computers can run Windows, Apple Macintosh, or UNIX (by using a third-party add-on).
When a user accesses an application, such as Microsoft Dynamics AX 2009 on a terminal server,
the application execution occurs on the server. Only keyboard, mouse, and display information is
transmitted over the network. Users can view only their individual sessions. Each session is
managed transparently by the server operating system, and it is independent of any other client
session.
From a security perspective, there are several benefits to running the Microsoft Dynamics AX
client on a Terminal Services cluster:
 Only keyboard strokes and images of information that is displayed on the Terminal Services
server are transmitted over the network. Microsoft Dynamics AX data is not transmitted over
the network to client computers, which reduces the threat of a malicious user acquiring data
that was stored on a user's client computer.
 No data is processed, cached, or stored on a user's local computer. All data processing,
caching, and storage occur on the Windows Server computer that is running the Microsoft

Security Hardening Guide 7

 Microsoft Dynamics AX

Dynamics AX client. If a user's client computer is misappropriated or lost, a malicious user

would not have access to Microsoft Dynamics AX data on that computer.
 If a security patch were issued for Microsoft Dynamics AX, that patch would only need to be
applied to the Terminal Services cluster computers, which means that the overall Microsoft
Dynamics AX attack surface is minimized.
Figure 1 shows an example of how you might architect Microsoft Dynamics AX to run on a
Terminal Services cluster.
Figure 1: Microsoft Dynamics AX deployed on a Terminal Services cluster

1. Users log on to their client computers and open a Remote Desktop Connection or a Remote
Desktop Web connection (if they are connecting by using the HTTP service). Or, the user
double-clicks the Microsoft Dynamics AX client icon on their computer and runs the
application as a Terminal Services session (which is a feature of Windows Server 2008 called
RemoteApp).
2. The load balancing solution routes traffic to the Terminal Services cluster based on server
availability and load.
3. Terminal Services receives the session request and communicates with the Terminal
Services Directory and Licensing Services to manage sessions and to verify that there is an
available license. If a license is available, Terminal Services starts a unique session for each
user. Depending on how you configured Terminal Services, users view a Windows desktop
Security Hardening Guide 8
 Microsoft Dynamics AX

where they can access the Microsoft Dynamics AX client from the All Programs menu, or if
they are using Terminal Services RemoteApp, the Microsoft Dynamics AX client opens and
appears to users as an application that is running on their client computer.
4. The Microsoft Dynamics AX clients running on the Terminal Services cluster communicate
with the Microsoft Dynamics AX AOS and database server through normal channels.
5. The Terminal Services cluster transmits images of information that is displayed on the
Terminal Services server over the network to client computers. No data is transmitted over
the network, and therefore no Microsoft Dynamics AX data resides on users' client
computers.

Deployment considerations
 By default, Terminal Services allows only two client sessions at one time. Business decision
makers in your business or organization will need to assess the cost of purchasing additional
Terminal Services licenses before you can deploy a Terminal Services cluster. We highly
recommend the investment because it reduces administration overhead and the attack
surface for security threats against Microsoft Dynamics AX and any other line-of-business
applications that you choose to run on the cluster.
 Each user who will connect to the Microsoft Dynamics AX client on the Terminal Services
cluster must be a member of the Remote Desktop User group in Microsoft Windows Users
and Groups.
 To enhance the security of your computing environment, deploy Group Policy and Encrypting
File System on all computers. If your business or organization uses Windows Server 2008,
Windows Vista Enterprise, or Windows Vista Ultimate deploy Windows BitLocker. Group
Policy and Encrypting File System are described in more detail in the following section.
For more information about Terminal Services, see the Windows Server 2008 Terminal Services
Technical Library or the Windows Server 2003 Terminal Service Reference.

Individual deployments (less secure)

There are several reasons why it is less secure to deploy the Microsoft Dynamics AX client on
users' computers than it is to deploy the Microsoft Dynamics AX client on a Terminal Services
deployment, as discussed earlier in this section.
 Microsoft Dynamics AX data sent between the client and the AOS is at greater risk of being
intercepted by a malicious user because there is more data being sent across the network.
 Data that is stored on individual computers is at greater risk of being accessed by a malicious
user if users are not diligent about securing their computers, or if a computer is lost or stolen.
 If users have access to the Internet, there is a greater risk of virus attacks or problems with
malicious software.
 Your computing environment is at greater risk if your business or organization does not
enforce a policy that requires users to download and install security patches as soon as they
are available.
Security Hardening Guide 9
 Microsoft Dynamics AX

You can mitigate some of these security risks by deploying the Windows security features that
are described in the following sections.

Deployment considerations
This section describes deployment practices that we recommend if you deploy the Microsoft
Dynamics AX client to multiple computers. If you deploy the client according to these
recommendations, you can improve security and mitigate some of the risks described earlier.

Deploy Group Policy

If you intend to deploy the Microsoft Dynamics AX client to individual computers in your
business or organization, you should implement Group Policy first, and then deploy Microsoft
Dynamics AX. Group Policy is a feature of Windows Server 2008 and Windows Server 2003 that
provides an infrastructure for delivering and applying configurations or policy settings to users
and computers within an Active Directory environment. Using Group Policy you can:
 Manage user settings and computers from a central location.
 Implement security settings across an enterprise.
 Implement standard computing environments for groups of users.
 Centrally manage software installations, updates, repairs, upgrades, and software removal.
 Centrally deploy, recover, restore, and replace users’ data, software, and personal settings.
 Centrally configure and customize users' computers to provide a consistent computing
environment and system settings.
Group Policy in Windows Server 2008 includes these additional benefits:
 Centrally manage and control computer power settings.
 Control device installation and access to devices, such as USB drives, CD-RW drives, DVD-
RW drives, and other removable media.
 Manage firewall and Internet Protocol security Group Policy settings together, a feature that
provides greater security for scenarios, such as securing server-to-server communications
over the Internet, limiting access to domain resources based on trust relationships or the
health of a computer, and protecting data communication to a specific server to meet
regulatory requirements for data privacy and security.
 Open and edit Internet Explorer Group Policy settings without the risk of inadvertently altering
the state of the policy settings based on the configuration of the administrative computer.
 Assign printers based on location in the business or organization or a geographic location,
and enable Group Policy settings to allows users to install printer drivers.
For more information, see Group Policy in Windows Server 2008 or Group Policy in Windows
Server 2003.

Security Hardening Guide 10

 Microsoft Dynamics AX

Deploy Encrypting File System

Encrypting File System (EFS) is a component of the NTFS file system on Windows operating
systems that is used for encrypting files and folders on client computers and remote servers. EFS
enables users to protect their data from unauthorized access by other users or malicious users.
Any individual or application that does not have the appropriate cryptographic key cannot read
the encrypted data.
By deploying EFS on the computers where you install the Microsoft Dynamics AX client, you add
another level of security for any data or files that the user might store locally.
For more information, see EFS in Windows Server 2008 or EFS in Windows Server 2003.

Deploy Windows BitLocker Drive Encryption

Windows BitLocker Drive Encryption (BitLocker) is a feature that is available in the Windows
Server 2008 operating system, Windows Vista Enterprise operating system, and Windows Vista
Ultimate operating system. This feature can help protect data that is stored on client computers,
particularly mobile ones.
BitLocker performs two functions:
 BitLocker encrypts all data that is stored on the Windows operating system volume (and
configured data volumes). This includes the Windows operating system, hibernation and
paging files, applications, and data that are used by applications.
 BitLocker is configured by default to use a Trusted Platform Module (TPM) to help ensure the
integrity of early startup components (components that are used in the earlier stages of the
startup process). BitLocker "locks" any BitLocker-protected volumes so that they remain
protected even if the computer is tampered with when the operating system is not running.
Everything written to a BitLocker-protected volume is encrypted, including the operating system
itself and all applications and data. This helps protect data from unauthorized access. While the
physical security of servers remains important, BitLocker can help protect data whenever a
computer is stolen, shipped from one location to another, or otherwise out of a user's physical
control.
Encrypting the disk helps prevent offline attacks, such as the removal of a disk drive from one
computer and its installation in another in an attempt to bypass Windows security provisions,
such as permissions enforced by NTFS access control lists (ACLs).
For more information, see Windows BitLocker Drive Encryption.

Special considerations for client computers used in

development environments
Client computers that are used for Microsoft Dynamics AX development must be isolated from the
clients, AOS, and database computers that are used in the production environment. The
consideration here is that the process of testing or developing customizations might inadvertently
impact the production environment if the environments are not properly isolated.

Security Hardening Guide 11

 Microsoft Dynamics AX

To maintain the security of the production environment, developers should not be granted access
to the Microsoft Dynamics AX production database. Client computers that are used for
development should have their own AOS and database, and the development environment
should have its own data set. To maintain security and privacy, you should not use production
data in a development environment.

Encrypt client communications with the AOS

The Microsoft Dynamics AX AOS performs business logic and data processing for all incoming
and outgoing requests from client computers. If a malicious user intercepts requests between the
client computer and the AOS, that user might gain access to data or information. You can reduce
the threat of a malicious user intercepting requests between the client computer and the AOS by
using encryption.
For information about securing the AOS, see Reduce the attack surface of the Microsoft
Dynamics AX Application Object Server.

Remote Procedure Call encryption

By default, Microsoft Dynamics AX is configured to encrypt credentials and data that are sent
across the network between the client and the AOS, and between the AOS and the database.
Microsoft Dynamics AX uses the Remote Procedure Call (RPC) to perform the encryption, which
provides the highest level of security for client-AOS communications.
We recommend that you do not disable the RPC security feature. You can verify that encryption
is enabled in the Microsoft Dynamics AX Configuration Utility. The configuration utility is
automatically installed when you install the Microsoft Dynamics AX client. If you suspect that
users or administrators disabled this security feature, then verify this setting on each Microsoft
Dynamics AX client computer in your business or organization.
1. Click Start > Control Panel > Administrative Tools > Microsoft Dynamics AX
Configuration Utility.
2. Click the Connection tab.
3. Verify that Encrypt client to server communications is selected. If this option is not
selected, select it, and then click OK.

Role Centers encryption

Role Centers provide overview information for Microsoft Dynamics AX users, including work lists,
activities, common links, and key business intelligence information. Role Centers use the
Enterprise Portal framework to deliver information on either an Enterprise Portal Web site or to a
Role Center home page in the Microsoft Dynamics AX client. If your business or organization
uses Role Centers, and if the administrator installed Enterprise Portal without Secure Sockets
Layer (SSL) encryption, then all communication between Role Centers in the Microsoft Dynamics
AX client and the AOS are sent in clear text. This means that if a malicious user intercepts
communications between a client computer that is using Role Centers and the AOS, then that
Security Hardening Guide 12
 Microsoft Dynamics AX

malicious user would see data from those communications. In this situation, RPC encryption is
not used, because the information between the Role Center page and the AOS is sent by using
the Hypertext Transfer Protocol (HTTP).
If your business or organization uses Role Centers, then you must ensure that Enterprise Portal
is configured to use SSL encryption. SSL is a feature of Internet Information Services, the Web
server software that hosts the Enterprise Portal framework. For more information about
configuring SSL, see Secure Sockets Layer encryption in IIS 7.0 or Secure Sockets Layer
encryption in IIS 6.0.

Best practices for secure client deployment

The following best practices apply to all Microsoft Dynamics AX client deployments. If your
business or organization does not have these practices in place, then you should consider
implementing these practices immediately as they are, in most cases, the first line of defense for
improving security in your computing environment.

Recommendation Description

Always specify least-
privileges when you set up
and configure Microsoft
Dynamics AX user security
features.
You can read about how to set up and configure users, user
groups, domains, and record-level security in the Microsoft
Dynamics AX online Help. (Click the Help icon > System and
Application Setup > System setup > Setting up and
maintaining security.)
Before you set up and configure least-privileges in Microsoft
Dynamics AX, consider the following:
 By default, no users or groups have access to the Application
Object Tree (AOT). This is by design. You should only grant
access to the AOT for members of a development group who
must access the AOT as a part of their specific job
requirements. If you grant regular users access to the AOT,
those users could intentionally or unintentionally compile the
application, synchronize the application, change license files,
or change module configurations, all of which can cause
problems in your business or organization. As a general rule,
you should not grant user groups access to an item unless
they specifically need access to do their job.
 Do not grant regular users permission to set up or configure
master records unless they specifically need permission to do
their job. If a regular user has permission to set up or configure
master records, that user could intentionally or unintentionally
change a master record, which can cause problems for all
users of that specific module.

Security Hardening Guide 13

 Microsoft Dynamics AX

Recommendation Description
 Only those persons who are responsible for setting up and
configuring Microsoft Dynamics AX in your business or
organization should be a member of the Administrators group
and have access to the Administration module in Microsoft
Dynamics AX. If regular users are granted access to this group
and module, they could intentionally or unintentionally cause
problems in the Microsoft Dynamics AX application.
 Do not assign users to the Windows Administrators or Power
Users groups on their local computers unless they are
explicitly required to perform administrator or power user job
functions. Members of these groups can add or remove
applications to their local computers, which can introduce
security risks. Instead, assign users to the Windows User
group (Start > Administrative Tools > Computer
Management > Local Users and Groups).

Educate users about using Strong passwords and password policies in your domain are
strong passwords and essential for maintaining a secure computing environment. We
define password policies. highly recommend that you implement Password Best Practices in
your business or organization.

Enable Windows Firewall or A firewall drops incoming traffic that does not correspond to either
another firewall device on traffic sent in response to a request of the computer (solicited
each computer. traffic) or unsolicited traffic that has been specified as allowed
(excepted traffic). A firewall adds a level of protection from
malicious users and applications that rely on unsolicited incoming
traffic to attack computers.
Windows Firewall is a Control Panel feature that is used to set
restrictions on what traffic is allowed to enter your network from the
Internet. Windows Firewall is included in Windows Vista, Windows
Server 2008, Windows XP with Service Pack 2, and Windows
Server 2003 with Service Pack 1.
For more information, see Windows Firewall.

Enable a virus scanner on The threat of virus attacks is ongoing and always changing. You
each computer. should deploy a virus scanner on each computer in your business
or organization, and configure the scanners to scan computers and
update virus signatures regularly.

Deploy smart cards in your A smart card contains a small computer chip that is used to store
business or organization. security keys or other types of personal information. The smart
card uses cryptographic technology to store the information. Some
businesses or organizations deploy smart card readers on each

Security Hardening Guide 14

 Microsoft Dynamics AX

Recommendation Description
laptop and desktop computer and require employees to insert their
smart card into the reader before the user can connect to the
corporate network. By deploying smart cards in this way, the
business or organization adds another physical layer of security to
its computing environment by ensuring that every user who
connects to its network posses a valid password and a smart card.
For more information, see the Smart Card Reference.

See Also
TechNet Security Center

Security Hardening Guide 15

 Microsoft Dynamics AX

Reduce the attack surface of the Microsoft

Dynamics AX Application Object Server
The Application Object Server (AOS) processes client requests for data and performs Microsoft
Dynamics AX business logic. If a malicious user gained access to the AOS, that user might gain
access to data, including sensitive data, such as financial information and trade secrets. You
should deploy the AOS as described in this section to protect data in your business or
organization and to reduce the overall attack surface of this core Microsoft Dynamics AX
component.

Configure the AOS to use a domain account

When you install the AOS by using Setup, you have the option to configure the service to use a
domain account (the default option) or the Network Service account. The Network Service
account is less secure than a domain account, if you set up and configure the domain account
properly. The problem with the Network Service account is that it is available to other applications
that are installed on the same server. Also, the Network Service account is translated into a
computer account if the service must communicate with a different server. For example, if you
deploy four application object servers that use the Network Service account, and these servers
communicate with a separate Microsoft SQL Server, then four different computer accounts will be
created in SQL Server. In this situation, you have four accounts where a malicious user could
potentially gain access to the AOS or the database. With a domain account, there is only one
account to secure, which reduces the attack surface of your computing environment.
Work with your domain administrator to create a new account in Active Directory. This account
should not be used for any other services or back-office operations. It must be a dedicated
account. Also, verify with the domain administrator that this account is configured as follows:
 The domain user account password is a strong password.
 The domain user account does not have interactive logon rights.
 The domain user account can log on as a service.
 The domain user account is not listed as user or a member of any groups in Microsoft
Dynamics AX.
 The domain user account is not listed as a user or a member of any groups in Windows
Users and Groups on the AOS server.

Change the default port that is used by the AOS

When you install Microsoft Dynamics AX, the AOS is configured to listen on port 2712, by default.
If you install other AOS services on the same computer, the port number increments up one
numeral per service. For example, if you run three AOS services on the same computer and you

Security Hardening Guide 16

 Microsoft Dynamics AX

do not change the default settings, those services would be configured to listen on ports 2712,
2713, and 2714.
If a malicious user learned about a vulnerability in Microsoft Dynamics AX and the user knew the
default port number, they might attempt to gain access to data by using that port number. You
can reduce the attack surface by changing the default port number. You can change the port
number by using the Microsoft Dynamics 2009 Server Configuration utility.
1. On the AOS server, click Start > Administrative Tools > Microsoft Dynamics AX 2009
Server Configuration.
2. Select an instance from the Application Object Server Instance drop-down list.
3. On the Application Object Server tab, enter a new port number in the TCP/IP port field.

Note:
Choose a port number between 1024 and 65000. You can view a list of ports that are
currently being used on the server if you open the services file in a text editor, such
as Microsoft Notepad (<system root>\WINNT\system32\drivers\etc).
4. Click OK.
5. Repeat this process, if necessary, for each instance.
6. You must also specify the new port number on each client that connects to the AOS. You can
change the port number by using the Microsoft Dynamics 2009 Configuration utility.
7. On a client computer, click Start > Administrative Tools > Microsoft Dynamics AX 2009
Configuration.
8. In the Configuration target drop-down list, select Local client.
9. Click Manage > Create configuration.
10. Enter a name, and then select Copy from Active configuration.
11. On the Connection tab, select the appropriate instance in the text box, and then click Edit.
12. Enter the new port number, and then click OK.
13. To expedite the process of configuring multiple client computers, you can export this
configuration to a file and then import the configuration to all other client computers. For more
information, see "Manage a client configuration" in the Microsoft Dynamics 2009
Configuration utility Help.

Isolate a Microsoft Dynamics AX application file

share
If you configured your system so that several AOS computers access Microsoft Dynamics AX
application files on a central file share, then we recommend that you configure the share as
follows to isolate the server while ensuring that other AOS computers can access files on the
share.
 The file share computer must be configured to use the File Server role in Windows Server
(Start > Administrative Tools > Manage your server > File Server role).
Security Hardening Guide 17
 Microsoft Dynamics AX

 The shared directory must be configured so that the AOS service account (the domain
account or the Network Service account) has Full Control permissions.
 Use Internet Protocol security (IPsec) to secure communications between the servers.

Note:
IPsec is described in the next section.

Use Windows features to reduce the attack

surface
Microsoft Windows operating systems include security features to help you reduce the attack
surface of your computing environment. We recommend that you implement and use the
following features on the AOS.

Internet Protocol Security (IPsec)

IPsec is a feature of Microsoft Windows Server 2008 and Microsoft Windows Server 2003 that
helps protect networks from active and passive attacks by using packet filtering, cryptographic
security services, and trusted communications.
IPsec helps provide defense-in-depth against:
 Network-based attacks from unknown computers.
 Denial-of-service attacks.
 Data corruption.
 Data theft.
 User-credential theft.
For more information, see IPsec.

Windows Firewall
Windows Firewall is a Control Panel feature that is used to set restrictions on what traffic is
allowed to enter your network from the Internet. Windows Firewall is included in Windows Vista,
Windows Server 2008, Windows XP with Service Pack 2, and Windows Server 2003 with Service
Pack 1.
For more information, see Windows Firewall.

The Microsoft Security Configuration Wizard

The Microsoft Security Configuration Wizard reduces the attack surface of the Microsoft Windows
Server 2008 operating system and the Microsoft Windows Server 2003 with Service Pack 1
operating system by determining the minimum feature-set required for a server's role or roles,
and then disabling features that are not required. The Security Configuration Wizard:
 Disables unneeded services.
 Blocks unused ports.
 Allows further address or security restrictions for ports that are left open.
Security Hardening Guide 18
 Microsoft Dynamics AX

 Prohibits unnecessary Internet Information Services (IIS) Web extensions, if applicable.

 Reduces protocol exposure to server message block (SMB), LanMan, and Lightweight
Directory Access Protocol (LDAP).
 Defines a high signal-to-noise audit policy.
To access the Security Configuration Wizard, click Start > Administrative Tools > Security
Configuration Wizard. We recommend that you read the Help for this tool before you make
changes to your system. For more information about services, ports, and protocols on your
Windows operating system, see Service overview and network port requirements for the
Windows Server system.

Microsoft Security Baseline Analyzer

The Microsoft Baseline Security Analyzer scans your computer to detect unsecure configurations
and to identify missing security updates. The analyzer then recommends changes and updates to
improve the security of the computer.
For more information, see Microsoft Security Baseline Analyzer.

Security Hardening Guide 19

 Microsoft Dynamics AX

Reduce the attack surface of the Microsoft

Dynamics AX database
If a malicious user gained access to the Microsoft Dynamics AX database, that user might gain
access to data, including sensitive data, such as credit card numbers, bank account numbers,
and personal identification numbers. You should deploy the database as described in this section
to protect data in your business or organization and reduce the overall attack surface of this core
Microsoft Dynamics AX component.

Encrypt sensitive data

We recommend that you implement database encryption, as provided by your database software,
to enhance the security of data, including sensitive data, such as credit card numbers, bank
account numbers, and personal identification numbers. If your business or organization
processes and stores credit card information, then we recommend that you adhere to the
standards set by the PCI Security Standards Council for securing cardholder data. The PCI Data
Security Standard requires the following:

Security standard Requirement

Build and Maintain a Secure 1. Install and maintain a firewall configuration to protect cardholder
Network data.
2. Do not use vendor-supplied defaults for system passwords and
other security parameters.

Protect Cardholder Data 3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public
networks.

Maintain a Vulnerability 5. Use and regularly update antivirus software.

Management Program 6. Develop and maintain secure systems and applications.

Implement Strong Access 7. Restrict access to cardholder data.

Control Measures 8. Assign a unique ID to each user with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test 10. Track and monitor all access to network resources and
Networks cardholder data.
11. Regularly test security systems and processes.

Maintain an Information 12. Maintain a policy that addresses information security.

Security Policy

Security Hardening Guide 20

 Microsoft Dynamics AX

Enabling database encryption directly addresses the needs of requirement three: Protect stored
cardholder data. Microsoft® SQL Server™ 2008 includes a new encryption feature called
Transparent Data Encryption (TDE). TDE is designed to provide protection for the entire
database at rest without affecting existing applications. Implementing encryption in a database
traditionally involves complicated application changes, such as modifying table schemas,
removing functionality, and significant performance degradations. For example, to use encryption
in Microsoft SQL Server 2005, the column data type must be changed to varbinary; ranged and
equality searches are not allowed; and the application must call built-ins (or stored procedures or
views that automatically use these built-ins) to handle encryption and decryption, all of which slow
query performance. These issues are not unique to Microsoft SQL Server 2005; other database
management systems face similar limitations. Custom schemes are often used to resolve equality
searches and ranged searches often cannot be used at all. Even basic database elements, such
as creating an index or using foreign keys often do not work with cell-level or column-level
encryption schemes because the use of these features inherently leak information. TDE solves
these problems by encrypting everything, including all data types, keys, and indexes. For more
information, see Database Encryption in SQL Server 2008 Enterprise Edition. For information
about encryption with Oracle 10, see Oracle Database 10g Security and Identity Management.
If your business or organization uses Microsoft SQL 2005, you can address the needs of PCI
Data Security Standard requirement three by using Encrypting File System (EFS). EFS is a
component of the NTFS file system on Windows operating systems that is used for encrypting
files and folders on client computers and remote servers. Any user or application that does not
have the appropriate cryptographic key cannot read the encrypted data. With EFS, we
recommend that you encrypt the folder where the SQL Server database is stored. If your
business or organization creates views in SQL Server, and a view is created for a specific table in
the database, such as a credit card number table, you can configure the view to point to a
different database file and then enable EFS encryption on that file.
For more information, see EFS in Windows Server 2008 or EFS in Windows Server 2003.

Set authorization requirements on database tables

by using the Table Permissions Framework
The Table Permissions Framework (TPF) enables administrators to add an additional level of
security to tables that store sensitive data. TPF adds table-level security that verifies access
rights no matter the origin of the request. For example, consider the following scenario:
1. Contoso Corporation implemented Microsoft Dynamics AX and allows users to access data
by using the Microsoft Dynamics AX client, Enterprise Portal, the Application Integration
Framework, and a third-party application that connects to Microsoft Dynamics AX by using
the .NET Business Connector.
2. The administrator configured a Microsoft Dynamics AX user group called Senior Leadership,
and members of this group have access to sensitive data about financial information and
trade secrets. One of the database tables that stores this sensitive information is called

Security Hardening Guide 21

 Microsoft Dynamics AX

FinancialResults. This table was added as part of a customization done by a partner after
Microsoft Dynamics AX was installed.

Note:
TPF can be enabled on any table in the Microsoft Dynamics AX database. For the
sake of time and efficiency, however, administrators assign TPF to tables that are
considered to be sensitive or to be of critical business value.
3. In the Application Object Tree (AOT), the administrator configures the FinancialResults table
so that the Application Object Server (AOS) must authorize all operations for that table. The
administrator specifies the value CreateReadUpdateDelete for the
AOSAuthorizationProperty.
4. Soon thereafter, a malicious user discovers a vulnerability in Contoso's third-party application
that connects to Microsoft Dynamics AX by using the .NET Business Connector. The
malicious user connects to the database as a member of the CRM_users group and attempts
to read the data in the FinancialResults table.
5. Before allowing the read operation, the AOS checks to see if the user is a member of the
Senior Leadership user group and if members of the group have permission to read the data.
The malicious user is not a member of the Senior Leadership group, so the AOS denies the
read operation.
To enable TPF, an administrator specifies a value for the AOSAuthorizationProperty on a specific
table in the AOT. The AOSAuthorizationProperty authorizes Create, Read, Update, and Delete
operations. For some tables, it is important to authorize all operations because the data is
sensitive. For other tables, you might find it suitable to specify a subset of operations, such as
Create, Update, and Delete. In the case when you have specified a subset, the AOS authorizes
the Create, Update, and Delete operations, but allows users to perform View operations if they
have access to Microsoft Dynamics AX.
Appendix A: Table Permissions Framework Reference lists all tables that are TPF-enabled by
default and which operations require authorization. You can change or add TPF for a table, but
we recommend that you perform TPF changes in a test environment so that you can study the
impact of TPF changes on user groups that access that table.
To enable TPF on database table:
1. In the AOT, expand Data Dictionary > Tables.
2. Right-click a table, and then click Properties.
3. Click AOSAuthorizationProperty and select a new value by using the drop-down list.
4. Click Save All.

Security Hardening Guide 22

 Microsoft Dynamics AX

If you added TPF to a table, you might need to specify or expand permissions for user groups
that access that table. You can view which objects access a table by using the Used-by
command in the AOT:
1. In the AOT, expand Data Dictionary > Tables.
2. Right-click a table, and then click Add-ins > Cross-reference > Update.
3. Right-click a table, and then click Add-ins > Cross-reference > Used by. The Used by form
is displayed. This form shows all objects that access the selected table and what permissions
(the Reference column) are required when accessing the table. You might need to adjust
user group permissions if you set tighter restrictions on a table.

Encrypt and restrict database communications

You can further enhance data security by encrypting and restricting database communications by
using Internet Protocol security (IPsec). IPsec is a feature of Microsoft Windows Server 2008 and
Microsoft Windows Server 2003 that helps protect networks from active and passive attacks by
using packet filtering, cryptographic security services, and trusted communications. We
recommend that you create an IPsec rule that encrypts communication between the AOS and the
database. We also recommend that you create an IPsec rule that restricts communications so
that only incoming requests from the AOS are allowed. For more information, see IPsec.

Physically isolate the database server

As a general rule and best practice for maintaining security, you should physically isolate servers,
including database servers, in a locked room that requires a passcode or card key to enter. By
physically isolating servers, you limit the opportunity for a malicious user to access, damage, or
steal the server.

Security Hardening Guide 23

 Microsoft Dynamics AX

Appendix A: Table Permissions Framework

Reference
The Table Permissions Framework (TPF) enables administrators to set restrictions on tables that
store data, including sensitive data. To enable TPF, an administrator specifies a value for the
AOSAuthorizationProperty on a specific table in the Application Object Tree (AOT). The
AOSAuthorizationProperty authorizes Create, Read, Update, and Delete operations. When the
Application Object Server (AOS) attempts to perform an operation on a table that is TPF enabled,
the AOS is required to check Microsoft Dynamics AX user group permissions to verify that
members of the group have permission to perform the operation. If members of the group do not
have the appropriate permissions, the AOS does not complete the operation.
For more information, see "Set authorization requirements on database tables by using the Table
Permissions Framework" earlier in this guide.

Tables
This section lists all database tables that are TPF-enabled by default in Microsoft Dynamics AX
and the authorization requirements for those tables.

Important:
These tables store sensitive data. We recommend that you do not adjust these
authorization requirements unless told to do so by management. We also recommend
that you do not adjust these requirements in a production environment. Test your
changes in a test environment so that you can study the impact on user-group
permissions and make adjustments as necessary.

Application Integration Framework (AIF)

Table name Authorization required for

AifValueSubstitutionComponentConfig Create, Read, Update, Delete

AifChannel Create, Update, Delete

Security Hardening Guide 24

 Microsoft Dynamics AX

Business Intelligence and Reporting

Table name Authorization required for

BIAnalysisServer Create, Read, Update, Delete

BIConfiguration Create, Read, Update, Delete

BICurrencyDimension Create, Read, Update, Delete

BIExchangeRates Create, Read, Update, Delete

BIPerspectives Create, Read, Update, Delete

BITimeDimension Create, Read, Update, Delete

BIUdmRoles Create, Read, Update, Delete

BIUdmTranslations Create, Read, Update, Delete

SRSAnalysisEnums Create, Read, Update, Delete

SRSEnabledLanguages Create, Read, Update, Delete

SRSLanguages Create, Read, Update, Delete

SRSModelEntityCache Create, Read, Update, Delete

SRSModelFieldCache Create, Read, Update, Delete

SRSModelFieldFolderCache Create, Read, Update, Delete

SRSModelFieldRoleSortCache Create, Read, Update, Delete

SRSModelFolderCache Create, Read, Update, Delete

SRSModelForeignKeyCache Create, Read, Update, Delete

SRSModelIndexCache Create, Read, Update, Delete

SRSModelOptions Create, Read, Update, Delete

SRSModelPerspectiveCache Create, Read, Update, Delete

SRSModelPerspectiveEntityCache Create, Read, Update, Delete

SRSModelPerspectiveFieldCache Create, Read, Update, Delete

SRSModelPerspectiveForeignKeyCache Create, Read, Update, Delete

SRSModelPerspectiveRoleCache Create, Read, Update, Delete

SRSModelRoleCache Create, Read, Update, Delete

SRSModelRoleGroupsCache Create, Read, Update, Delete

Security Hardening Guide 25

 Microsoft Dynamics AX

Table name Authorization required for

SRSModelSecurityKeyCache Create, Read, Update, Delete

SRSServers Create, Read, Update, Delete

SRSUpdateOptions Create, Read, Update, Delete

SRSUserConfiguration Create, Read, Update, Delete

SysSRSTablePermissions Create, Read, Update, Delete

Developer and Partner Tools

Table name Authorization required for

SysMapParameters Create, Read, Update, Delete

SysClusterConfig Create, Update, Delete

SysOccConfiguration Create, Update, Delete

UtilElements Create, Update, Delete

UtilIdElements Create, Update, Delete

Enterprise Portal

Table name Authorization required for

SysUserInfo Create, Delete

UserInfo Create, Delete

EPStateStore Create, Read, Update, Delete

CuesQuery Create, Update, Delete

EPCompanyParameters Create, Update, Delete

EPDocuParameters Create, Update, Delete

EPGlobalParameters Create, Update, Delete

EPServerStateCleanupSettings Create, Update, Delete

EPStateStoreSettings Create, Update, Delete

EPWebSiteParameters Create, Update, Delete

SysBCProxyUserAccount Create, Update, Delete

Security Hardening Guide 26

 Microsoft Dynamics AX

Table name Authorization required for

SysEncryptionKey Create, Update, Delete

SysPerimeterNetworkParams Create, Update, Delete

SysSecurityFormControlTable Create, Update, Delete

SysSecurityFormTable Create, Update, Delete

UserGroupInfo Create, Update, Delete

UserGroupList Create, Update, Delete

Expense Management

Table name Authorization required for

TrvCreditCards Create, Read, Update, Delete

TrvCashAdvance Create, Update, Delete

Financials

Table name Authorization required for

BankAccountTable Create, Read, Update, Delete

CreditCardADNSetup Create, Read, Update, Delete

CreditCardCust Create, Read, Update, Delete

CreditCardCustNumber Create, Read, Update, Delete

CreditCardMicrosoftSetup Create, Read, Update, Delete

CreditCardProcessorsSecurity Create, Read, Update, Delete

CustBankAccount Create, Read, Update, Delete

LedgerBalancesDimTrans Create, Read, Update, Delete

LedgerBalancesTrans Create, Read, Update, Delete

LedgerTrans Create, Read, Update, Delete

ShipCarrierCODPackage Create, Read, Update, Delete

ShipCarrierPackage Create, Read, Update, Delete

ShipCarrierShippingRequest Create, Read, Update, Delete

Security Hardening Guide 27

 Microsoft Dynamics AX

Table name Authorization required for

ShipCarrierSQLRoleUser Create, Read, Update, Delete

ShipCarrierStaging Create, Read, Update, Delete

ShipCarrierTracking Create, Read, Update, Delete

VendBankAccount Create, Read, Update, Delete

CompanyDomainList Create, Update, Delete

GDL

Table name Authorization required for

BankCodaAccountStatement Create, Read, Update, Delete

BankCodaAccountStatementLines Create, Read, Update, Delete

BankIBSLog_BE Create, Read, Update, Delete

BankIBSLogArchive_BE Create, Read, Update, Delete

Tax1099IRSPayerRec Create, Read, Update, Delete

TaxEvatParameters_NL Create, Read, Update, Delete

VendStateTaxID Create, Read, Update, Delete

Human Resources (HRM)

Table name Authorization required for

EmplTable Create, Read, Update, Delete

HRCComp Create, Read, Update, Delete

HRCCompGrid Create, Read, Update, Delete

HRCCompLevel Create, Read, Update, Delete

HRCCompRefPointSetup Create, Read, Update, Delete

HRCCompRefPointSetupLine Create, Read, Update, Delete

HRCCompTmpGrid Create, Read, Update, Delete

HRMADARequirement Create, Read, Update, Delete

HRMCompEligibility Create, Read, Update, Delete

Security Hardening Guide 28

 Microsoft Dynamics AX

Table name Authorization required for

HRMCompEligibilityLevel Create, Read, Update, Delete

HRMCompEvent Create, Read, Update, Delete

HRMCompEventEmpl Create, Read, Update, Delete

HRMCompEventLine Create, Read, Update, Delete

HRMCompEventLineComposite Create, Read, Update, Delete

HRMCompEventLineFixed Create, Read, Update, Delete

HRMCompEventLinePointInTime Create, Read, Update, Delete

HRMCompFixedAction Create, Read, Update, Delete

HRMCompFixedBudget Create, Read, Update, Delete

HRMCompFixedEmpl Create, Read, Update, Delete

HRMCompFixedPlanTable Create, Read, Update, Delete

HRMCompFixedPlanUtilMatrix Create, Read, Update, Delete

HRMCompJobFunction Create, Read, Update, Delete

HRMCompJobType Create, Read, Update, Delete

HRMCompLocation Create, Read, Update, Delete

HRMCompOrgPerf Create, Read, Update, Delete

HRMCompPayFrequency Create, Read, Update, Delete

HRMCompPayrollEntity Create, Read, Update, Delete

HRMCompPerfAllocation Create, Read, Update, Delete

HRMCompPerfAllocationLine Create, Read, Update, Delete

HRMCompPerfPlan Create, Read, Update, Delete

HRMCompPerfPlanEmpl Create, Read, Update, Delete

HRMCompPerfRating Create, Read, Update, Delete

HRMCompProcess Create, Read, Update, Delete

HRMCompProcessLine Create, Read, Update, Delete

HRMCompProcessLineAction Create, Read, Update, Delete

HRMCompSurveyCompany Create, Read, Update, Delete

HRMCompVarAwardEmpl Create, Read, Update, Delete

Security Hardening Guide 29

 Microsoft Dynamics AX

Table name Authorization required for

HRMCompVarEnrollEmpl Create, Read, Update, Delete

HRMCompVarEnrollEmplLine Create, Read, Update, Delete

HRMCompVarPlanLevel Create, Read, Update, Delete

HRMCompVarPlanTable Create, Read, Update, Delete

HRMCompVarPlanType Create, Read, Update, Delete

HRMCompVesting Create, Read, Update, Delete

HRMi9Document Create, Read, Update, Delete

HRMi9DocumentList Create, Read, Update, Delete

HRMPartyEmployeeRelationship Create, Read, Update, Delete

HRMVirtualNetworkAccommodation Create, Read, Update, Delete

HRMVirtualNetworkTable Create, Read, Update, Delete

KMKnowledgeTable Create, Read, Update, Delete

KMKnowledgeTrans Create, Read, Update, Delete

Inventory Management

Table name Authorization required for

InventItemSampling Create, Read, Update, Delete

InventNonConformanceHistory Create, Read, Update, Delete

InventNonConformanceOrigin Create, Read, Update, Delete

InventNonConformanceRelation Create, Read, Update, Delete

InventNonConformanceTable Create, Read, Update, Delete

InventProblemType Create, Read, Update, Delete

InventProblemTypeSetup Create, Read, Update, Delete

InventQualityOrderLine Create, Read, Update, Delete

InventQualityOrderLineResults Create, Read, Update, Delete

InventQualityOrderTable Create, Read, Update, Delete

InventQualityOrderTableOrigin Create, Read, Update, Delete

InventQuarantineZone Create, Read, Update, Delete

Security Hardening Guide 30

 Microsoft Dynamics AX

Table name Authorization required for

InventTestArea Create, Read, Update, Delete

InventTestAssociationTable Create, Read, Update, Delete

InventTestCertOfAnalysisLine Create, Read, Update, Delete

InventTestCertOfAnalysisLineResults Create, Read, Update, Delete

InventTestCertOfAnalysisTable Create, Read, Update, Delete

InventTestCorrection Create, Read, Update, Delete

InventTestDiagnosticType Create, Read, Update, Delete

InventTestEmplResponsible Create, Read, Update, Delete

InventTestGroup Create, Read, Update, Delete

InventTestGroupMember Create, Read, Update, Delete

InventTestInstrument Create, Read, Update, Delete

InventTestItemQualityGroup Create, Read, Update, Delete

InventTestMiscCharges Create, Read, Update, Delete

InventTestOperation Create, Read, Update, Delete

InventTestOperationItems Create, Read, Update, Delete

InventTestOperationMiscCharges Create, Read, Update, Delete

InventTestOperationTimeSheet Create, Read, Update, Delete

InventTestQualityGroup Create, Read, Update, Delete

InventTestRelatedOperations Create, Read, Update, Delete

InventTestReportSetup Create, Read, Update, Delete

InventTestTable Create, Read, Update, Delete

InventTestVariable Create, Read, Update, Delete

InventTestVariableOutcome Create, Read, Update, Delete

WMSReservationCombinationLine Create, Read, Update, Delete

WMSReservationCombinationTable Create, Read, Update, Delete

WMSReservationSequenceLine Create, Read, Update, Delete

WMSReservationSequenceTable Create, Read, Update, Delete

SysSignatureSetup Create, Update, Delete

Security Hardening Guide 31

 Microsoft Dynamics AX

Project Accounting

Table name Authorization required for

ProjControlPeriodCostGroup Create, Read, Update, Delete

ProjControlPeriodTable Create, Read, Update, Delete

ProjControlPeriodTableColumn Create, Read, Update, Delete

ProjControlPeriodTrans Create, Read, Update, Delete

ProjCostTrans Create, Read, Update, Delete

ProjEmplTrans Create, Read, Update, Delete

ProjInvoiceCost Create, Read, Update, Delete

ProjInvoiceEmpl Create, Read, Update, Delete

ProjInvoiceJour Create, Read, Update, Delete

ProjInvoiceOnAcc Create, Read, Update, Delete

ProjInvoiceRevenue Create, Read, Update, Delete

ProjInvoiceTable Create, Read, Update, Delete

ProjItemTrans Create, Read, Update, Delete

ProjItemTransCost Create, Read, Update, Delete

ProjJournalTable Create, Read, Update, Delete

ProjJournalTrans Create, Read, Update, Delete

ProjOnAccTrans Create, Read, Update, Delete

ProjProposalCost Create, Read, Update, Delete

ProjProposalEmpl Create, Read, Update, Delete

ProjProposalJour Create, Read, Update, Delete

ProjProposalOnAcc Create, Read, Update, Delete

ProjProposalRevenue Create, Read, Update, Delete

ProjRevenueTrans Create, Read, Update, Delete

ProjTransPosting Create, Read, Update, Delete

SyncProjTransaction Create, Read, Update, Delete

Security Hardening Guide 32

 Microsoft Dynamics AX

Server and Tools

Table name Authorization required for

SqlSyncInfo Create, Read, Update, Delete

SysRemoveConfig Create, Read, Update, Delete

SysRemoveFields Create, Read, Update, Delete

SysRemoveLicense Create, Read, Update, Delete

SysRemoveTables Create, Read, Update, Delete

AccessRightsList Create, Update, Delete

DataArea Create, Update, Delete

DatabaseLog Create, Update, Delete

DomainInfo Create, Update, Delete

SqlDictionary Create, Update, Delete

SqlParameters Create, Update, Delete

SysClientSessions Create, Update, Delete

SysExpImpField Create, Update, Delete

SysExpImpTable Create, Update, Delete

SysRecordLevelSecurity Create, Update, Delete

SysRecordTemplateSystemTable Create, Update, Delete

SysServerConfig Create, Update, Delete

SysServerSessions Create, Update, Delete

SysSetupCompanyLog Create, Update, Delete

SysSortOrder Create, Update, Delete

SystemSequences Create, Update, Delete

TableCollectionList Create, Update, Delete

TimeZonesList Create, Update, Delete

TimeZonesRulesData Create, Update, Delete

VirtualDataAreaList Create, Update, Delete

SysDataBaseLog Update, Delete

Security Hardening Guide 33

 Microsoft Dynamics AX

Setup and Upgrade

Table name Authorization required for

BatchGlobal Create, Read, Update, Delete

BatchGroup Create, Update, Delete

BatchServerConfig Create, Update, Delete

BatchServerGroup Create, Update, Delete

SysConfig Create, Update, Delete

SysSetupLog Create, Update, Delete

Workflow

Table name Authorization required for

ExpressionTable Create, Update, Delete

WorkflowConfigurationTable Create, Update, Delete

WorkflowConfigurationTableNotes Create, Update, Delete

WorkflowElementTable Create, Update, Delete

WorkflowMessageText Create, Update, Delete

WorkflowStepTable Create, Update, Delete

WorkflowSubWorkflowTable Create, Update, Delete

SysWorkflowElementTable Update, Delete

SysWorkflowFaultTable Update, Delete

SysWorkflowInstanceTable Update, Delete

SysWorkflowTable Update, Delete

WorkflowMessageTable Update, Delete

WorkflowTrackingArgumentTable Update, Delete

X++ Development

Table name Authorization required for

xRefNames Create, Read, Update, Delete

Security Hardening Guide 34

 Microsoft Dynamics AX

Table name Authorization required for

xRefPaths Create, Read, Update, Delete

xRefReferences Create, Read, Update, Delete

xRefTableRelation Create, Read, Update, Delete

xRefTmpReferences Create, Read, Update, Delete

xRefTypeHierarchy Create, Read, Update, Delete

Security Hardening Guide 35