
All right, we'll go ahead and get started. Shawnee, can you hear me back there okay? All right. Make sure this is loud enough, because they're, I guess, piping it to the other rooms. So we're going to talk a little bit about Microsoft Dynamics, and in particular Great Plains, today, so let's jump right in. So let's go over what we're actually going to be talking about today. We'll talk a little bit about me, and what I do, and why I know this information, and what Great Plains is. Is everyone familiar with Great Plains? No? Okay, good. Then we'll go in there, we'll talk a little bit about what Great Plains is and why you should
care about Great Plains. We're going to take a look at the security flaws that I found in the years that I've been doing Great Plains work, and some of the solutions. They're not perfect solutions by far, but we are talking about a Microsoft product, so most of us are aware of, and are cognizant of, having to work around Microsoft products. So we'll look at the application level itself, Great Plains as an application. We're going to take a look at what Great Plains does to the SQL Server as it installs, and we're going to take a look at the install problems, some of the problems that are inherent with the actual install of Great Plains. And then
we'll switch gears, we'll take a look at how to attack it from a pen testing standpoint. Then we'll wrap everything back up again in the summary. I have some additional resources, so as we go through this, some of this might be something that you want to follow up on with some research. So I've got this SlideShare, it's going to be up, and then some additional contact information and some additional resources if you want to do some additional research on your own. So who am I? Well, I'm the information, or the chief security officer for the Texas Association of Counties, and I've been doing information security now for about eight years, and IT work for
about 14, and I started working with Great Plains about teeth, and this is the time that Microsoft acquired them, back in 2000, and actually introduced them into their family of enterprise resource planning software. And in the last two years I've really been ramped back up and engaged in Great Plains, not only to support it in my own environment; we work with a lot of the counties in Texas who also have Great Plains installed, and I'm also active in the user community for Great Plains. So in my day job I manage the network and security practice for the Texas Association of Counties, and we provide services to hopefully help secure the 254 counties in Texas. So let's answer
this question: what is Microsoft Dynamics, and what is Great Plains? Well, Dynamics is the enterprise resource planning software suite from Microsoft, and it encompasses multiple different types across multiple different business lines, Dynamics being one of the bigger ones in the mid-level market. There are about 42,000 customers that use Great Plains worldwide right now. Some of the ones that come to mind: Caribou Coffee, UNICEF, several of the United Ways use Great Plains. So it's not necessarily a small-level administrative piece of software; it's being used by quite a large market. Initially, when it was created back in the early 90s, it was a piece of accounting software, but in typical Microsoft fashion they added
features and functionality throughout the years, so now you can do sales through it, you can do manufacturing through it, if you have staff that you need to process payroll or HR issues like workers' comp, you can use it for that as well, or even inventory. So there's a lot of good stuff in GP. Now, this is just a few slides of the employee master table that I came across. So what do we have here? We've got employee first name, last name, and their addresses. Okay, so that's a good start. All right, so now we build on top of that: we've got some personally identifiable information, driver's license numbers and their genders. Okay, all right, now we can
get to even better stuff: direct deposit bank accounts. So now we've got their address, their name, direct deposit bank accounts, and driver's license. So what could be better than all of those? Of course, Social Security numbers. So there's a lot of good stuff in GP, and this is just one table. We didn't even look at any of the sales processing tables, where we're taking credit card information, or any of the tables that deal with workers' comp claims. A lot of good stuff in there. So what could possibly happen with this data? Well, identity theft comes to mind pretty easily. Bank fraud: now we've got enough information to forge checks. Social engineering: we've got
plenty of information for a nice spear phishing attack against any one of those employees. Or even electronic funds transfers: we didn't look at one of the specific tables, but when you're processing payroll, most companies now require direct deposit, so all of that information is in another table. There's plenty of good stuff. I wish I could show you more of that, but it would just be boring looking at all the data that's in GP. So how do you stay compliant with all this information, if you've got PII and PHI or even PCI stuff in there? A lot of compliance issues just came to mind, and we could talk about compliance in GP on a completely separate track. So
your typical installation looks kind of like this. It's a very simple install; it's not a very complicated piece of software. It gets installed onto an application server that connects back to a Microsoft SQL back end, and there's a fat client that gets installed on the workstations, and then you get this nice, beautiful Fisher-Price desktop that all accountants love because they know how to navigate around things. So at the beginning of last year, our executive staff at the Texas Association of Counties changed hands, and they wanted to completely redo the entire way we did business. Now, this kind of spurred on all this research and this presentation, ultimately, having thrown out what we'd been doing for years and having to
change gears, and some of the things we've seen. So we're going to dive into the application itself, Great Plains, and actually look at some of the security weaknesses that I've seen and some of the ways to just secure it. Now, the way that Great Plains works, it calls each company... I use that "company" as being a database. So say you have an administrative, overreaching corporation, and each line of business has its own separate employees, separate inventory, and so on; it needs to be spaced out separate from the parent organization. So say you have sales and you have field services: each one of those companies is actually a database, nothing more than that. So in
SQL, when you look at it in SQL, you're going to see each of those companies as a separate database. No master security means there's no way, as the Great Plains administrator, to go into each one of those separate databases and say, all right, Ann has access to this company and this company, and she doesn't have access to this. You have to go into each individual company and set it up, so there's no way to easily do that. We've got 16 different company databases where I work, so to have to log in and manually administer this is a nightmare. Once again, Microsoft, I don't know what you're doing here. But there's no
password policy enforcement by default. We're going to talk about this a little bit more in SQL, but everything that Great Plains leverages for security is done in SQL; there's nothing really in Great Plains that is used to secure it. We're going to look at it: it's only native authentication; there is no Windows Active Directory integration. I mean, what are we doing in this day and age, that Microsoft can't get us an application that hooks into Active Directory? There's no auditing, there's no built-in security auditing. But before you... you want to think of it another way: Great Plains has auditing, obviously; it has to be compliant by law. So if a user logs in and they make transactions and post
things, that is tracked. The problem is, if that user is a power user, or if you log in as the sa account, nothing's tracked that way, so you can completely skip all of that auditing there. And then on the back end, on SQL, there's no auditing done, so if you wanted to go and manipulate the tables directly, there's nothing stopping you and nothing to say that someone was even in there. The routine upgrades that Microsoft puts out: in particular I'm thinking of when version 9 went to version 10, I'm talking about major service packs and upgrades. What happened was Microsoft didn't tell anybody that when you went from version 9 to 10, all of the
security that you had set up in 9... normally most applications will automatically take those permissions over. It stripped that completely down, because they changed the security matrix one hundred percent, and now they left it open for everybody. So if you ran an upgrade path and you went from version 9 to 10, now you have no security; it fails open instead of closed. So if you just went through and routinely did this update yourself, you left your security wide open. Now, I mentioned before that Great Plains itself is basically an administrative server; it has an administrative file share on it. This is because Microsoft uses dictionary files
to be shared amongst different workstations, so each user will have a common set of dictionary files. Also, Microsoft's love of INI files shows here too, in that every user has to have access to INI files, and we're going to look at one later on and see what that has in it. Code injection: Great Plains is built on Microsoft's Dexterity runtime, and Microsoft said, well, we want to make sure that people can update this software and make it real simple, so we'll give them a code chunk where, literally, to install it, you take the chunk and you put it in the folder in the Program Files directory, in that shared directory, and the next
time Great Plains is launched, that code chunk is automatically integrated into Great Plains. Now, it's good for some things. Like, there's a SQL security tool that, once you install it in there, if a user has a window that they don't have access to and they need to tell the administrator, then that's beneficial. But to have it install and run without any kind of user permissions or intervention, it doesn't even tell you it's been installed, that's going to be a problem, especially if you know how to program anything in the Dexterity runtime. Now, I asked for the latest version of this tool from our partner, our Microsoft partner, and he
gave me the caveat, like, "Well, I know you know what you're doing with this, but I've got to tell you that this tool allows you to manipulate SQL in Great Plains without having to go to SQL, so you've got to be careful with it. So here you go, have fun with the tool." So, yes? So the question was, do you have to be a partner to have access to that tool? Yes, a partner would have to, but at the end I'll have my information up, and if you want any of those resources, they are locked in CustomerSource. If you want some, we can have a discussion about, you know, how to get that stuff. On the shared
folder on the Great Plains server itself, on that administrative share, the fat client is usually right there, because everyone has to share the same files; each version has to be the same. A lot of times what they'll do is they'll take that install from a fat client, copy it there, and then literally take that exact same set of files and copy it to each workstation. So, I mean, if you want a copy of Great Plains, if it's in the organization, then you just go to that file share and pick up a copy. And then this one: it requires local administrative rights. I mean, why in the world is Microsoft still running software that requires local admin
rights on the workstation? If you want to run that fat client, it will not operate unless you have local administrative rights on that workstation. You know, finance people that love to click on nice pictures and nice links, and they have local admin rights, and then they have this installed on top of it: that's just a nightmare waiting to happen. Okay, so here are some of the solutions that I found. They're more workarounds than really solutions, because Microsoft's ultimately going to be responsible for fixing this stuff. Microsoft works with, they call them independent solution vendors, and they gave these guys a little bit more access to the code so that they can actually bridge some of
these gaps. And I do not think, and I've had some conversations with some of the developers of Great Plains, that they're actually going to make any real changes to the application. They're going to kind of funnel this off to their partners so their partners can make money as well. So you're going to have to use them for integrating that security. Like I mentioned before, we have 16 different company databases where I work; we had to purchase third-party software so that we can administer that from one place, as well as integrating Active Directory and making sure that Active Directory policies are being applied to Great Plains, and then for auditing, not only on the Great Plains side but
hooks into SQL, so that if anyone manipulates the data directly in SQL, it's actually audited and compliant. Now, I put a little star next to this because it's going to sound like I contradict myself later, but really, when you're doing any kind of upgrades to Great Plains, because they do not really give you enough information to understand the changes in between, and a lot of times the partners aren't even sure, it's important to engage a partner that is familiar with what updates are going to be happening, so you don't end up upgrading or updating your software and it rips out all the security that you already have set up. And then on the
common files, basically NTFS security has worked great for us, so we only allow people that absolutely have to have access to those folders and those shared dictionary files and those client installs to be able to get there. And then as far as local administrator rights: on the initial install of the fat client, when you install it initially, you have to be local administrator to set up the ODBC connection, but I found if you go into Program Files and actually allow all those users to be able to write to those files, you can take local admin rights away to secure that fat client, so that hopefully no virus would end up
owning someone's computer. All right, so we're switching gears here to talk about some of the problems. It's not necessarily problems with SQL itself; it's how Great Plains installs itself onto SQL, and then some of the things that you're going to have to go back and fix after the install is completed. Now, it's not unusual for Great Plains, or for any legacy application, to be installed on a separate instance of SQL, especially if you're running in compatibility mode. I mean, in this day and age, why are we still having anything running in native mode? Why is not everything Active Directory authentication? I don't understand. It's not like Microsoft's trying to fix this problem, because Great
Plains 2013 is right around the corner: same thing, local native mode SQL installation. So no Windows authentication means you have to manage each user in SQL itself. So now if you've got hundreds of users in Great Plains, you open up your security logins on SQL and you've got all those users you have to manually maintain; no way to do it through Active Directory. Now, this one might, you know, be me being a stickler about it: the ODBC ports. I like to have a little variety if possible, to be able to change it instead of having it on 1433, which is very common, everyone knows to listen on, to be able to switch that to a different port so that, you know,
obviously it's still going to be advertised across the network, but at least it's not going to be advertised on the port where it's supposed to be. Now, the DYNSA account is a particularly fiendish character in Great Plains. DYNSA is the Dynamics sa account that gets created during the initial install, and its intention was to allow Great Plains administrators to add users, to make changes if the person locks themselves out of SQL, to not have to go into SQL and do it; they can actually do it in the application. The problem is, and we tested some of this last Thursday, the DYNSA could create a user, but it cannot assign it to a company database or change its
password or unlock its account. So on that install, that guy's pretty much worthless, other than that Great Plains uses it to hook into SQL. So the privilege level on that is completely wrong. So, while we talk about this: does anybody have a SQL instance that's still running in native mode, SQL native mode? Is everyone using, like, Active Directory authentication? I don't think there are many applications out today that still run in native mode. So hardening the SQL instance is going to be an important step. Now, in the resources guide I've got a step-by-step guide from Microsoft on how to do that. Now, the problem we've had in our organization is that we did not want our DBA to have
access to any information in Great Plains, because you've got payroll information in there, you've got all this information that you don't want a low-level DBA having access to. So what they did: they had him create the instance, give them the sa password, and they immediately changed it, so now our DBA couldn't even come in and take a look at it, so he couldn't come in and harden the SQL instance. So you have to have some level of trust with either your DBA or your partner to be able to go in and do these types of things. If you're not familiar with hardening SQL, you can actually force password policy, and if you're in the
SQL administrator in Great Plains... basically, if you're the administrator you can say enforce password policy and it will transfer that, or write that down, to SQL. But if you're a SQL administrator you can go in here, and here's a basic SQL login, and you can check enforce password policy and enforce password expiration, so you can bypass that. By default Great Plains gets installed with all this turned off, so it'd be good to go in and check that. You can hide the SQL instance; if it's not broadcasting, it's going to be a little harder to find. Now, when I go after anything, I usually look for the low-hanging fruit, so if I don't actually
hear anything on 1433, then I generally don't keep looking forward. So you can go into the protocols for that GP instance itself and turn it off. The DYNSA account: there is an article about how to configure that guy correctly, so that you can actually disable the sa account and use him to administer Great Plains internally. All right, so back to what I was mentioning before with our company and making changes and the new bosses wanting to redo Great Plains. The problem was the company, the partner we hired: they're great on the business analytics, and they were able to come in and say, okay, well, you guys want to do this, you want your chart of
accounts to do this, and we can take all that information and put that into Great Plains, and now your business processes are set up the way you want. There's a major problem, though, if the analyst that comes in and actually does the Great Plains install doesn't even know how to log into a server. So on a couple of occasions we've seen lack of experience being a problem, and actually errors with the install itself. So let's take a look at that, and some of the resolutions behind how to fix some of these errors. Great Plains is sold and installed through a partner; there's no way around it. It's Microsoft Business Solutions; you have to
go to a partner. You can't go to Best Buy and pick it up off the shelf; you have to go through them. That's how the partners make money, and they keep funneling money back to Microsoft. So the question you want to ask yourself: why would I allow a business analyst, somebody that knows the business side but not the technical side, to install this software? And we've mentioned this before, third-party products: you have to make sure... I know during our installation we didn't purchase third-party products to secure the application, and then we had to come and find like 45 thousand dollars more after
the fact to buy the software to come back and secure the application. So you have to use these third-party products to fill the gaps. And then it's typical to have a service account for services running on the servers or on the SQL instances. The problem was, when the installs were being done, they wanted domain admin rights on the service account. Why would a service account need so many rights? And you usually install with sa, I understand that, but once you do the install, you can't go back and change the sa password; it will break Great Plains. So you can't change it after you've installed it. So, some of the solutions to those problems. Now, our partners, it's like a
typical partner, just like any consulting group: you're going to have good ones and you're going to have bad ones. You have guys who come in and tell you the moon and stars, but they don't even know how to operate a computer, and that's one of the problems we had. We had guys that came in, they knew the business side really well, but when it came to the install and actually getting the application running correctly, they just did next, next, finish. So you're going to have to find some people that actually know partners. The Great Plains user group, I mentioned before that I'm active in that community: a great group of people that can tell you this partner is great
and this partner is not. You're really going to have to kind of weigh those things out. It's a standard procedure there: you have to use those third parties to secure Great Plains; there's no way around that. And sa doesn't need to be active after the install, so you can disable it. So what we've been doing: we've been disabling sa and only re-enabling it when we need to run service pack updates and those things that the DYNSA account should have the access to. So disabling sa itself doesn't leave that footprint open. And then after the install, I mean, really, the service account doesn't need to have so many privileges;
you can change that down to the least amount of privilege it needs to do its job. There are articles on how to do that as well. All right, so pen testing against Great Plains. Now, I'm not like this incredibly awesome, uber-elite pen tester. I use the simplest things possible so that I can find out the information on you quick. So we're just going to step through a couple of things that we've been able to do, not only with my organization but working with other organizations to help them secure Great Plains. So whenever I get engaged to help somebody, I always do my reconnaissance first, some information gathering, and I found a
lot of times that on everyone's website, the CEO or CFO or the accounting or finance director will have a nice bio, and it makes it really nice and convenient to have a little background before you give them a ring or shoot them an email. Also, you can find out pretty easily if Great Plains is running, because you're going to see something similar to this. It's very similar to SharePoint, but it's called Business Portal. Business Portal is Microsoft's web portal that hooks back into Great Plains so the people out in the field or people on a manufacturing floor can do that. So if you happen upon a website that has something similar to this, you're going
to know that Great Plains is running in the environment. So one of the easiest things, I'm big on social engineering, is making phone calls. Accounting people love to talk about how they account and how they work and what software they use, so call either the software purchasing agent or call the head of finance; now you know who they are because of the website. Accountants also like free stuff, so do a SurveyMonkey: say we're taking a 10-minute survey on what your accounting software is and how you like it, and we'll send you an Amazon gift card, and you'll have tons of information afterwards. That's worked pretty well for me. I've almost gotten to the point where they
give me the password afterwards, if you're good enough. So now we're going to talk about some scanning and enumeration, and we're looking at the SQL side of things, whether there's an instance there. sqlninja, if you are familiar with the BackTrack suite, sqlninja is something you could run, or Nmap. Nmap's got a nice little discovery script you can run; it'll actually return all the SQL servers in the environment, all the instances with service pack levels; those are things that SQL is broadcasting out. SQL Server Management Studio: if you've got a copy of SQL Server, you can load that up, and that allows you to connect to different... Did you have a
question?
The question was, if SQL's not broadcasting, none of these would work? I think that's correct. I don't know of any other way. I'm sure SQL's got to be talking somehow; I'm not sure, I can't really speak to that. That's why one of my solutions was to actually hide the instance and not let it broadcast, right? You'd have to find additional information, so that if you wanted to connect directly to that instance, you'd have to find it out another way. Well, actually, when we get to the Dex.ini file, I'll show you a possibility on how you could find where that SQL
Server connection is, even if it is hidden. So I mentioned the Management Studio, so that allows you to connect to the different instances. Or, if you've already popped the box somewhere, the local data sources, the ODBC connections in Windows, will give you where those different instances are. Gaining access: sqlninja, sqlmap, basically brute force and dictionary attacks. We mentioned before that the password policies are not enforced. I found one instance where the password was cat c80, and so, like, okay, well, this is bad, you guys haven't changed this, you guys need to go in and make a more secure password. So I'll come back in a couple of weeks. So I came back and the password was
dynamics. I'm like, okay, you're not getting the idea behind it. So using those, I found it to be relatively easy to find that information, because we're talking about people that aren't familiar with making a secure installation; we're talking about people that come in, they're business people, and they're installing this product. The administrative share: you've got the fat client. I'm not a SQL ninja, so I don't go in on the SQL side and do any kind of real manipulation there, other than stealing other people's scripts. So I just go in and load Great Plains myself, connect using the credentials I found, and now I've got the Fisher-Price desktop with the nice reports, and I can
get all that information. And I mentioned to you before that the Dex.ini file has got some great information in it. Now, this guy's sitting in that administrative share. So you get a little bit of information here. Build SQL Messages equals false: by default it's turned off, so if you're making any changes to the build itself, to the software build, it doesn't parse, it doesn't return any error messages, so you don't know if something's been changed. SQL Last Data Source equals Dynamics GP 2010: if you do have access to one of the existing fat client installs, now you've got the ODBC connection that's going to point you to that instance that might be hidden. So if you know of
someone that's a GP user, you can attack that, and there's plenty of documentation on how to attack that in Windows XP especially. Last Year End Update and Last Tax Code Update: those are the two most recent service packs and tax patches that have been installed in the system. And the Dictionary Version actually is the version number, so if you Google that number, you'll see that that's like GP 2010 Service Pack 3. These last two are great. Show Debug Messages equals false, so if you're installing anything, nothing's going to be returned, if the next one is true. I'm sorry, that sounded confusing. So remember I mentioned the Dexterity chunk files that you can install, like that GP support tool?
Well, by default in Dex.ini it says auto-install those chunk files, and by default it says Show Debug Messages equals false, so there's nothing to return any kind of indication that any kind of installation has happened in that Dexterity runtime. All right, so let's wrap everything back up again. So we found some of the problems, or I expressed some of the problems that I found in Great Plains, and some of the solutions within the Great Plains application itself, and took a look at how to actually secure against some of the problems with the SQL installation, like password policy and the local instance. We looked at installer errors and installation errors and how to go and correct those. We took
a look at some of the quick and dirty methods of doing some pen testing against GP. And so here are some additional resources, if you're interested in any of this stuff. The Dexterity development system is how to actually write those Dexterity runtimes. I spoke with one of the developers, who said, "Well, you know, that vulnerability you mentioned, I don't know if that actually could be true, because there's only a handful of Dexterity runtime developers in the world." I'm like, well, how hard is that to learn? It's a Microsoft product. The Great Plains developer kit and the support tool and install and troubleshooting guides: all of these are locked away in CustomerSource, so there's my info, and I can get you some
more information about that, we'll just say. And the hardening guide for Dynamics AX: now, AX is another product similar to Great Plains, and Dynamics, I mentioned before, is a suite of products. AX has a lot of similar problems to Great Plains on the installation itself. In fact, to two of the other products in the suite you can actually apply that guide, so if you're wanting to harden Great Plains, you can actually use that as a baseline. And nothing's been published for GP yet, so I'm not sure if anyone even is interested in listening to that, but I might actually go and make a run at that one. SQL 2008 security best practices is how to harden
a SQL instance. The DYNSA account I mentioned before: how to give that guy permission to be able to do his job. And then the Great Plains user group: it's a really good community of people to get any kind of resources; you can actually speak with the developers and ask questions and, if you need it, find a partner that's better suited for your needs. All right, that's my spiel. Has anyone got some questions, or want to throw some tomatoes? Yes? Yes.
You know, the question is whether or not the user created in SQL can log into GP, correct? Or the other way around? Okay. Okay, yeah. So the question is, if you reset the password in SQL, will it also be reset in GP? Yes, because all that GP does, if you go into the security tool, it literally just passes everything on to SQL. That DYNSA account is supposed to be configured to do that, but actually we found that doesn't work, and if you're going to be adding a user, you have to actually use sa. You can either set it up in SQL or you can set it up in the client itself. I
mean, the client itself just makes it easier for people that aren't familiar with SQL, but literally, to go in there, if you wanted to, say, give someone permissions to a particular company database, it would be just a matter of assigning that user a role in that database itself, and it will work fine. So if you change someone's SQL login in SQL itself and then went to log into GP, I mean, that's what GP is actually going to change, that password, anyway.
no it's it just passes those passwords get passed immediately on to SQL and everything is handled in SQL there's no there's no master database that controls user passwords everything's password controlled native in the native instance so all those every one of those users is a local user on that SQL instance so if you go in and you broke if you opened up SQL and you looked at the logins you would see all of the Great Plains users in there and you know administering 100 some users is pretty difficult when you go through and have to do it through SQL pain in the neck did that answer your question
huh
we'll put it in GP I'll have to take a look at that because well because me for what I've been doing is administration I have I don't log in to GP I go into SQL and actually and been unlocking accounts and resetting passwords there oh really
that's cool I'll have to take a look at that because actually I know one of the developers in Fargo they're all up there in North Dakota so I'll have to bring that up because I'd be interested in knowing that answer too because I can't think I can't think definitively if I reset someone's password in SQL or if it's just being unlocked an account being unlocked yeah I'd agree I'd like to look at that some more and I've got several labs set up and we can go and break stuff if anyone wants to I mean not by far this is not like the most extensive research ever and I'm I am I I'm not the most extensive security
researcher I hope to be at some point so this is a baseline I'd like some some feedback if anyone's got some cool stuff or something I can use to to progress this I'd really like to because I'd like to go to Microsoft and say look now more people are aware of some of this stuff so could you please fix it now anyone else questions yes
so the question is if that update the last year-end update that it's actually the last when you close out a year for fiscal or a calendar year you close that out there's going to be tax changes that usually happen at end of year so it will apply say when you close your books outside like our fiscal year runs from January to December so for us it's not a problem because the year-end updates fine and we close our books somewhere in in February but if your fiscal year is different it's going to be you know so that's that's those tax updates that were done that needs to be applied to that year-end closing yes everything
everything Great Plains or any kind of updates are all manual there's no automatic updating for Great Plains
no there's no update notification if you've got a good partner they will already call you and tell you we haven't had a good partner for a long time so I used to go in and actually subscribe to the RSS feed on CustomerSource that would say this new type this new update's available but would you like to apply it and that's where I've got myself into trouble applying a tax update that changed some security afterwards we had to go back and actually reset some security after doing that and any tax update should be a real quick thing I mean federal withholdings it shouldn't be super complicated but you have to be logged in as sa to run those
updates and kick everyone out and it literally updates every table it goes through and looks through it and for 16 companies for us it takes a long time so usually my users are out for at least five six hours while it's updating all those those databases
now the year the year-end updates and tax updates are just federal withholdings or sales tax updates or so on and so forth it doesn't it doesn't make any changes there now if there's a version change or a service pack yeah it can't have an impact on on how things are done and that's what also we're seeing changes in security that aren't consistent with you know what it should be Microsoft when you when you upgrade something you shouldn't mess around with any of the security or if you do it should be the same as when you started the upgrade and we've seen problems where it's been inconsistent we'll have some companies have the security transfer properly and some not so you
actually have to go back to each one of those and make sure that the security was applied correctly
okay right so after changing the password the sa password after the install is completed things break because Great Plains is supposed to use that DYNSA account to do everything and I don't know if I don't think Microsoft blatantly said you know why this happens and or where it was it's stored I mean it'd be nice to find out I'd like to maybe do some additional research and find out where that's stored so I found out when you change that sa password and then go to run an update it doesn't have permissions to update all the tables well running GP utilities doesn't go in and it errors out if you've changed the sa password and I'm not sure why I'm not
sure you why did the security level is there I know it breaks it so that'd be something also that I'm I'd like to take a look at and see because when I talk to developers a lot of the guys aren't sure why it does it by does it either it's kind of like having Facebook on your mobile phone why does Facebook have to have access to everything on your phone well it just does because the guys are too lazy that wrote the app to actually make sure that it's got least privilege and set of most I suspect lazy program
yeah using mixed mode also because everybody does the install for the most part the partner has the sa password and they're not really familiar with why sa has so much privilege level they'll use that in for the ODBC connections on the local fat clients I've seen that like nine times out of ten so what we've done is gone in and actually created a user with enough privileges to make the connection to SQL that's not the sa so that actually can do its job without having to have so many elevated privileges especially using Windows XP popping an ODBC password is pretty simple this
you
well it's been 12 years now and it's still not up to speed and and I can't get an official answer having I had drinks one night with one of the developers and their kind of stance I think I mentioned a little bit before is that now that they've got all these partners that have done run circles around the application done stuff that Microsoft's not been able to do and their solution is pay these guys lots of more money to actually do this because I'm looking at we just went through this last November went through 2013 I was kind of like the the release and I snuck into a partner's meeting and actually listened to all the stuff and none of
it's changed it's still the same underlying application it's got some more whiz-bang stuff but I mean nothing on the back end was fixed hopefully Microsoft will wise up at some point but I think that they like giving all their solution vendors the guys that are paying them money to have access to the APIs give them the money so that they can have this relationship and you end up getting screwed in the process he's 45 grand we had to spend in addition to Great Plains install when we went back and actually bought the tools needed to secure it and even then it's still it's still native mode authentication the way that the Active Directory piece works it
is set as a separate application database that when you log into Great Plains it goes and then it checks against Active Directory but afterwards it goes back to SQL and says this guy's good there's still a SQL level login for every user it just checks against Active Directory anyone else