As I'm certain you've noticed, the MSDN blog platform got a "makeover" this weekend, as we now have an updated platform that provides some new avenues for sharing our blog content across multiple channels and platforms. Along with this new platform, it appears as though some of our most recent posts have gone missing! Besides working on getting these blogs re-posted, we also have some formatting work to do it appears.  All will come in due time, so thanks for your patience and we hope you like the new format!

AndyW

Contrary to earlier reports which have since been corrected on this Blog there is not a security vulnerability in Microsoft Dynamics GP.  Further detail can be found on this blog site http://blogs.msdn.com/gp/

We’ve had some questions today about how the Dynamics GP System Application Password is stored within the database, and whether that method is sufficiently secure. Let’s take a look and clear up any misconceptions about the safety and security of the business application data.  The Microsoft Dynamics GP application provides a very clear and complete security model in conjunction with SQL Server.  The biggest risks to any SQL Server or database, regardless of its content, are improper management of the SQL Server system account password and inappropriate management of Windows Authenticated user accounts.  Following good password- and account-management standards is the best way to protect any SQL server or database system from harm.

While it is true that behind the successful passing and validation of the Dynamics GP System Password, you can get to things such as User Account Creation, Security Task/Roles and other application-based setup items, you have to be a validated user already logged into Dynamics GP in order to take advantage of those features.  The ability to simply translate a single stored piece of data using a custom database function that you wrote is not available to a standard Dynamics GP user and would require a higher level of access to the SQL Server itself (at least dbo level or higher) to create and execute the custom function.

Stepping back to take a look at the bigger picture, there are two different and separated levels of security that are applied and used within Dynamics GP.  The first level of security is at the SQL Server itself.  Because the Dynamics GP application does not use Windows Authenticated accounts to gain access to the SQL Server -- a Dynamics GP login can’t be used to log into SQL Server directly, in other words -- any attempt to gain access to that business application data using that access model will not be successful, unless the SQL Administrator were to specifically grant access to the SQL Server and then to the databases themselves.

The Dynamics GP access method to the SQL Server is based on SQL Login accounts.  These user accounts are typically created within Dynamics GP.  In order to create these types of accounts, the user must be logged into Dynamics GP using the SQL Server system account, or a separate SQL Login account that possesses the appropriate SQL Server permissions, to create SQL Logins and grant access to database roles. So why would the newly created Dynamics GP user account be granted access to the Dynamics database at creation? There are, in fact, specific and secure reasons.

When creating a user account within Dynamics GP, not only do you need to have the correct SQL Server permissions to take such an action, the Dynamics GP application takes advantage of the SQL Server password enforcement policies.  These password policies, if enforced on the customer’s domain, enforce rules for password expiration, password strength (which includes required characters, length and/or blank passwords) and changing next password on login. So as an administrator with the appropriate access to the SQL Server, an administrator can create the appropriate Dynamics GP user accounts and also provide a password for those users. 

When the user accounts are created within Dynamics GP, the password entered in the Create User window passes through two levels of encryption.  The first level of encryption is the Dynamics GP encryption algorithm ( it should be noted,  the substitution -cipher method is not used), and is encrypted through our Dexterity runtime engine -- not the business application code.  When a user account is created at the SQL Server level, the password then goes through an additional password encryption.  This user account password is only stored in the SQL server and not within the Dynamics GP related databases.

If a SQL Server Administrator chooses to create the Dynamics GP SQL logins outside of the application (which is an available option but not recommended), the user account passwords will only contain the SQL Server level of encryption.  If the SQL Server Administrator chooses that option they are indeed putting their SQL data at risk, because this account can be used to gain access to the SQL Server (outside of Dynamics GP) and the appropriate databases would be available through any type of ODBC or .Net connection.  This would be an area of concern that should be closely monitored and considered a security risk. 

That said, if user accounts are created outside of Dynamics GP, the application is aware of and can detect what we would call “invalid” password states, which occur whenever an externally created SQL user account might be used to login into Dynamics GP. During the login process for Dynamics GP, the application detects if the password that was entered by the end user is “blank” or “plain text,” which translates to “accounts created in SQL Server only” or prior to Dynamics GP 9.0.  If this situation is detected, the end user is immediately prompted with a Change User Password dialogue box and is forced to reset their password.  By doing so, Dynamics GP places its own security encryption on the password and then sends the change down to SQL Server for updating.  Using this method keeps the access to the business data secure and intact from access outside of Dynamics GP.  In addition, because of the double encryption that takes place at the password reset, you are no longer able to use a Dynamics GP user account to create a connection to the SQL Server.]

The second level of security applied and used is the application security setup and, specifically, the business application setup that is required within Dynamics GP. The primary design behind this setup is to allow:

1. A separation of duties and administration between the SQL Server and Dynamics GP application (if required by company policy) 

2. Administration capability for a single person or team

This design can provide business application administrators – the people who manage Dynamics GP --with the capabilities  to create application users, grant access to company databases and build/maintain the access to Dynamics GP application modules, functional windows and reports that are contained within the application without having to involve the SQL Server Administrator in those tasks.  In order to administer these features and functions while keeping the functions separate from the rest of the application, an Application System Password is required. The intent behind this System Password was never to provide true data encryption services, but to provide the ability to lock down the Dynamics GP setup and configuration options. Because of this, the password isn’t using the strongest encryption method available -- and if the password were to be compromised, it would offer no access to the SQL Server or to a Dynamics GP user account. 

So in order to be a threat, a would-be attacker would have to first gain access to the SQL Server with the appropriate security access, and have access to the Dynamics database, and have the ability to create the user defined function -- just to crack the Dynamics GP System password.  After assessing all of these requirements, the issue paints a picture of larger security issue in managing the SQL Server than the simple encryption algorithm used on the application system password.

Thanks for listening!

The Dynamics GP Team

Microsoft Learning is creating some fantastic content in a new format:  Learning Snacks.  They are little interactive presentations on specific topics, most are 15 minutes or less.  We invested into this new format for Dynamics GP 2010 hopeful that it will make it easier for people to learn one bite at a time.

 A few snacks are already available for Dynamics GP and more will be posted, so keep checking back.  The link below is the main page, so you can see the other products as well that have snacks like Office, SharePoint and Windows Server. 

http://www.microsoft.com/learning/en/us/training/format-learning-snacks.aspx#dynamicsgp10

Please check out the snacks and let us know what you think. 

Happy Snacking!

Pam

 Our celebrity blogger, David Musgrave has updated the support debugging tool for Dynamics GP 2010 and has added new enhancements, increased performance and has made it more usable.  Check it out.

http://blogs.msdn.com/developingfordynamicsgp/archive/2010/05/13/support-debugging-tool-build-13-released.aspx

Pam

I’m getting ready to head over to the UK for their Dynamics GP 2010 Launch Event.  I always enjoy these types of events because our partners and customers are so passionate about their solutions.  The UK always does a good job engaging their partners and customers and this will be no exception.  We will be featuring one of our TAP customers from the UK, YMCA of London.  And of course we will have the Welsh humor of Will McIntee to keep things fresh and lively.  I might even do my famous Extender demo where I build a Pub Inspection application right now stage.  But I’ll have to add the new List Builder feature to the demo.  Cheers!

http://blogs.msdn.com/ukgp/archive/2010/03/10/save-the-date-18th-may-gp2010-launch.aspx

Errol

Hello everyone.

Management Report has released and is available to download.  You can get it from the Dynamics GP 2010 download area.

For updated information on Management Reporter view this site.  It includes the current roadmap, fact sheets and other information. 

http://www.microsoft.com/en-us/dynamics/products/management-reporter.aspx

Thanks,

Pam

Hello everyone.  We've had numberous requests at Dynamics GP Product Management asking about registration keys for Dynamics GP 2010, which is great.  People are excited to get their hands on this release.

Every release it takes several weeks to generate all of the keys for customers and partners, this launch is no different.

Partners are mostly complete with a few specific partners still needing changes.  Customer will be starting shortly.  I am hopeful everyone will have updated keys in the next week or so.  If you have any questions, please email mbsgp@microsoft.com.

 Take care,

Pam Misialek

We are very happy to announce the availability of the Microsoft Dynamics CRM Connector Feature Pack #3 for Microsoft Dynamics GP.   It will be available on Partner Source today!

The most important aspect of this release is the support for integration between Microsoft Dynamics CRM 4.0/Microsoft CRM Online  and Microsoft Dynamics GP 2010!!!

It is also important to note that this new Connector will also be compatible with Microsoft Dynamics GP 10.0 and Microsoft CRM 4.0/Microsoft CRM Online.

This Feature Pack #3 also includes:

• Registration Keys Support (When Installing the Connector)
• Support for Distributed Discovery and Deployment of Microsoft Dynamics CRM servers
• Additional Microsoft Dynamics GP Object Providers: Vendor, Applicant and Purchase Order
• PickListSync Utility – The Ability to Choose Source and Destination Adapters and Source and Destination Sites

Thanks to Jeff Hensel’s Team for their fantastic work and quick turn-around on building a Connector between Microsoft Dynamics CRM 4.0/Microsoft CRM Online and Microsoft Dynamics GP 2010!

Please remember to have your Microsoft Dynamics GP Partners order the Connector for their new customers (0$ SKU on the Microsoft Dynamics GP Price List.)  Even though we are not charging license fees for the Connector, it is imperative that Microsoft Dynamics GP Partners order the Connector for their new customers because they will receive registration keys (once ordered) that will now be required when installing the Connector.  Partners of existing customers can simply download the new Connector and install it over the top of their existing  installation.  (It is always a good practice to export your maps out before installing J…so you can re-import them if you need to.)  Once installed, existing customers can then re-enter the registration keys they received when they previously ordered the Connector.

Microsoft Dynamics CRM Partners are still required to have a Microsoft Dynamics GP Partner order the Connector for them as it is not available on the Microsoft Dynamics CRM pricelist.

Here is the PartnerSource link for the Connector: 

PartnerSource Link:

Thanks,

Ben

It is an exciting time in the Microsoft Dynamics GP world.  The buzz all started back in January with our TAP program and beta release.  Then Microsoft field and partner readiness events started in February and March building more buzz in our community.  Now after an energized Convergence with Dynamics GP 2010 being introduced to our customers and the world, many in our community have praised this release.  Exciting!

Microsoft Dynamics GP 2010 is available for download on CustomerSource and PartnerSource in International and US English!

Important Notes:

·        Partner and Customer accounts are being updated at the moment.  If you do not see your account updated, please check back in a day or so, eventually it will be.  It may take a couple weeks to get all the keys updated.

·        Customers and Partners will not be receiving media automatically.  They can request media to be shipped for a small fee to cover costs in a couple months.  We are moving a green software distribution, pushing it to online download.

·        Hardware requirements have changed.  System Requirements and  Web Application System Requirements .

The Microsoft Dynamics GP 2010 Landing Page includes all of the information related to Dynamics GP 2010 including:

·        Technical Readiness & Demo Resources (Demo Images, Presentations)

·        Sales & Marketing (Thru-Partner Event Materials, Messaging Highlights, Collateral including What What’s New and Top 10)

·        Pricing & Licensing (Announcements and FAQ’s)

Thanks to everyone who contributed to this fantastic release.  Congratulations!

Pam M

Hey Everyone! Well, with GP 2010 officially out the door this week and available for our existing and new Customers, I thought I would make an additional exciting announcement about new integration capabilities with Concur Travel & Expense!  Partners, you can read all about this over on PartnerSource (click here), but I wanted to offer my own view on this through here. First off, those of you who might be Dynamics GP Customers or Prospects, I should tell you that we’ve teamed up to offer integration with Concur for customers who want to better manage their employee expenses (of the Travel & Entertainment type).

The Concur Travel & Expense service truly streamlines the entire employee expense report submission and approval process, through an entirely online, browser-based service.  When combining Concur Travel & Expense with Microsoft Dynamics GP, we can offer a very seamless experience for your employees from the point of booking travel through your own travel portal, to creating expense reports for their completed trips and expenses, to approving and processing the expense reports, all the way to automatically importing the data into Microsoft Dynamics GP so you can quickly pay your employees, corporate cards, and vendors.

Enough of the marketing speak though. This solution can save your organization both TIME and MONEY. At Convergence last week, I had an opportunity to co-host an Interactive Discussion with over 50 Dynamics GP customers that were either using the Concur solutions today OR were interested in using them. Some of the current customers in the room spoke of their ACTUAL benefits after going live on the service.  One said they’ve cut expense report processing time by over 60%! Another said they’ve had a number of times where the Concur service identified employee expense fraud, and another described how it has helped them reduce expenses by better managing the travel policy with their employees.

I’ve seen a number of demos of the Concur Travel & Expense service, and each time I come away impressed by how easy the system is to use, and how incredibly feature rich it is! There are tons of great features, but my personal favorite has to be the Concur Mobile app. If you are out to eat with a client and don’t feel like grabbing that paper receipt for your expense report, just whip out your mobile phone and snap a picture of the receipt.  The next time you create your expense report, an entry for your dinner and a picture of the receipt are waiting for you to add it to the report! I hate coming back from a business trip with a wallet full of paper receipts…this little app (which is included for no extra charge from Concur!) would totally eliminate that and make filling out my expense reports SO much easier.

That little feature just scratches the surface though. There are a ton of other features as well that will save your company real dollars and your employees real time. Wouldn’t you rather have your sales people selling, or your other employees actually working on improving the business, as opposed to submitting and approving expense reports?!  If so, contact your Dynamic GP Partner today for more information on this great new service and integration!

AndyW