Accpac security review

[johnhugh]

Hello,

I'm currently spending some time thinking about how to secure Accpac for unauthorized access.
Actually not only Accpac itsself but also the terminal server it is running on.

What are the minimum user rights an Accpac user needs to run Accpac in a domain environment? Poweruser or is User sufficient? Is it enough for users to just have read access to the Accpac program + data folder?

What steps have you undertaken to secure your ERP system?

 

[ettienne]

I suppose you want to secure against unauthorized access?
It always helps if you include information about the Accpac version and which database you use, otherwise we may not give relevant information.

Users need read, write, modify access to the program files, users do not need Power User permissions as long as you have run REGACC on the TS.

The question about database access depends on the version of Accpac you are running and which database you are using.

 

[johnhugh]

Sorry, forgot the version.
SQL 2005 Standard, Accpac 5.5A

And yes, against unauthorized access.

 

[johnhugh]

Server 2008

 

[Jay Converse]

Then you are correct, they only need Read access to the program files folder. When I do Accpac installs, I create separate folders - ..\Accpac\Programs and ..\Accpac\Shared, so setting the read permissions on the Programs folder is easy.

As far as SQL goes, as long as they don't know the SQL password, they can't get at the data.

 

[johnhugh]

Thanks for your replies.

I have my Accpac programs and data folder separate.
A specific problem I just had recently was that one user deleted all custom reports under my data folder.

You mentioned the program folder can be set to read only.
So the data folder needs to be read/write?

If that's the case I can't think of a way to prevent users from deleting custom reports.

 

[Jay Converse]

Put custom reports in the Programs folder, where only you have write access.