Everyone is worried about security these days, and GP users are no exception. Clients often ask me and my team about best practices for keeping bad actors out of their systems. This is a good thing; however, their questions tend to focus on outside threats and ignore internal issues when it comes to Dynamics GP security.
The good news is, there are simple steps that finance team members can take. You can reduce the ability and the temptation for an unhappy team member, or an outsider wandering through your department, to do something untoward.
- Don’t walk away from your computer without locking it, so that a password is required to access the data. In Windows 10, you lock your computer by clicking on the Windows icon in the lower left corner of the monitor. Then, click on the “person” icon and choose Lock.
- Don’t keep your password on a Post-It note on the monitor or in your desk drawer. I know this one should be a “no-brainer,” yet, I still see this when I visit client offices.
- Take the time to sort out User Security by role and user. Set up additional roles if needed. We all know that sometimes, GP security can be a little frustrating. Nevertheless, resist the temptation to set up everyone as a POWERUSER. Doing so defeats the purpose of having User Security available to you. Consider using GP Power Tools from Winthrop Development Consultants to troubleshoot user security issues. Also, talk with your auditor about recommended separation of duties, and put a plan in place.
- Have the person in charge of setting up new GP users check the boxes for Enforce Password Policy in the User setup window. This will force users to have GP passwords that follow the network group policies for length and complexity.
- Your security administrator should also choose to Enforce Password Expiration. This forces GP users to change their passwords after a certain number of days. Your Windows server domain configuration determines the exact number of days until password expiration.
- If you have more than one company in your GP system, you can choose to restrict user access by company. Navigate to Tools – Setup – System – User Access to make sure users only have access to the companies they need.
- Keep access to test companies turned off except when a user is actively testing. Consider restricting access to payroll or payables check printing in your test companies, even for users who have those privileges in the live company.
- Consider audit trail products such as the ones offered by FastPath or Rockton Software. These products can track who is logging into GP. They also can track when GP master records change and who changed them. For example, you can set up a track to show if a user changes a vendor address in GP.
- Do a quarterly review of GP users. Delete user records for anyone who is no longer with the company. Also ask your IT team to disable Windows logins for users who are no longer with your group.
- For remote access to the GP system, ask your IT team if they have a VPN in place. Allowing access to the server directly via Remote Desktop, with no additional security measures, is not best practice. We also recommend users not remote directly to the SQL server. Set up a separate remote desktop server for access to GP.
- Don’t allow finance or accounting team members to have the ‘sa’ password for daily use of the system. The temptation to do this is strong because of the need to set up new users. The best practice is to work with your database administrator to set up those users in GP. You can give your dba guidance on what company access and roles each GP user needs. Alternatively, you can set up a GP user with the SQL roles for db_accessadmin and db_security, to be used for user setup.
- Don’t share passwords with other GP users. Most of the suggestions above are negated if users are not logging in as themselves. Set up each user with his own password when they are hired. Discourage users from sharing passwords “just to get the work done.”
While there are many steps your IT professionals can take to secure your system, following these guidelines will help prevent your team from sabotaging their efforts to keep your system safe.
Have any questions about Dynamics GP security? Please contact us at any time!