Customers who use on premise versions of Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central need to be aware that there are currently number of issues affecting on premise versions of both products:
- A NAV vulnerability, detected by Microsoft, that can allow malicious code to be executed on the server.
- A number of our clients are currently using versions of SQL Server which are out of mainstream support and some are also out of extended support. This means that Microsoft will no longer provide any updates.
- Windows 2012R2 is going out of support on 10 October 2023.
Details of each of these issues can be found here.
What do I need to do?
To help NAV and BC customers affected by one or more of these issues, TVision Technology is offering the following:
- Watch the webinar with our technical expert discussing options/next steps.
- Following this, if required, you can schedule a 30-minute call with our technical expert to discuss your individual requirements and establish what immediate actions are required. Unless the patch can be applied and work completed in a further 30 minutes, any required work will be carried out as a standard chargeable Change Request.
- Book one of our Performance Review programmes, which takes place over the course of a month (pricing on request). This will involve weekly diagnostic activities to understand how we can improve system performance. This option will be of particular interest to clients on older systems and/or SQL servers.
Transcript
0:00
Thank you for joining us today. Hopefully you can see my screen and everybody else, as well. So, today, we’re going to be talking about the issues affecting our on prem NAV and BC clients.
0:11
I’m going to be talking through the options, what we can do and how we can help you.
0:16
My name is Danusia Jolliffe, I’m the Marketing and Customer Service Director here at TVision, I’ve been with the business for about six years now. I’m also joined by Mike. You, can you just give me, give us all a quick introduction. And the work you have done previously.
0:32
Hi there, so I’m Mike, IT consultant at TVision. I’ve been working with TVision for 20 ish years. So quite a long time now.
0:44
So, you see, I’m, I’m here as a consultant to, to talk to you about the technical issues.
0:52
OK, so we have the three issues that we’d like to discuss, the on-premise security vulnerability, the SQL Server End of Life information, and also the Windows Server 2012R2 end of life. This was all included in a blog, and the links there, and we will be sending this out to you afterwards.
1:12
So, Mike, over to you. Can I get you to talk those, through those three issues that are affecting, potentially affecting our clients? Yeah, sure.
1:20
So, as you’re probably aware from, from reading the blog, back in December, last year, Microsoft realised that there was a security vulnerability that’s affecting NAV and BC, and has been there since 2009.
1:38
So, it’s yeah, it’s it’s been around a while, it’s just been identified. The vulnerability itself is fairly low risk.
1:49
It lowers the risk, even more depending on, on how your, your setup. If your clients are in a secure network behind a firewall, or a VPN, that, that, that really goes, goes down quite a bit. It’s, what the vulnerability can do, via the windows client. If an attacker can connect onto a machine that’s got, that’s on your network, that’s got the Windows client running.
2:22
And that windows client is also authenticated, then the attacker could exploit some, some vulnerability which potentially could let them takeover using the service account.
2:37
So again, it really is, if your network is secure, you’re sitting behind a firewall. Or you’re using a VPN for your, for your client, that vulnerability is pretty low. But it’s just something that we’ve got to make you aware of, as Microsoft found out in December. As far as I know, nobody has actually reported having this exploited.
3:02
And the vulnerability has been around, as I say, for 13 years.
3:06
Someone has actually asked the question, saying, doesn’t affect affect the web client as well.
3:12
No, it purely affects the full fat Windows client that’s installed on the laptops or desktops, and say it has to be authenticated as well for that vulnerability to be exploited.
3:27
OK, the versions of NAV go way back to, I think it’s 2013, so it was in 2013, which version seven?
3:38
This hasn’t been affected for that version, but it’s everything going forward. So it’s 2013 R2 to 2015, 2016, 2017, 2018.
3:50
And then all the Business Central versions right through. Um, Microsoft have released a cumulative update for the fix, and that goes back to, say, 2013 R2. They released a cumulative update, is a technical update.
4:07
So it’s effectively is just just the files or DLLs executables that need to be installed on graded on the server. And also every every client machine. So depending on the number of client machines you’ve got, it can be a pretty big job. So, weigh that up really with the risk, if your network is secure, etcetera, etcetera, then um it’s really, it’s up to you guys how you want to proceed with that.
4:31
And it’s the same with Business Central. There’s been wave updates released to fix it, as well.
4:41
Can you cover off the SQL server for me? Yes, so, Microsoft obviously end of life, on my notes, on SQL. Obviously, SQL 2005 went end of life back in April 2016, and then SQL Server 2008, which some customers I know are running. That went out end of Life 2019.
5:10
And then most recently, SQL Server 2012, which is still quite heavily used, that went end of last year, in July.
5:19
And then the next version is coming out to the end of life, is 2014, and that’s going to be in July next year. So at that point, Microsoft will stop. Any service packs, any updates. Security updates, things like that for those versions.
5:34
So, if that’s a business-critical risk that you need to be on the latest version, or patched, or updated, then that’s something you will need to think about.
5:47
Generally speaking, every every case would be individual we need to look at. But generally speaking, the SQL Server version isn’t an issue.
5:57
Depending on the version of NAV you’re running. I think pretty much, and maybe Rob can correct me if he’s in ear shot. But I think pretty much any database will quite happily run on any SQL server version.
6:10
Um, the problem can, can, can be around the operating systems. And what versions of SQL will actually be supportive, installable on that operating system. And then, also, you’ve got operating system issues with older versions of NAV.
6:25
Which I’ll come on to. The SQL Server version is really, will support pretty much any any database going, going back.
6:35
We have another question saying, if you upgrade SQL Server, does NAV need to be upgraded as well at the same time. OK, so, so, SQL itself? No.
6:47
However, if you are updating, for example, if you’ve got a Windows 2008 Server, um, there will be limitations on the versions of SQL you can update to. So, I don’t think you can put a new version of SQL on a 2008 Server.
7:05
So, so, you would have to upgrade your operating system to be able to install a new version of SQL, and then that will have complications. Potentially, if you’re running an older version of NAV, that might not be supported running on the operating system. So you’d have to update all three.
7:27
Anything to add on the Windows server or? So 2012 R2 and 2012, which coming end of life, in October this year, there’s still heavily used. We’ve got a lot of lot of clients. And a lot of the world is still using 2012 R2.
7:46
But it’s really just just to make people aware that it is becoming end of life.
7:51
Obviously, as a server, there will be no security updates will be coming down the line when that goes end of life in October. So, again, for some businesses that do need to keep everything secure, and up to date and patched for various, various reasons, that’s actually something that people need to think about.
8:11
Great, Thank you. Another question has come in that I missed earlier. It was, does it make a difference if we use Windows authentication versus user and passwords, which I’m assuming relates to the first section that we were talking about.
8:24
Um, so, I may need Rob to answer that specific question on the security. I believe it’s a, potentially, it will be, any any authenticated user. However, it could be that it needs to be domain authentication. So I don’t know whether the Rob can possibly answer that question.
8:45
Yeah, we’ve got Rob here in the room as well for some of these more technical questions. Rob, it should work, the attack could be with any authentication.
8:56
It does depend on, on the authentication being … before the attack can be mapped.
9:04
Somebody actually has to authenticate through the service. And then the attack …… So it has to be an authenticated user on the, on the machine that’s already been attacked and taken over, but, but then, yeah, and any, any connection into into NAV, whether it’s using Windows authentication or username, password.
9:29
OK, anything else to add on those three? That cover those, mainly, as well, I mean, it’s highlighted within the blog. I think it’s important to hear it from you.
9:39
I mean, I mean, 2012 R2 is, is widely used, and that’s also coming out to end of life. Previous to that, the Windows 2008 went end of life January 2020. Some people still that, but obviously not too many. And then, before that, we go back to Windows 2000, which went end of life 2010. So it’s a really, it’s just to highlight the 2012 coming up for end of life.
10:07
OK, great, thank you.
10:11
So I’m just trying to advance the slides, so when I sent the information out, obviously, to outline the options in the relation to the blog that was sent.
10:20
Obviously, we’ve got this first online Q&A session for you to highlight, and for anyone else to ask any questions as we’re going along.
10:27
So after this, we were offering a half hour call with yourself Mike, so if anyone wants to take us up on that, and then we’re quite happy to arrange that for you. Just contact us directly and we’ll get that sorted out. And then if that is able to resolve, and you work out what next steps are, that would be great. And then just as a final option, we’re talking about a performance review. I think that’s going to be specific, and very relevant to each individual client. Can I ask for a real a high-level overview from you Mike, in case someone wants to get that organised? Yeah, yeah, absolutely.
11:01
So high-level performance overview. We’ll be looking at, obviously looking at things like your operating system, versions, SQL version, et cetera, and highlighting any vulnerabilities that might be around SQL or patching, et cetera. And then really it’s more of a deeper dive into SQL itself, and see how that’s performing. So we would install some some monitoring. We will be recording logs. Generally, we would maybe record logs, have a week’s worth of logs, and then take a review and look at table sizes, if any tables need reducing, truncating etcetera. We will be looking at, if there’s any deadlocks and locking and we will be pulling the logs out from there and then reviewing on a weekly basis and may be doing this over several weeks. Each, each week, once we discover, if there’s any indexing, this may be needed, those indexes will be applied. And then they would be reviewed again a week later.
12:00
We will be looking at disk space, backups, maintenance plans around SQL.
12:05
So that’s kind of a high level. What the sort of thing that we do, we can do?
12:09
Great. Thank you. Sorry my screen was glitching just there.
12:13
So, do you think that would be covered within four to six weeks would you say? Yeah absolutely. So, so really that the, the, the quite a bit of work at the start installing the monitoring tools, setting up the logging, and then really is a week by week looking at those logs and analysing the data and seeing where we can make some recommendations on performance.
12:36
And then again, the next week, the next week, also reviewing. So, over a four to six-week period. OK I just wanted to see if we’ve had any more questions come in. I haven’t had many more yet.
12:55
Yup. Very quiet audience, today. We were expecting a few more question. Unless anyone has anything else to ask. This was only intended to be a short session, highlighting the key areas, the vulnerabilities, the servers, ……make sure it’s as secure as possible. And then obviously outline ….
13:23
Unless Mike, you have anything to add, I think we can wrap up. Yeah, no, no, there’s nothing further from me.
13:31
OK, well, thank you so much. Short session will be contacting everybody after this call, those who attend and those who didn’t, and will offer the video. You can review the content and also try and arrange a call for you. Thank you, Mike so much for your time today. Alright, thanks, guys. Thank you, everyone.
