Hardening Business Central server security
Business Central Server is a .NET-based Windows Service application that works exclusively with SQL Server and Azure SQL Server databases. Business Central Server provides an extra layer of security between clients and the database. It applies the authentication features of the Windows Communications Framework to provide another layer of user authentication. It uses impersonation to ensure that business logic is executed in a process that is instantiated by the user who submitted the request. Authorization and logging of user requests are performed on a per-user basis.
Login account
The Business Central Server is configured with a login account, which is referred to as the service account. The service account is used by Business Central clients to log on to the Business Central Server instance. The Business Central Server then uses the service account to log on to the Business Central database.
The default configuration is for the service to log on using the NT Authority\Network Service account. If Business Central Server and SQL Server are on different computers, then we recommend that you configure Business Central Server to log on using a dedicated Windows domain user account instead. This account shouldn't be an administrator either in the domain or on any local computer. A dedicated domain user account is considered more secure because no other services and therefore no other users have permissions for this account. Learn more about using a domain account and configuring the recommended permissions in Provisioning the Business Central Server Service Account.
Authentication
We recommend that your solution uses Microsoft Entra ID for authentication, especially when a solution must access both cloud and on-premises resources. Microsoft Entra ID is a managed identities service that offers various security measures, like:
- Multifactor Authentication (MFA): Adds an extra layer of security beyond passwords.
- Passwordless sign-ins: Users can sign in using methods such as authentication apps, reducing reliance on traditional passwords.
Caution
Microsoft recommends that you don’t use NavUserPassword authentication. Microsoft Entra ID and Windows authentication are more secure alternatives. You should only use NavUserPassword authentication when Microsoft Entra ID and Windows authentication aren't viable.
Disk quotas
Client users can send files to be stored on Business Central Server, so we recommend that administrators set up disk quotas on all computers running Business Central Server. This quota can prevent users from uploading too many files, which can make the server unstable. Disk quotas track and control disk space usage for NTFS volumes, which allows administrators to control the amount of data that each user can store on a specific NTFS volume. For more information about disk quotas, see the Disk Quotas Technical Reference on Microsoft TechNet.
Limiting client services port access
The client services port is used for communication between the Business Central Server and Business Central Web Server. By default, this port is 7085.
Ensure that this port is blocked from external networks, allowing communication only between the Business Central Server and Business Central Web Server.
When the Business Central Server and Business Central Web Server are on different machines, an inbound rule in Windows Firewall is required to allow communication on the port. To improve security, limit access to this port to a specific subnet. One way is to use
netsh
, which is a command-line tool for configuring and monitoring Windows-based computers at a command prompt. The specific version of this command that you would use isnetsh firewall set portopening
. For example, the following command limits access to port 7085 to the specified addresses and subnets:netsh firewall set portopening protocol=TCP port=7085 scope=subnet addresses=LocalSubnet
Data Encryption Between Business Central Server and SQL Server
When SQL Server and Business Central Server are running on different computers, you can make this data channel more secure by encrypting the connection with IPSec. (Other encryption options aren't supported.) Learn more at Enable Encrypted Connections to the Database Engine.
Related information
Configuring Business Central Server
Security and Protection
How to Use the Netsh.exe Tool and Command-Line Switches