Overview
As a CIMcloud customer, you can use this ERP Sync Security Checkup to verify you are following recommended practices related to the operations of the ERP Driver Sync Tool that syncs data between CIMcloud and your ERP system.
This article includes the following checklists:
- Checklist #1 Remove Remote Access
- CIMcloud does not need or want remote access to your systems to run and support the ERP Sync Tool.
- Use this checklist (and additional articles) to insure you have removed remote access to your server / network.
- Checklist #2: Use Designated Users & Strong, Unique Passwords
- Use designated users (for Windows, SQL, and the ERP system login) with strong, unique passwords on the users that the ERP Sync Tool uses.
- Warning: Be sure to follow the steps outline before making a password change to avoid a stoppage in data syncing.
- Checklist #3: Uninstall The Sync Tool If It’s Not In Use on A Server
- This only applies (to the old server) if you had us reinstall (and move) the Sync Tool to a new server
Instructions
Complete the applicable checklists below and work with your internal IT resources to close any gaps identified.
Want Help?
If you want some expert help, for a fixed fee, a member of the CIM professional services team can walk your team through the below checklists and guide you through making any changes needed.
Checklist #1: Remove Remote Access
Use this checklist to make sure you have removed any remote access path and windows user that was set up for your ERP Sync Tool install process.
In general, CIMcloud does not need or want remote access to your systems to run and support the ERP Sync Tool. If we need to log in to the server to help trouble-shoot a problem (this should be rare if at all), we will arrange an attended access session with you. This access would typically be a step taken after you try the ERP Driver Sync Tool Reboot Steps.
This applies to all CIMcloud customers except those few who are in the middle of a deployment project where the CIMcloud team is actively installing the sync tool on your system. This only happens for a short period of time (typically 1 to 3 weeks) for brand new customers, customers starting a classic-to-current migration, and customers who are undergoing a server change / server move on their ERP system (perhaps while upgrading your ERP system version):
- [ ] Remove remote access windows user
- This is covered in Step #1 of this Removing Remote Access (To Your ERP Server) article.
- This is the windows user that was used by the CIMcloud deployment specialist to log into the server remotely (using either GoToAssist or some other remote access strategy as described above) to install or service the ERP Driver sync tool.
- Note: Do NOT confuse this with the windows user that is required to run ERP Driver. Removing or changing the windows user that ERP Driver uses to run will stop all data syncing.
- [ ] Remove the GoToAssist client (that allows remote access) from your server
- This is covered in Step #2 of this Removing Remote Access (To Your ERP Server) article.
- This applies if you originally installed the GoToAssist client to allow CIMcloud deployment specialists to log in and install the ERP Driver sync tool.
- [ ] Remove any other type of remote access provided to CIMcloud
- This applies if you opted to not install GoToAssist, but instead provided another means of remote access (i.e. remote desktop, etc) to your server to a CIMcloud deployment specialist.
- [ ] Make sure the windows user (or users if you have multiple sync tool installs which is rare) that ERP Driver uses can not be accessed remotely (from outside your network)
- You can do this by enabling a “no remote access” group policy
Checklist #2: Use Designated Users & Strong Passwords
Use this checklist to make sure that the logins required to run the ERP Sync Tool use designated users (for Windows, SQL, and the ERP system login) and each user has a strong, randomly generated, unique password.
This checklist applies regardless of whether you are in an implementation project or already live on the CIMcloud platform.
Note: If you think you need to change one or more of your password, contact CIMcloud via a published phone number on our website or via our ticketing system in Extranet to get assistance with the change. The passwords must be updated in the ERP Sync Tool at the same time that you change them or the sync process will stop working (until they are changed… at which point it will catch back up).
- [ ] Verify the ERP Sync tool is using designated users for Windows, your ERP System, and your ERP’s MS SQL Server (if applicable)
- ERP Driver should not use your primary / admin user
- ERP Driver should not share a user with a person on other applications
- This applies to the following 3 users
- Windows users (that the sync tool uses)
- ERP user (that the sync tool uses)
- [if the ERP runs on SQL] SQL Server user (that the sync tool uses)
- [ ] Make sure your passwords (for the above logins) follow use strong, unique passwords
- Password strength
- Good
- Minimum of 12 characters
- Combination of letters, numbers, and special characters
- Randomly generated (i.e. by a password generator)
- Unique to this user (i.e. do not use the same password for multiple logins)
- Best
- Minimum of 25 characters
- All of the above
- Good
- Password storage
- Store these in a secure place (i.e. a password manager)
- Password strength
- [ ] Sage 100 premium only | Verify the SQL database user has read-only access as follows:
- Map this user to these database files:
- MAS_System
- MAS_<production_company_db>
- Map this user to this database role membership:
- public
- db_datareader
- Verify that no other roles are granted
- Map this user to these database files:
Process to Change Passwords
If username or password changes are needed, following this process to insure that you do not temporarily stop the data syncing between CIMcloud and your ERP system.
- Note: You will NOT need to show us or provide us with any passwords during this process. We will log into the tool (on the shared session) and you will enter new passwords directly into the application after we open it (on the screen sharing session).
- Notify us & schedule the change (call the number on our website or post a ticket through your Extranet login)
- Provide us with attended access (a joint call)
- Stop/pause ERP Driver (is this needed?)
- Make the change(s) to the credentials
- We log into the access GUI
- You post the change to the credentials
- Restart ERP Driver
- We both test / verify to make sure it worked
- We end the attended call
Checklist #3: Uninstall The Sync Tool If It’s Not In Use on A Server
This applies to servers that were running the ERP Driver Sync Tool, but are not longer running it (because your more your ERP and/or the ERP Sync Tool service to another / new servers). This only applies to CIMcloud customers that 1) completed a classic-to-current migration (this removes the old install of the sync tool), or 2) changed the server that their ERP driver sync tool was running on (but that server is still in use running other things).
- [ ] Follow the steps in the ERP Driver Uninstall Process