Security and privacy in Microsoft Office Accounting 2009

Security in Microsoft Office Accounting 2009 is built on Windows security. It is designed to offer you control over who has access to your business data and contact information stored in your Office Accounting 2009 company database. Reports built into the product enable you to view every transaction it records. Using Windows security represents a more sound strategy than assigning another password for the application itself. The Accounting 2009 security strategy is designed to protect your data whether it resides in the product database, or in other repositories on your computer, such as Microsoft Office Excel spreadsheets or third-party applications or add-ins.

The following explanation and recommendations are based on best practices for security and privacy.

Authentication

Accounting 2009 relies on Windows authentication to verify access to information. All users must belong to a Windows user group that has access to the computer running Accounting 2009. Instructions on managing users in Windows are part of your Windows documentation.

Authorization

Accounting 2009 includes built-in roles for many of the roles occupied by small business employees. These roles help business owners and application administrators restrict access to your company's financial information, as well as to customer, employee, and vendor information.

For more information about roles in Accounting 2009, see About roles and permissions.

Auditing

Both Windows and Accounting 2009 provide ways for you to track access to and activity on your computer. These become valuable resources should you suspect suspicious activity. Most Accounting 2009 auditing is accomplished through the various built-in reports that track activity. For example, the Transaction Detail by Account report provides a detailed look at the entries posted to the Chart of Accounts. Other reports allow you to see sales, purchasing, or banking activity.

For more information about reports, see About the Reports home page.

In addition, Windows provides tools, such as Event Viewer on the Computer Management console. Event Viewer provides Application, Security, and System logs that record information about computer activity and access. For more information, consult your Windows documentation.

Data security

Accounting 2009 is designed to protect your data whether it is stored on your computer or it is transmitted over the Internet when you use the online services the product offers, such as Marketplace Services for Microsoft Accounting 2009.

Data storage

Your data, such as business transactions and contact information for customers, employees, and vendors, is stored in a file defined and managed by Microsoft SQL Server 2005. Accounting 2009 takes advantage of SQL Server security features to control how and when various user roles access the data file. Accounting 2009 handles interactions with SQL Server for you, so it is not likely that you will need to interact directly with SQL Server.

On computers running the Windows Vista operating system, you can encrypt data on your hard drive by turning on BitLocker Drive Encryption. For more information about BitLocker, see Windows Vista Help.

Data transmission

Some of the features of Accounting 2009 communicate over the Internet with third-party services to which you may subscribe, such as eBay, PayPal, Equifax, and Payroll for Microsoft Office Accounting. Accounting 2009 protects this data by using a technology called Secure Sockets Layer (SSL) and Transport Layer Security (TLS). SSL and TLS help protect your data during transmission so that malicious users cannot read or change it.

Best practices

While the security built into Accounting 2009 provides some measure of protection from many security risks, we highly recommend that you take some additional steps to enhance your security:

• Install and configure antivirus software and keep it updated by maintaining an active subscription for updated virus signature files.

• Turn on Windows Firewall, which you can access in Control Panel. You may also want to use a hardware firewall for additional protection. For more information about hardware firewalls, contact your Internet service provider (ISP).

• Keep your operating system and application software up to date by using Microsoft Update for Microsoft products and your software provider's site for non-Microsoft software.

• Run your application while logged on using a standard user account, not as a Windows Administrator. Many people run their computers while using System Administrator permissions for the sake of convenience. However, this allows malicious software and unauthorized users full control over the entire computer. Accounting 2009 is not only designed to run under a standard user account, it provides a special role, Application Administrator. This role grants a business owner the permissions and access necessary to manage the application database file, a task that ordinarily requires System Administrator permissions. Furthermore, the Application Administrator only has access to SQL Server database files used by Accounting 2009 and may not access SQL Server databases used by other applications on the computer.

• Use a strong password for your Windows account. Strong passwords help keep your account secure by making it more difficult for a malicious user to gain access. A strong password must be at least seven characters long and must contain letters, numerals, and symbols. The password should not contain recognizable words or dates, which can make a password easier for a malicious user to detect. An example of a strong password might be @sdE-.A^. For more information, see Creating strong passwords.

• Guard against social engineering. In a social engineering attack, a malicious user contacts a company to obtain information that is then used to gain unauthorized access to the company's computers. For example, someone might pose as a company employee asking for user name or password information. To prevent social engineering attacks, ensure that you never give user name or password information to anyone whom you do not know or whose identity you are unsure of.

Additional resources

To maintain the privacy and security of your computer, periodically visit the following Web sites for updates and best practices:

• Search the Support Knowledge Base

• Protect Your PC

You can also sign up to receive Microsoft Security Update e-mail alerts through the Microsoft Web site. This service is designed to notify home users and small business subscribers when Microsoft releases an important security bulletin or virus alert, and also lets subscribers know how to guard against a circulating threat. This service is currently available in U.S. English only and requires that the subscriber register with a Windows Live ID account.