Sage Software has recently posted a security bulletin regarding a potential “folder permissions” problem for users of Sage 50 2016 and earlier. This announcement has come on the heels of the release of Sage 50 2018.2, which is designed to address the “Sage 50 has stopped working” issue caused by a recent Microsoft update to Windows 10, which caused a key DLL file to fail when running certain functions within Sage 50.

Here is the text of the Sage 50 security bulletin from Sage Software:

The following potential security risks have been identified with folder permissions. Failure to update your folder permissions exposes your information to increased security risks.

• During the installation process, users of Windows 7 and Windows Server 2008 R2 had permissions applied to some installation folders that have now been identified as posing a potential security risk.
  • Granting full permission of shared data files to the group “Everyone” presents another potential security risk for all multi-user installations (including Windows 7/Windows Server 2008 R2). To address the security risk related to shared data files and folder permissions, please reference the following article in the Sage Knowledgebase: KB 10211.
  • To address the potential security risk related to installation, we have created a utility which must be run on all Windows 7/Windows Server 2008 R2 computers with Sage 50 installed that will adjust those permissions. In certain instances, it may be preferable to manually set permissions on the Sage 50 program path folders as an alternative to running the utility. Please reference the Sage Knowledgebase article,  KB 89438, for instructions on accessing and running this utility, as well as manually setting folder permissions.
  • Note: For either security risk to be exploited, an unauthorized user would need to have access to either your computer or to your local area network.

We were caught unawares about the release of this bulletin, and are unclear as to whether or not this security bulletin was released as a direct result of a security breach reported by one or more Sage 50 users. To date we have had no reports of security compromises in the Sage 50 databases for any of our hundreds of Sage 50 clients.

As we are comfortable with our own internal security protocols (we use a Dell SonicWALL to restrict unauthorized access to our internal servers), we have not made this change to our own internal Windows 2008 R2 server that houses Sage 50.

At this time we suggest that you forward this information to your IT service provider to discuss the pros and cons of making the recommended changes to your Sage 50 folder permissions. If you do not have a working relationship with an IT service provider, feel free to email us at [email protected] or give us a call at 610-941-2116 to discuss further or be referred to an IT service provider.