SAGE 100 SECURITY BEST PRACTICES

Sage 100 Security
Practical Security Guidance for Sage 100 Customers

Sage 100 security requires more than reviewing users inside the software. Depending on how Sage 100 is deployed, security may also involve your Windows server, workstations, remote access tools, hosting provider, backups, SQL Server, third-party integrations, and internal IT policies.

This page is designed to help Sage 100 customers understand the key areas they should review to help protect their system, data, and users.

The goal is not to turn your accounting team into network engineers. That would be rude. The goal is to help identify the right security questions and make sure the right people are reviewing them.

 

Start with Your Sage 100 Environment

The first step is understanding how your company accesses Sage 100.

 

On-Premise Sage 100

If Sage 100 is installed on your own server, your internal IT team or managed service provider should help review:

  • Windows Server security
  • User access to the server
  • Network permissions
  • Workstation setup
  • Antivirus and endpoint protection
  • Server patching
  • Backup and restore procedures
  • Remote access controls

ACC can help review Sage 100 application security, but the server and network environment should also be reviewed by your IT provider.

 

Hosted Sage 100

If Sage 100 is hosted by a third-party provider, many server-level protections may be handled by the hosting company. However, your company should still validate what is being managed and what remains your responsibility.

Questions to ask your hosting provider include:

  • Is multi-factor authentication required for remote access?
  • How are users added and removed?
  • How quickly can former employee access be disabled?
  • Are backups performed daily?
  • How long are backups retained?
  • Are backups tested for restoration?
  • Who has administrator access to the hosted server?
  • How are ACC, consultant, or third-party support users granted access?

Hosted does not mean “nothing to review.” It means the review includes the hosting provider, because apparently responsibility likes to hide in contracts.

 

Review Sage 100 Users and Roles

Sage 100 allows companies to create roles and assign those roles to users. Roles can control access to companies, modules, menus, tasks, and security permissions.

A good security review should include:

  • Active Sage 100 users
  • Former employee access
  • Administrator access
  • User roles by job function
  • Access to sensitive modules
  • Users assigned to multiple roles
  • Access to create, modify, remove, update, print, or view records
  • Access to company maintenance and security settings

Roles should match actual job responsibilities. For example, Accounts Payable, Sales Order Entry, Warehouse, Purchasing, Controller, and Read-Only Reporting users should not all have the same access.

 

Limit Administrator Access

Administrator access should be limited to a small number of trusted users.

Companies should review:

  • Who has administrator access
  • Whether administrator access is still needed
  • Whether shared administrator accounts are being used
  • Whether former employees or consultants still have access
  • Whether administrative access is being used for daily processing

Administrator access should not be assigned casually. “They are good with computers” is not a security policy. It is how chaos gets a login.

 

Secure Remote Access

Many Sage 100 customers access the system through Remote Desktop Services, Citrix, or a hosted desktop. Remote access should be reviewed carefully because it is often the front door into the system.

Recommended areas to review include:

  • Multi-factor authentication for remote login
  • Named user accounts instead of shared logins
  • Former employee access removal
  • Remote desktop permissions
  • Idle session timeout policies
  • Copy/paste or file transfer controls
  • Consultant and support access
  • Hosting provider access policies

Sage’s documentation includes specific considerations for Remote Desktop Services and Citrix environments, including workstation setup and server configuration considerations.

 

Validate Backups and Disaster Recovery

Backups are part of security. If data is damaged, deleted, encrypted, or lost, your recovery plan becomes just as important as access control.

Companies should confirm:

  • Sage 100 data is backed up
  • The MAS90 folder is included where appropriate
  • Custom reports and forms are backed up
  • Sage Intelligence repositories are backed up if used
  • SQL Server databases are backed up for Sage 100 Premium
  • Third-party integration folders are included
  • Backups are stored off the production server
  • Restore testing is performed periodically

A backup that has never been tested is just a very confident guess.

 

Review Third-Party Integrations

Sage 100 environments often include third-party tools for EDI, shipping, credit card processing, reporting, warehouse management, custom scripts, and other integrations.

Each integration should be reviewed to confirm:

  • What system it connects to
  • What access it requires
  • Whether it uses a dedicated account
  • Whether it has ODBC or SQL access
  • Whether it is still actively used
  • Whether it is included in upgrade planning
  • Whether it is included in backup planning

Unused integrations and old access points should be removed or disabled.

 

Stay Current and Supported

Running unsupported software can increase security and operational risk.

Companies should review:

  • Current Sage 100 version
  • Supported Windows Server version
  • Workstation compatibility
  • Third-party enhancement compatibility
  • Payroll, credit card, and reporting requirements
  • Sage 100 2026 64-bit readiness
  • Upgrade testing requirements

Sage’s 2026 installation guide notes that Sage 100 2026 is 64-bit only and includes specific upgrade planning considerations for customers with older 32-bit versions installed.

 

Quick Sage 100 Security Checklist

Use this as a starting point:

  • Review all Sage 100 users
  • Disable former employee access
  • Limit administrator access
  • Review roles by job function
  • Confirm hosted or on-premise responsibilities
  • Validate remote access security
  • Confirm MFA where available
  • Review server and workstation access
  • Confirm backups are running
  • Test backup restoration
  • Review third-party integrations
  • Confirm Sage 100 is on a supported version
  • Include Sage 100 in employee offboarding procedures

 

How ACC Can Help

ACC Software Solutions can help Sage 100 customers review application-level security and identify areas that should be discussed with internal IT or a hosting provider.

ACC can assist with:

  • Reviewing Sage 100 users and roles
  • Reviewing administrator access
  • Identifying inactive users
  • Reviewing access by company, module, menu, and task
  • Discussing hosted versus on-premise responsibility areas
  • Coordinating review items with your IT provider or hosting company
  • Reviewing upgrade readiness and 64-bit planning
  • Helping document a recurring security review process

 

Need Help Reviewing Your Sage 100 Security Settings?

ACC Software Solutions can help your team review Sage 100 user access, roles, administrator permissions, hosted environment questions, remote access concerns, and other security best practices.

Contact ACC Support
Email: support@4acc.com
Website: www.4acc.com/support

 

Resources

Solutions by Industry

Manufacturing
Read More
Distribution
Read More
Medical
Read More
Financial
Read More
Services
Read More

What's New

The Hidden Cost of “We’ve Always Done It This Way”

Read More

Submitted by Stephanie Dean on Tue, 04/28/26 - 9:26

Sage 100 Updates: Why Staying Current Is Critical

Read More

Submitted by Stephanie Dean on Fri, 04/17/26 - 14:19

Eliminating Manual Processes with Modern ERP Tools

Read More

Submitted by Stephanie Dean on Mon, 04/13/26 - 11:49

Whatever Your ERP Needs, We Have the Solution!

Or call us for a free consultation 866-379-3799