Microsoft Dynamics CRM 2011 – Best Development Practices (Security Best Practices)


This blog describes best practices for Microsoft Dynamics CRM 2011 security. Follow these guidelines to help protect your business data.

General: Best practices for securing your implementation of Microsoft Dynamics CRM include the following:

  • Assign the least privileges required to the account that runs the Microsoft Dynamics CRM application pool.
  • Require that all users use strong passwords for their accounts. For more information, search for “strong passwords” in Windows Help.
  • Divide your organization into business units that match the organizational structure when you set up Microsoft Dynamics CRM. You can then restrict access based on roles.

Roles, Privileges, and Access Rights: Best practices for use of the Microsoft Dynamics CRM security model include the following:

  • Strictly limit the number of people assigned the System Administrator role. Never remove this role.
  • Create roles according to the security best practice of least privilege, providing access to the minimum amount of business data required for the task. Assign users the appropriate role for their job.
  • If a user needs additional access levels or rights, create a new role containing only those specific privileges and add the user to it. A user’s effective rights are the union of all the roles assigned to him or her, so do not add privileges that only one or a few members need to the original role.
  • Use sharing, when appropriate, to give specific users specific rights on individual objects, rather than broader privileges on all objects of a given type.
  • Use teams to create cross-functional groups, so that specific objects can be shared with the team.
  • Train users who have sharing access rights to share the minimum information needed.
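The sharing and team bullets above describe record-level access, which the SDK exposes through the GrantAccess, RetrievePrincipalAccess and RevokeAccess messages. The following is an added example written for this post, not code from the original or from Microsoft: it shares one account with a team, granting only the rights the task needs, verifies what was granted, and revokes the share afterwards. It assumes the Microsoft Dynamics CRM 2011 SDK assemblies (Microsoft.Xrm.Sdk and Microsoft.Crm.Sdk.Proxy), an already authenticated IOrganizationService, and placeholder account and team ids.

```csharp
// Added example (not from the original post): least-privilege sharing of a
// single record with a team, followed by a check and a revoke.
// Assumes Microsoft.Xrm.Sdk and Microsoft.Crm.Sdk.Proxy from the CRM 2011 SDK
// and an IOrganizationService that is already connected and authenticated.
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;

public static class LeastPrivilegeSharing
{
    // Share one record with a principal (systemuser or team) for the given
    // rights only. Sharing is per record, so the principal gains nothing on
    // other records of the same type.
    public static void ShareRecord(IOrganizationService service,
        EntityReference record, EntityReference principal, AccessRights rights)
    {
        var grant = new GrantAccessRequest
        {
            Target = record,
            PrincipalAccess = new PrincipalAccess
            {
                Principal = principal,
                AccessMask = rights
            }
        };
        service.Execute(grant);
    }

    // Return the rights the principal currently holds on the record. The
    // result reflects effective access (share plus roles), so it is a check
    // that no more than the intended rights are in play for this record.
    public static AccessRights GetRights(IOrganizationService service,
        EntityReference record, EntityReference principal)
    {
        var request = new RetrievePrincipalAccessRequest
        {
            Target = record,
            Principal = principal
        };
        var response = (RetrievePrincipalAccessResponse)service.Execute(request);
        return response.AccessRights;
    }

    // Remove the share once the task is finished.
    public static void Unshare(IOrganizationService service,
        EntityReference record, EntityReference principal)
    {
        service.Execute(new RevokeAccessRequest { Target = record, Revokee = principal });
    }

    // Worked flow. accountId and teamId are placeholders (assumption).
    public static void Example(IOrganizationService service, Guid accountId, Guid teamId)
    {
        var account = new EntityReference("account", accountId);
        var reviewTeam = new EntityReference("team", teamId);

        // The review team only needs to read the account and attach notes
        // (Append To). No Write, Delete, Assign or Share right is granted, so
        // the team cannot alter, remove or pass the record on.
        ShareRecord(service, account, reviewTeam,
            AccessRights.ReadAccess | AccessRights.AppendToAccess);

        AccessRights granted = GetRights(service, account, reviewTeam);
        if ((granted & (AccessRights.ShareAccess | AccessRights.DeleteAccess)) != 0)
            throw new InvalidOperationException(
                "Team holds Share or Delete on this record; review its roles and shares.");

        Unshare(service, account, reviewTeam);
    }
}
```

Sharing with a team rather than with each reviewer individually keeps the grant in one place, and revoking it when the work is done is what stops per-record shares from accumulating into broad, forgotten access.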

Client-Side Development: Best practices for developing customizations for the web application, Microsoft Dynamics CRM for Microsoft Office Outlook, or Microsoft Dynamics CRM for Microsoft Office Outlook with Offline Access include the following:

  • Use web resources rather than pages that require server-side processing whenever possible. If your requirements can only be met with server-side processing, adhere to the requirement that your custom webpages are installed in a separate website from Microsoft Dynamics CRM, so that the browser does not treat them as part of the Microsoft Dynamics CRM origin. Set the trust level for that site appropriately, depending on your confidence in the security of your code. This mitigates cross-site scripting and similar threats.
  • For the best security, be sure your separate website runs under a different account from Microsoft Dynamics CRM. This account should have the minimum access possible and must not have direct access to the Microsoft Dynamics CRM databases. Because only your application logs on with this account, never a person, you can give it an extremely complex password that does not expire.
  • Avoid use of ActiveX controls because they have known security problems.
  • Use plug-ins for business logic that must be applied regardless of how the data changes are made. Form script runs only when a record is edited in a form and is bypassed by data import, workflows, bulk edit, and direct web-service calls; a plug-in runs on the server for every one of those paths.
  • Always use a modal confirmation dialog when deleting records or applying sensitive changes, such as adding a new user to a security role. This helps prevent techniques such as clickjacking (UI redressing), where a malicious developer embeds your page inside a seemingly innocuous page to trick a user into performing actions that compromise security or make unwanted changes to data. The dialog helps because the browser draws it outside the page, where an attacker’s overlay cannot hide it; it does not replace server-side checks, since a request that bypasses the page never sees the dialog.
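The plug-in bullet above is the one that actually enforces a rule: script on a form is advisory, a plug-in is not. The following is an added example written for this post, not code from the original or from Microsoft. It is a pre-operation plug-in that refuses a discount above a threshold unless the calling user holds a named security role, looked up on the server. The entity attribute name "new_discountpercent" and the role name "Discount Approver" are placeholders, and the CRM 2011 SDK assemblies (Microsoft.Xrm.Sdk) are assumed.

```csharp
// Added example (not from the original post): a pre-operation plug-in that
// enforces a rule on the server, so it holds whether the change arrives from
// a form, the Outlook client, data import, a workflow or a direct web-service
// call. Assumes the CRM 2011 SDK (Microsoft.Xrm.Sdk, Microsoft.Xrm.Sdk.Query).
// The attribute "new_discountpercent" and the role "Discount Approver" are
// placeholders for this example.
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public class DiscountApprovalPlugin : IPlugin
{
    private const string DiscountAttribute = "new_discountpercent"; // assumption
    private const string ApproverRole = "Discount Approver";        // assumption
    private const decimal Threshold = 20m;
    private const int PreOperationStage = 20;

    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));

        // Register this step on the Pre-Operation stage of Create and Update.
        // Any other registration is a mistake, not a reason to let the change through.
        if (context.Stage != PreOperationStage ||
            (context.MessageName != "Create" && context.MessageName != "Update"))
            throw new InvalidPluginExecutionException("Register on Pre-Operation Create/Update only.");

        // Target carries only the attributes being written. If the discount is
        // absent, this request does not touch it and there is nothing to check.
        Entity target = context.InputParameters.Contains("Target")
            ? context.InputParameters["Target"] as Entity
            : null;
        if (target == null || !target.Contains(DiscountAttribute))
            return;

        decimal discount = target.GetAttributeValue<decimal>(DiscountAttribute);
        if (discount < 0 || discount > 100)
            throw new InvalidPluginExecutionException("Discount must be between 0 and 100.");
        if (discount <= Threshold)
            return;

        // InitiatingUserId is the real caller even when the request runs under
        // an impersonated user (context.UserId), so the role check uses it.
        // The lookup itself runs as SYSTEM (null) so that it does not depend
        // on whether the caller may read role records.
        IOrganizationService system = factory.CreateOrganizationService(null);
        if (!UserHasRole(system, context.InitiatingUserId, ApproverRole))
            throw new InvalidPluginExecutionException(
                "Discounts above " + Threshold + "% require the " + ApproverRole + " role.");
    }

    // Resolve role membership through the systemuserroles intersect entity on
    // the server rather than trusting anything the client sent along.
    internal static bool UserHasRole(IOrganizationService service, Guid userId, string roleName)
    {
        var query = new QueryExpression("role") { ColumnSet = new ColumnSet("roleid") };
        query.Criteria.AddCondition("name", ConditionOperator.Equal, roleName);
        LinkEntity link = query.AddLink("systemuserroles", "roleid", "roleid");
        link.LinkCriteria.AddCondition("systemuserid", ConditionOperator.Equal, userId);
        return service.RetrieveMultiple(query).Entities.Count > 0;
    }
}
```

Two points worth keeping in mind when adapting this: roles can also reach a user through team membership in CRM 2011, so a production check would add a second query through teamroles and teammembership; and a corresponding form script that hides or warns about the field is still useful for usability, it just is not where the rule lives.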

Security best practices for your website include the following:

  • Do not use anonymous access.
  • Use Integrated Windows Authentication (Kerberos or NTLM), or Basic authentication only over Secure Sockets Layer (SSL), because Basic sends the credentials in clear text.
  • Use SSL to avoid sending unencrypted data over the network if your website is on a different computer from Microsoft Dynamics CRM.
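The three bullets above are normally enforced by IIS and web.config settings on the separate website. The following is an added example written for this post, not code from the original or from Microsoft: an ASP.NET HTTP module that fails closed if those settings are missing or later relaxed, refusing plaintext HTTP before any credential is processed and refusing any request that reaches the application without an authenticated user. It assumes the site is an ASP.NET application on IIS and that the module is registered in web.config.

```csharp
// Added example (not from the original post): a backstop HTTP module for the
// separate website that hosts custom Dynamics CRM pages. IIS and web.config
// remain the primary controls; this module refuses requests that should never
// have reached the application if those controls are misconfigured.
using System;
using System.Security.Principal;
using System.Web;

public class SecureSiteModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += RequireSsl;
        app.PostAuthenticateRequest += RequireAuthenticatedUser;
    }

    // Runs before authentication, so a Basic credential is never accepted
    // over a cleartext connection.
    private static void RequireSsl(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;
        if (request.IsSecureConnection)
            return;

        HttpResponse response = app.Context.Response;
        if (request.HttpMethod == "GET" || request.HttpMethod == "HEAD")
        {
            // Safe to redirect: nothing sensitive travelled in a request body.
            // Port = -1 drops the explicit port so the default https port is used.
            var secure = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
            response.StatusCode = 301;
            response.RedirectLocation = secure.Uri.AbsoluteUri;
        }
        else
        {
            // A POST over HTTP already exposed its body; do not replay it over SSL.
            response.StatusCode = 403;
        }
        app.CompleteRequest();
    }

    // Runs after IIS/ASP.NET authentication. With anonymous access disabled in
    // IIS this never fires for an unauthenticated caller; if someone re-enables
    // anonymous access, the request is still rejected here.
    private static void RequireAuthenticatedUser(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (IsAuthenticated(app.Context.User))
            return;
        app.Context.Response.StatusCode = 401;
        app.CompleteRequest();
    }

    internal static bool IsAuthenticated(IPrincipal user)
    {
        return user != null && user.Identity != null && user.Identity.IsAuthenticated;
    }

    public void Dispose() { }
}
```

Register the module under `<system.webServer><modules>` in the site’s web.config and keep `<authentication mode="Windows" />` with `<authorization><deny users="?" /></authorization>` alongside it; the module is a guard against drift, not a substitute for those settings or for disabling anonymous authentication in IIS.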

The blog post above is based on, and is a summary of, the best practices guidelines given by Microsoft.

I hope this blog about ‘Microsoft Dynamics CRM 2011 – Best Development Practices (Security Best Practices)’ was informative. Please feel free to leave your comments.
