Known risks and vulnerabilities

 

Applies To: Dynamics CRM 2013

This topic describes the risks and vulnerabilities that may exist when you use Microsoft Dynamics CRM. Mitigations and workarounds are also described when applicable.

In This Topic

Risks when users connect to CRM over an unsecured network

Security recommendations on server role deployments

Anonymous authentication

Isolate the HelpServer role for Internet-facing deployments

Claims-based authentication issues and limitations

Secure the web.config file

Outbound Internet calls from custom code executed by the Sandbox Processing Service are enabled

Secure server-to-server communication

DNS rebinding attacks

Risks when users connect to CRM over an unsecured network

Issues that can occur when you run Microsoft Dynamics CRM without using Secure Sockets Layer (SSL) (HTTPS) are as follows:

  • Microsoft Dynamics CRM user provided data, including Visual chart definitions, can be altered over an unsecured HTTP connection by using "man in the middle" type attacks. To mitigate this vulnerability, configure Microsoft Dynamics CRM to only use SSL. For more information about how to configure Microsoft Dynamics CRM Server 2013 to use SSL, see Make CRM client-to-server network communications more secure.

Security recommendations on server role deployments

The following recommendations can help make your Microsoft Dynamics CRM deployment more reliable and secure.

Server role

Recommendation

Sandbox Processing Service

Install this role to a dedicated server on a separate virtual LAN (VLAN) from other computers that are running Microsoft Dynamics CRM roles. Then, if there is a malicious plug-in running in the sandbox that exploits the computer, the network isolation from a separate VLAN can help protect other CRM resources from being compromised.

Help Server

Install this role on a separate computer for both IFD and internally-facing deployments. For more information, see Isolate the HelpServer role for Internet-facing deployments later in this topic.

Anonymous authentication

Microsoft Dynamics CRM Internet-facing deployment (IFD) requires anonymous authentication enabled on IIS for claims-based authentication. Notice that the claims-based authentication token doesn’t contain raw credentials or the connection string to Microsoft Dynamics CRM Server. However, the web.config file does contain configuration information about the authentication mode. For more information, see Secure the web.config file later in this topic. To secure the Microsoft Dynamics CRM website, use SSL.

Isolate the HelpServer role for Internet-facing deployments

Microsoft Dynamics CRM Internet-facing deployment (IFD) require anonymous authentication. Because anonymous website authentication is used, the virtual directory used by the Microsoft Dynamics CRM Help site can be targeted for denial of service (DoS) attacks.

To isolate the Microsoft Dynamics CRM Help pages, and help protect the other Microsoft Dynamics CRM 2013 roles from potential DoS attacks, consider installing the Help Server role on a separate computer.

For more information about the options for installing Microsoft Dynamics CRM roles on separate computers, see Microsoft Dynamics CRM server roles.

For more information about reducing the risk of DoS attacks, see Improving Web Application Security: Threats and Counter-measures.

Claims-based authentication issues and limitations

This topic describes issues and limitations when you use claims-based authentication with Microsoft Dynamics CRM.

Verify that the identity provider uses a strong password policy

When you use claims-based authentication, we recommend that you verify that the identity provider that is trusted by the security token service (STS) and, in turn, Microsoft Dynamics CRM, enforces strong password policies. Microsoft Dynamics CRM itself doesn’t enforce strong passwords. By default, when it is used as an identity provider, Active Directory enforces a strong password policy.

AD FS federation server sessions are valid up to 8 hours even for deactivated or deleted users

By default, Active Directory Federation Services (AD FS) server tokens allocate a web single sign-on (SSO) cookie expiration of eight (8) hours. Therefore, even when a user is deactivated or deleted from an authentication provider, such as AD FS 2.0, as long as the user session is still active the user can continue to be authenticated to secure resources.

To work around this issue, choose from the following options.

  • Disable the user in Microsoft Dynamics CRM and in Active Directory. For information about how to disable a user in Microsoft Dynamics CRM, see Enable or disable a user record. For information about how to disable a user in Active Directory, see the Active Directory Users and Computers Help.

  • Reduce the web SSO lifetime. To do this, see the Active Directory Federation Services (AD FS) Management Help.

Secure the web.config file

The web.config file that is created by Microsoft Dynamics CRM does not contain connection strings or encryption keys. However, the file does contain configuration information about the authentication mode and strategy, ASP.NET view state information, and debug error message display. If this file is modified with malicious intent it can threaten the server where Microsoft Dynamics CRM is running. To help secure the web.config file, we recommend the following:

  • Grant permissions to the folder where the web.config file is located to include only those user accounts that require it, such as administrators. By default, the web.config file is located in the <drive:>Program Files\Microsoft Dynamics CRM\CRMWeb folder.

  • Limit the number of users who have interactive access to CRM servers, such as console logon permission.

  • Disable directory browsing on the CRM website. By default, this is disabled. For more information about how to disable directory browsing, see Internet Information Services (IIS) Manager Help.

Outbound Internet calls from custom code executed by the Sandbox Processing Service are enabled

By default, outbound calls from custom code executed by the Microsoft Dynamics CRM Sandbox Processing Service that access services on the Internet are enabled. For high-security deployments of Microsoft Dynamics CRM, this could pose a security risk. If you do not want to allow outbound calls from custom code, such as CRM plug-ins or custom workflow activities, you can disable outbound connections from custom code executed by the Sandbox Processing Service by following the procedure here.

Instead of blocking all outbound calls, you can enforce web access restrictions on sandboxed plug-ins. More information: Plug-in isolation, trusts, and statistics

Notice that disabling outbound connections for custom code includes disabling calls to cloud platforms such as Microsoft Azure and Microsoft Azure SQL Database.

Disable outbound connections for custom code on the computer that is running the sandbox processing service

  1. On the Windows Server computer where the Microsoft Dynamics CRM Sandbox Processing Service server role is installed, start Registry Editor and locate the following subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSCRM

  2. Right-click MSCRM, point to New, click DWORD Value, type SandboxWorkerDisableOutboundCalls, and then press ENTER.

  3. Right-click SandboxWorkerDisableOutboundCalls, click Modify, type 1, and then press ENTER.

  4. Close Registry Editor.

  5. Restart the Sandbox Processing Service. To do this, click Start, type services.msc, and then press ENTER.

  6. Right-click Microsoft Dynamics CRM Sandbox Processing Service, and then click Restart.

  7. Close the Microsoft Management Console (MMC) Services snap-in.

Secure server-to-server communication

By default, Microsoft Dynamics CRM server-to-server communication, such as communication between the Web Application Server role and the server that is running Microsoft SQL Server, isn’t executed over a security channel. Therefore, information that is transmitted between servers may be susceptible to certain attacks, such as man-in-the-middle attacks.

We recommend that you implement Internet Protocol security (IPsec) to help protect information that is transmitted between servers in your organization. IPsec is a framework of open standards for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. More information: IPsec

DNS rebinding attacks

Like many web-based applications, Microsoft Dynamics CRM may be vulnerable to DNS rebinding attacks. This exploit involves misleading a web browser into retrieving pages from two different servers thereby trusting that the servers are from the same domain and subsequently breaking the Same Origin Policy. Using this technique, an attacker can tamper with CRM data by using the victim’s identity through cross-site scripting attacks on CRM pages.

For more information about how to help protect against such attacks, see Protecting Browsers from DNS Rebinding Attacks.

See Also

Security considerations for Microsoft Dynamics CRM 2013
Network ports for Microsoft Dynamics CRM
Microsoft Dynamics CRM 2013 supported configurations

© 2016 Microsoft Corporation. All rights reserved. Copyright