Microsoft Dynamics CRM security best practices
Internet Information Services (IIS) is a mature Web service that is included with Windows Server. Microsoft Dynamics CRM depends on an efficient and secure IIS Web service. Consider the following:
In the machine.config and web.config configuration files you can determine whether debugging is enabled, and also if detailed error messages are sent to the client. You should make sure that debugging is disabled on all production servers, and that a generic error message is sent to the client if a problem occurs. This avoids unnecessary information about the Web server configuration being sent to the client.
We recommend that the Internet Information Services (IIS) Web root is installed on a non-system NTFS partition for file system-level security. A non-system partition is other than the partition that contains the operating system files. (For example, C:\Inetpub is on a typical system partition, whereas D:\Inetpub is not.)
Make sure that the latest operating system and IIS service packs and updates are applied. For the latest information, see the Microsoft Security Web site.
Microsoft Dynamics CRM Server Setup creates application pools called CRMAppPool and CRMDeploymentServiceAppPool that operate under user credentials that you specify during Setup. To facilitate a least-privileged model, we recommend that you specify separate domain user accounts for these application pools instead of using the Network Service account. Additionally, we recommend that no other ASP.NET-connected application be installed under these application pools. For information about the minimum permissions required for these components, see “Minimum permissions required for Microsoft Dynamics CRM Setup, services, and components” in Security considerations for Microsoft Dynamics CRM 2011 in this guide.
Service Principal Name Management in Microsoft Dynamics CRM 2011
The Service Principal Name (SPN) attribute is a multivalued, nonlinked attribute that is built from the DNS host name. The SPN is used during mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect.
The Microsoft Dynamics CRM Server 2011 installer deploys role-specific services and Web application pools that operate under user credentials specified during setup. To review the complete list of these roles and their permission requirements, see “Minimum permissions required for Microsoft Dynamics CRM Setup, services, and components” in Security considerations for Microsoft Dynamics CRM 2011 in this guide.
When deploying a hosted Microsoft Dynamics CRM infrastructure, two of these roles may require additional consideration:
Deployment Web Service
In web farm scenarios, as is the case for a hosted offering, the recommendation is to leave kernel-mode authentication enabled. In addition, you should closely consider using separate domain user accounts to run these services because:
Having separate service accounts for these server roles facilitates being able to implement hardware load balancing.
The CRM Deployment Web Service server role requires elevated permissions to provision organizations in the CRM database. If you want to adhere to a least-privileged model, the safest approach for implementing SPNs in a hosted Microsoft Dynamics CRM infrastructure involves having the Deployment web service run under a different domain user account than the Application Service.
If you follow this suggestion to use separate domain accounts for these server roles, you should check to make sure that the SPN is correct for each account before you start Microsoft Dynamics CRM Server Setup. This will make it easier for you to set the correct SPN when necessary.
If Kernel Mode Authentication is enabled, the SPNs will be defined for the machine account, regardless of the specified service account. When implementing a web farm, Kernel Mode Authentication should be enabled and the local ApplicationHost.config file should be modified accordingly.
If application and deployment web services are running on the same system, and Kernel-mode authentication is disabled, you could configure both services to run under the same domain user account to prevent duplicate SPN issues. If Kernel-model authentication cannot be enabled, install the Application and Deployment web services on separate systems. The SPNs may still need to be created manually since Kernel-mode authentication is disabled.
For more information about SPNs and how to set them, see Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
Send comments about this article to Microsoft.
© 2012 Microsoft Corporation. All rights reserved.