Administration best practices for on-premises deployments of Microsoft Dynamics CRM
Applies To: CRM 2016 on-prem
By following some simple rules of administration, you can significantly improve the security of your Microsoft Dynamics CRM on-premises deployment.
Typically, there is no need for CRM users to have administrative privileges over the domain. Therefore, all CRM user accounts should be restricted to Domain Users membership. Also, following the principle of least-privilege, anyone who uses the CRM system should have minimal rights. This starts at the domain level. A domain user account should be created and used to run CRM. Domain Administrator accounts should never be used to run CRM.
Limit the number of Microsoft Dynamics CRM Deployment Administrator and System Administrator roles to a few people who are responsible for rule changes. Others who are SQL Server, Microsoft Exchange Server, or Active Directory administrators do not have to be members of the CRM users group.
Make sure that at least two or three trusted people have the Deployment Administrator role. This avoids system lockout if the primary Deployment Administrator is unavailable.
In some organizations it is a common practice to reuse passwords across systems and domains. For example, an administrator responsible for two domains may create Domain Administrator accounts in each domain that use the same password, and even set local administrator passwords on domain computers that are the same across the domain. In such a case, a compromise of a single account or computer could lead to a compromise of the entire domain. Passwords should never be reused in this manner.
It is also common practice to use Domain Administrator accounts as service accounts for common services such as back-up systems. However, it is a security risk to use Domain Administrator accounts as service accounts. The password can easily be retrieved by anyone who has administrative rights over the computer. In such a case, the compromise could affect the entire domain. Service accounts should never be Domain Administrator accounts, and they should be limited in privilege as much as possible.
A domain user account that is specified to run a Microsoft Dynamics CRM service must not also be configured as a CRM user. This can cause unexpected behavior in the application.
Send comments about this article to Microsoft.
© 2015 Microsoft. All rights reserved.