
Microsoft Dynamics CRM Planning Guide


Date: 18.07.2016

Operating system and software component security considerations


In the broadest sense, security involves planning and considering tradeoffs. For example, a computer can be locked in a vault and available only to one system administrator. This computer may be secure, but it is not very usable because it is not connected to any other computer. If your business users need access to the Internet and your corporate intranet, you must consider how to make the network both secure and usable.

The following sections contain links to information about how you can make your computing environment more secure. Ultimately, Microsoft Dynamics CRM data security largely depends on the security of the operating system and software components that it uses.


Securing Windows Server


Windows Server, the foundation of Microsoft Dynamics CRM, provides sophisticated network security. The Kerberos version-5 authentication protocol is integrated into Active Directory, which gives you powerful standards-based authentication. In addition, users can use a single user name and password logon combination for the network. Windows Server also includes several features that help make the network more secure.

The following links take you to information about these features. You can learn how to help make your deployment of Windows Server more secure.



  • Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?linkid=92529). This comprehensive guide has specific recommendations about how to harden computers that run Windows Server 2003.

  • Security and Protection (http://go.microsoft.com/fwlink/?linkid=92534). This Microsoft TechNet page is a list of links to information about features in Windows Server 2003 that help make your deployment more secure.

  • Windows Security Collection (http://go.microsoft.com/fwlink/?linkid=92537). This Microsoft TechNet article contains a comprehensive overview of the security features that are available in Windows Server 2003.

  • Windows Server 2003 Windows Firewall (WF) (http://go.microsoft.com/fwlink/?linkid=92539). This Microsoft TechNet article contains several topics about how to implement and configure Windows Firewall.



Windows error reporting


Microsoft Dynamics CRM requires the Windows Error Reporting service, and Setup will install it if it is missing. The Error Reporting service collects information, such as IP addresses. These are not used to identify users. The Error Reporting service does not intentionally collect anyone's name, address, e-mail address, computer name, or any other form of personally identifying information. It is possible that such information may be captured in memory or in the data collected from open files, but Microsoft does not use it to identify users. In addition, some information that is transmitted between the Microsoft Dynamics CRM application and Microsoft may not be secure. For more information about the kind of information that is transmitted and how it is transmitted, see Using Windows Server 2003 in a Managed Environment: Error Reporting (http://go.microsoft.com/fwlink/?linkid=102981).

Virus protection


To help protect your system against viruses, see the following information sources:

  • Microsoft Security Central (http://go.microsoft.com/fwlink/?linkid=92540). This page is an entry point for tips, training, and guidance about how to keep your computer up to date and prevent your computer from being susceptible to exploitation, spyware, and viruses.

  • TechNet Security Center (http://go.microsoft.com/fwlink/?linkid=92541). This page has links to technical bulletins, advisories, updates, tools, and guidance designed to make computers and applications up to date and secure.



Managing security operations


  • Security Guidance for Patch Management (http://go.microsoft.com/fwlink/?linkid=92542). Manage software updates and help make sure that your systems stay up to date.



Securing SQL Server


Because Microsoft Dynamics CRM relies on SQL Server, make sure that you take the following measures to improve the security of your SQL Server database:

  • Make sure that the latest operating-system and SQL Server service packs (SP) and updates are applied. Check the Microsoft Security Central (http://go.microsoft.com/fwlink/?linkid=92540) Web site for the latest details.

  • Make sure that all SQL Server data and system files are installed on NTFS partitions for file system-level security. You should make the files available only to administrative or system-level users through NTFS permissions. This helps to safeguard against users who access those files when the MSSQLSERVER service is not running.

  • Use a low-privilege domain account. Or, you can specify the Network Service or the Local System account for SQL Server services. However, we do not recommend that you use these accounts because Domain User accounts are more appropriate for the SQL Server services. This account should have minimal rights in the domain and should help contain (but will not stop) an attack on the server if there is a compromise. In other words, this account should have only local user-level permissions in the domain. If SQL Server is installed by using a Domain Administrator account to run the services, a compromise of SQL Server will lead to a compromise of the whole domain. If you have to change this setting, use SQL Server Enterprise Manager to make the change, because the access control lists (ACLs) on files, the registry, and user rights will be changed automatically.

  • SQL Server authenticates users who have either Windows NT or SQL Server credentials. This is known as mixed-mode security. You should use integrated security (Windows NT authentication only) for the highest security. This allows the use of Windows NT credentials only, not SQL Server credentials.

  • By default, the auditing of the SQL Server system is disabled so that no conditions are audited. This makes intrusion detection difficult and aids the attacker with covering their tracks. At a minimum, you should enable auditing of failed logins.

  • Each SQL login is configured to use the master database as the default database. Although users should not have rights to the master database, as a best practice, you should change the default for every SQL login (except those with the SYSADMIN role) to use OrganizationName_MSCRM as the default database.
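The following T-SQL is an added example, not part of the original guide. It reports the authentication mode, the login audit level, and the non-sysadmin logins that still default to master, as described in the list above. It assumes SQL Server 2005 or later (for sys.server_principals); the login name CONTOSO\crmuser is hypothetical, and OrganizationName_MSCRM is the guide's own placeholder for your organization database.

```sql
-- Added example: read-only checks for three of the measures listed above.
-- Run as a member of sysadmin on the instance that hosts the CRM databases.

-- 1. Authentication mode.
--    1 = Windows authentication only (recommended above), 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Login audit level.
--    config_value is one of: none, success, failure, all.
--    'failure' or 'all' satisfies "at a minimum, audit failed logins".
EXEC master.dbo.xp_loginconfig 'audit level';

-- 3. Logins that still use master as the default database and are not
--    members of the sysadmin role. Certificate-mapped internal logins
--    (names starting with ##) are skipped.
SELECT sp.name,
       sp.type_desc,
       sp.default_database_name
FROM   sys.server_principals AS sp
WHERE  sp.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND  sp.default_database_name = N'master'
  AND  sp.name NOT LIKE N'##%'
  AND  ISNULL(IS_SRVROLEMEMBER('sysadmin', sp.name), 0) = 0
ORDER  BY sp.name;

-- 4. Remediation for one login returned by step 3.
--    CONTOSO\crmuser is a hypothetical login; OrganizationName_MSCRM is the
--    placeholder used in the guide. Substitute your own values.
ALTER LOGIN [CONTOSO\crmuser]
    WITH DEFAULT_DATABASE = [OrganizationName_MSCRM];
```

Steps 1 to 3 change nothing on the server; only step 4 modifies a login, so review the output of step 3 before running it.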

For more information, see Improving Microsoft Dynamics CRM Performance and Securing Data with Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?linkid=143092).

Securing Exchange Server and Outlook


The following considerations are for Exchange Server, and some are specific to Exchange Server in a Microsoft Dynamics CRM environment:

  • Exchange Server contains a rich series of mechanisms for precise administrative control of its infrastructure. In particular, you can use administrative groups to collect Exchange Server objects, such as servers, connectors, or policies, and then modify the ACLs on those administrative groups to make sure that only certain people can access them. You may, for example, want to give Microsoft Dynamics CRM administrators some control over servers that directly affect their applications. When you implement efficient use of administrative groups, you can make sure that you give Microsoft Dynamics CRM administrators only the rights that they require to perform their job.

  • Frequently, you may find it convenient to create a separate organizational unit (OU) for Microsoft Dynamics CRM users, and give Microsoft Dynamics CRM administrators limited administrative rights over that OU. They can therefore make changes to any user in that OU, but not to any user outside it.

  • You should make sure that you adequately protect against unauthorized e-mail relay. E-mail relay is a feature that lets an SMTP client use an SMTP server to forward e-mail messages to a remote domain. By default, Exchange Server 2003 and Exchange Server 2007 are configured to prevent e-mail relay. The exact settings that you configure will depend on your message flow and configuration of your Internet service provider's (ISP) e-mail server. However, the best way to approach this problem is to lock down your e-mail relay settings and then gradually open them to allow e-mail to flow successfully. For more information, view the Exchange Server Help.

  • If you use forward mailbox monitoring, the E-mail Router requires an Exchange Server or POP3-compliant mailbox. We recommend that the ACLs on this mailbox be set to prevent other users from adding server-side rules.

  • The Microsoft Dynamics CRM E-mail Router service operates under the Local System account. This enables the E-mail Router to access a specified user's mailbox and process e-mail in that mailbox.

For more information about how to make Exchange Server 2003 more secure, view the Microsoft Exchange Server 2003 Security Hardening Guide (http://go.microsoft.com/fwlink/?linkid=92543).

For more information about how to make Exchange Server 2007 more secure, view Security and Protection (http://go.microsoft.com/fwlink/?linkid=92544) information in the Microsoft TechNet Library.



