Installing a secure system
You should follow these best practices to minimize the risks of service interruption and data corruption:
- Firewall. Install a firewall if users will access the system remotely. This protects your network from the Internet, ensures only authorized traffic accesses your Sage CRM database, and protects your server from unauthorized users. You can configure rules to restrict traffic and allow traffic originating from a specific source only to protect your server from Internet attacks. You can also install a firewall in your remote sites and set up Virtual Private Networks (VPNs) to increase data security. Set mobile users as mobile firewall users so they can access the VPN and transmit and receive data securely. Enable and configure the Windows Firewall.
- Application security. Follow these best practices when configuring your Sage CRM server and client machines.
- Assign different levels of access security to users depending on their job role.
- Enforce strong passwords for each Sage CRM user. For more information, see password policy recommendations provided by Microsoft.
- Configure the Sage CRM server to use HTTPS to protect data from being intercepted in transit. When IIS is configured to use HTTPS, any data that is passed between the browser and the server is encrypted.
- Configure HTTP response headers in IIS (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and so on) to improve security and mitigate attacks such as clickjacking and cross-site scripting.
- Keep the Sage CRM server and client machines patched to ensure the software elements that enable TLS (Transport Layer Security) are as secure as possible. TLS is a fundamental part of a secure web request.
- Consider installing Sage CRM and SQL Server on different machines. Configure your network so that requests from the Internet cannot access the SQL Server. For example, you can place your Sage CRM server in a perimeter network (DMZ) to ensure that only web requests get to the Sage CRM server and only database requests pass into the internal network where the SQL Server resides.
- Software. Regularly install software updates and patches to minimize software security vulnerability. Install recognized anti-virus software. Uninstall unnecessary applications.
- Backups. Perform scheduled and manual backups. Establish a regular procedure for backing up the Registry and Program files. Repeat the procedure prior to major customization work or upgrades.
- Server security. Separate the domain controller server from the Sage CRM and database servers. In a Windows Server Systems environment, the Domain Controller (DC) serves as a gatekeeper to the domain resources by storing account information, authenticating users, and enforcing security policies. The defenses offered by a configured DC are further enhanced by placing it behind a robust firewall.
- Use NT Challenge/Response to allow access to clients with a valid domain login.
- Use HTTPS to secure your data sessions with client users.
- Configure security policies on Windows Server.
- Disable or delete unnecessary accounts, ports and services on the server. Disable unnecessary share drives.
- Configure auditing on the server.
- Configure encryption on Windows Server.
- Use the IIS Lockdown and URLScan tools to harden IIS.
- Database security. Users do not have direct access to the SQL database. The eWare DLL accesses the database using a predefined logon. When a user requests data, the eWare DLL connects to the database using MDAC and retrieves the required data.
For more security you can configure eWare DLL to access SQL using a login with limited access, or access with the appropriate rights to add, change and delete data from every table in the database. Address the potential of remote users obtaining administrator level access to the system by ensuring appropriate passwords are associated with the sa account.
Further measures, specific to the SQL server, include:
- Install only required components when installing SQL Server.
- Run the SQL Server Configuration Manager and SQL Server Surface Area Configuration tools to disable unnecessary features and services.
- Periodically assess the server's security using the Microsoft Baseline Security Analyzer (MBSA) and SQL Server Best Practice Analyzer.
- Change the default ports associated with the SQL Server installation to put off hackers from port scanning the server.
- Remove the BUILTIN/Administrators group from the SQL Server Logins.