Installing a secure system

You should follow these best practices to minimize the risks of service interruption and data corruption:

  • Firewall. Install a firewall if users will access the system remotely. This protects your network from the Internet, ensures only authorized traffic reaches your Sage CRM database, and protects your server from unauthorized users. Configure rules that restrict traffic and allow only traffic originating from specific sources, to protect your server from Internet attacks. You can also install a firewall at your remote sites and set up Virtual Private Networks (VPNs) to increase data security. Set mobile users up as mobile firewall users so they can access the VPN and transmit and receive data securely. Enable and configure the Windows Firewall.
  • Application security. Follow these best practices when configuring your Sage CRM server and client machines.
    • Assign different levels of access security to users depending on their job role.
    • Enforce strong passwords for each Sage CRM user. For more information, see password policy recommendations provided by Microsoft.
    • Configure the Sage CRM server to use HTTPS to protect data from being intercepted in transit. When IIS is configured to use HTTPS, any data that is passed between the browser and the server is encrypted.
    • Configure HTTP response headers in IIS (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and so on) to improve security and mitigate attacks such as clickjacking and cross-site scripting.
    • Keep the Sage CRM server and client machines patched to ensure the software elements that enable TLS (Transport Layer Security) are as secure as possible. TLS is a fundamental part of a secure web request.
    • Consider installing Sage CRM and SQL Server on different machines. Configure your network so that requests from the Internet cannot access the SQL Server. For example, you can place your Sage CRM server in a perimeter network (DMZ) to ensure that only web requests get to the Sage CRM server and only database requests pass into the internal network where the SQL Server resides.
  • Software. Regularly install software updates and patches to minimize software security vulnerabilities. Install recognized anti-virus software. Uninstall unnecessary applications.
  • Backups. Perform scheduled and manual backups. Establish a regular procedure for backing up the Registry and Program files. Repeat the procedure prior to major customization work or upgrades.
  • Server security. Separate the domain controller server from the Sage CRM and database servers. In a Windows Server Systems environment, the Domain Controller (DC) serves as a gatekeeper to the domain resources by storing account information, authenticating users, and enforcing security policies. The defenses offered by a configured DC are further enhanced by placing it behind a robust firewall.
    • Use NT Challenge/Response to allow access to clients with a valid domain login.
    • Use HTTPS to secure your data sessions with client users.
    • Configure security policies on Windows Server.
    • Disable or delete unnecessary accounts, ports and services on the server. Disable unnecessary share drives.
    • Configure auditing on the server.
    • Configure encryption on Windows Server.
    • Use the IIS Lockdown and URLScan tools to harden IIS.
  • Database security. Users do not have direct access to the Sage CRM database. Sage CRM accesses the database using a predefined logon. When a user requests data, Sage CRM connects to the database using MDAC and retrieves the required data.

    For improved security, you can configure Sage CRM to access the database using a SQL Server or Azure SQL account with limited access, rather than one with rights to add, change, and delete data in every table in the database.

    Make sure that remote users cannot obtain administrator-level access to the system.

    Further database security measures include:

    • Installing only required SQL Server components.
    • Running the SQL Server Configuration Manager and SQL Server Surface Area Configuration tools to disable unnecessary features and services.
    • Periodically assessing the server's security using the Microsoft Baseline Security Analyzer (MBSA) and SQL Server Best Practice Analyzer.
    • Changing the default port associated with the SQL Server installation or Azure SQL server to make the server less obvious to attackers who port scan it.
    • Removing the BUILTIN/Administrators group from the SQL Server Logins.
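As an added example that is not part of the Sage CRM documentation or product, the HTTP response headers recommended under Application security can be applied site-wide from the web.config of the Sage CRM website in IIS, together with a rule that redirects plain-HTTP requests to HTTPS. The header values, the one-year HSTS max-age and the redirect rule are assumptions to adapt to your deployment; the rewrite rule requires the IIS URL Rewrite module, and the HSTS header should only be added once every part of the site is reachable over HTTPS.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop the header that advertises the ASP.NET stack to clients -->
        <remove name="X-Powered-By" />
        <!-- Allow framing only by pages from the same origin; mitigates clickjacking
             (assumed value: SAMEORIGIN rather than DENY, in case the site frames itself) -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Stop browsers from MIME-sniffing a response away from its declared Content-Type -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Legacy XSS filter directive; honoured only by older browsers -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- Instruct browsers to use HTTPS only for this host for one year (assumed max-age) -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <!-- Limit how much of the URL is leaked in the Referer header to other origins -->
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <rules>
        <!-- Redirect every request received over plain HTTP to the HTTPS equivalent -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying the file, confirm the headers from a client with a browser's developer tools or a request tool before relying on them, because a header added at the site level can be overridden by a lower-level web.config or by application code.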