Server Side Development
Best practices for developing server side code for Microsoft CRM include the following:
- Do not modify the Microsoft CRM database by any means other than using the SDK because this bypasses the Microsoft CRM security model.
- Use Workflow .NET Assemblies instead of using Post URL in workflow rules.
- Callouts run in an administrator's context. Be aware that this code may access information that the logged-on user does not have access to.
- For callouts, workflow assemblies and plug-ins, avoid writing code that takes a long time to execute. It is particularly important that your code returns as quickly as possible. Failure to do this may result in Denial of Service (DoS).
- If you are replicating Microsoft CRM data in your own data store, you are responsible for the security of the data.
- Do not assume that data that comes out of Microsoft CRM is safe for rendering. Data may have been injected with insecure HTML tags.
- Adhere to the requirement of not accessing the Microsoft CRM databases directly through SQL Enterprise Manager. Bypassing the SDK can open you up to SQL injection threats.
- For internet facing deployments, remember that your solution is only as secure as the weakest link. Once your application is exposed to the internet, it is open to security threats.
- Use only languages that produce managed code for the best security from buffer overruns, exceptions, etc.
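
The rendering guidance in the list above, as an added example that is not part of the original SDK documentation: a C# helper that HTML-encodes every value at the point of output and turns a field into a link only when it is an absolute http/https URL. The class name, field names and sample record are constructed for illustration; the dictionary stands in for values already retrieved through the SDK.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

static class CrmSafeRender
{
    // Allow only absolute http/https links; any other scheme is not rendered as a link.
    static bool IsSafeLink(string value)
    {
        Uri uri;
        return Uri.TryCreate(value, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    // Renders one record as an HTML table, encoding every value at the point of output.
    public static string RenderRecord(IDictionary<string, string> fields, string linkField)
    {
        var html = new StringBuilder("<table>\n");
        foreach (var field in fields)
        {
            string label = WebUtility.HtmlEncode(field.Key);
            string text = WebUtility.HtmlEncode(field.Value ?? string.Empty);
            string cell = text;
            if (field.Key == linkField)
            {
                // HtmlEncode also escapes quotes, so the value cannot break out of href="...".
                cell = IsSafeLink(field.Value)
                    ? "<a href=\"" + text + "\">" + text + "</a>"
                    : text + " (link removed)";
            }
            html.Append("<tr><th>").Append(label).Append("</th><td>")
                .Append(cell).Append("</td></tr>\n");
        }
        return html.Append("</table>").ToString();
    }

    static void Main()
    {
        // Constructed sample values standing in for fields read through the SDK.
        var account = new Dictionary<string, string>
        {
            { "name", "Contoso <script>alert(1)</script>" },
            { "description", "Call \"Bob\" & <b>ask</b>" },
            { "websiteurl", "javascript:alert(document.cookie)" }
        };
        Console.WriteLine(RenderRecord(account, "websiteurl"));
    }
}
```

Encoding is applied when the value is written into the page rather than when it is stored, so the same record stays usable in non-HTML contexts.
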
For more information about security, see the following:
- .NET Framework Developer's Guide, Securing Applications at http://msdn.microsoft.com/library/en-us/cpguide/html/cpconsecuringyourapplication.asp
- Secure Coding Guidelines for the .NET Framework at http://msdn.microsoft.com/library/en-us/dnnetsec/html/seccodeguide.asp
© 2007 Microsoft Corporation. All rights reserved.