Server Side Development


Best practices for developing server-side code for Microsoft CRM include the following:

  • Do not modify the Microsoft CRM database by any means other than the SDK, because doing so bypasses the Microsoft CRM security model.
  • Use Workflow .NET Assemblies instead of using Post URL in workflow rules.
  • Callouts run in an administrator's context. Be aware that this code may access information that the logged-on user does not have access to.
  • For callouts, workflow assemblies and plug-ins, avoid writing code that takes a long time to execute. It is particularly important that your code returns as quickly as possible. Failure to do this may result in denial of service (DoS).
  • If you are replicating Microsoft CRM data in your own data store, you are responsible for the security of the data.
  • Do not assume that data that comes out of Microsoft CRM is safe for rendering. The data may have been injected with insecure HTML tags.
  • Adhere to the requirement of not accessing the Microsoft CRM databases directly through SQL Enterprise Manager. Bypassing the SDK can open you up to SQL injection threats.
  • For internet facing deployments, remember that your solution is only as secure as the weakest link. Once your application is exposed to the internet, it is open to security threats.
  • Use only languages that produce managed code for the best security from buffer overruns, exceptions, etc.
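
The point above about data from Microsoft CRM not being safe for rendering, shown as an added example that is not part of the original SDK documentation: values are HTML-encoded for the context they are written into, and a link is emitted only for an http or https URL. The `CrmFieldRenderer` class and the sample field values are hypothetical; they stand in for data your code has already retrieved through the SDK.

```csharp
using System;
using System.Text;
using System.Web; // HttpUtility lives in System.Web.dll

// Added example: encode values read from Microsoft CRM before writing them into HTML.
// CrmFieldRenderer is a hypothetical helper, not part of the Microsoft CRM SDK.
public static class CrmFieldRenderer
{
    // Only http and https may appear in a rendered link; javascript:, data: and
    // relative or malformed values are rejected.
    private static bool IsSafeUrl(string value)
    {
        Uri uri;
        return Uri.TryCreate(value, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    public static string RenderRow(string label, string value, bool isUrl)
    {
        StringBuilder html = new StringBuilder();
        html.Append("<tr><th>").Append(HttpUtility.HtmlEncode(label)).Append("</th><td>");
        if (isUrl && IsSafeUrl(value))
        {
            // Attribute context and element context are encoded separately.
            html.Append("<a href=\"").Append(HttpUtility.HtmlAttributeEncode(value)).Append("\">")
                .Append(HttpUtility.HtmlEncode(value)).Append("</a>");
        }
        else
        {
            // Unsafe or non-URL values are shown as inert text, never as markup.
            html.Append(HttpUtility.HtmlEncode(value));
        }
        return html.Append("</td></tr>").ToString();
    }

    public static void Main()
    {
        // Constructed sample values, as they might come back from an account record.
        Console.WriteLine(RenderRow("name", "Contoso <script>alert(1)</script>", false));
        Console.WriteLine(RenderRow("websiteurl", "javascript:alert(1)", true));
        Console.WriteLine(RenderRow("websiteurl", "http://www.contoso.example/?a=1&b=2", true));
    }
}
```

Only the third sample row produces an anchor element; the first two are written out as encoded text.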

For more information about security, see the following:

  • .NET Framework Developer's Guide, Securing Applications at 
  • Secure Coding Guidelines for the .NET Framework at

© 2007 Microsoft Corporation. All rights reserved.