Is there a security hole with the CRMDeploymentServiceAppPool service?

  • Question

  • Hi folks,

    Am I missing something, or does the fact that anonymous authentication is enabled by default on Deployment.svc allow any developer to access and gain all associated privileges to the deployment service?

    In other words, since the URL http://<yourCRMServer>/XRMDeployment/2011/Deployment.svc is accessible through anonymous authentication, can a developer access its functionality via web services without having to authenticate?

    Thank you for your input.



    Friday, March 23, 2012 10:16 AM


  • Anonymous Authentication is enabled on the whole CRM_IIS tree.

    There are some CRM services that use queries without any credentials (by design/default) to open services.

    Execution/Injection of parameters must be done with proper credentials.

    For your question: a developer must be a member of Deployment Admins.

    • Marked as answer by DaDynamixFan Wednesday, April 4, 2012 8:10 AM
    Monday, March 26, 2012 2:50 PM