Configure to improve security: HTTP header fields, HTTP methods and cookies

  • Question

  • I have added some follow-up text below

    A customer has recently had a consultant perform penetration testing on the CRM deployment. The CRM is deployed in a hosted environment using ADFS.

    The pen test recommended the following:

    1. Configure the server to disable it from actively sending the Server and X-Powered-By fields in the HTTP header
    2. Disable all unnecessary HTTP methods
    3. When the server issues a "Set-Cookie" in the HTTP response header, both the "HttpOnly" and the "Secure" attributes are set.

    While it is possible to follow each of these recommendations, we do not know what effect they will have on the CRM functions.

    Does anyone have any experience of taking these measures and could advise us on what the likely impact could be?

    Follow-up text

    I would like to narrow this down a bit.

    We have overcome Item 1 above by agreeing that it would only be a problem if there are known vulnerabilities on the deployment that have not been addressed.

    We have overcome Item 3 above by pointing out that we will ensure that access to the deployment will be HTTPS only.

    That leaves Item 2.

    This has also been narrowed down to the following methods:

    1. Options
    2. Propfind
    3. Search

    These methods are enabled on the CRM deployment.

    Does anyone know if these methods are required by CRM for normal functioning?

    Does anyone know what the likely impact of disabling them would be?

    • Edited by Tom Egan Wednesday, May 23, 2012 10:16 AM
    Monday, May 21, 2012 3:13 PM

Answers

  • CRM does not use Options, Propfind (WebDAV) or Search (WebDAV), so disabling these will not affect CRM. Disabling these methods on IIS can affect a SharePoint or Exchange server installation if hosted on the same IIS server.


    Murali

    • Marked as answer by Tom Egan Wednesday, July 25, 2012 1:18 PM
    Thursday, June 7, 2012 10:37 PM
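    For reference, the three recommendations in the question map to a small set of IIS settings. The following site-level web.config fragment is an added illustration, not something posted in this thread or taken from the CRM product documentation; it assumes a standard ASP.NET application on IIS 7.x and that the site is served over HTTPS only (as the poster decided for Item 3).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Item 3: every Set-Cookie issued by ASP.NET carries HttpOnly and Secure.
         requireSSL="true" means cookies are not sent over plain HTTP at all,
         which is only acceptable because the site is HTTPS-only. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Item 1 (part): X-Powered-By is an IIS custom header and can
             simply be removed here. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering>
        <!-- Item 2: block only the three verbs the pen test flagged and leave
             everything else allowed. Placing this in the site's web.config
             (rather than applicationHost.config) scopes it to this site, so
             a SharePoint or Exchange site on the same IIS server keeps its
             WebDAV verbs, which addresses the caveat in the accepted answer.
             applyToWebDAV="true" also covers requests handled by the WebDAV
             module if it is installed. -->
        <verbs allowUnlisted="true" applyToWebDAV="true">
          <add verb="OPTIONS"  allowed="false" />
          <add verb="PROPFIND" allowed="false" />
          <add verb="SEARCH"   allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

    The Server header itself is not covered by this fragment: on IIS 7.x it is added by the core server and needs URLScan (RemoveServerHeader=1) or a custom module, while IIS 10 later added a `removeServerHeader="true"` attribute on `<requestFiltering>`. After deploying, confirm with a browser's network tools that responses no longer carry X-Powered-By, that Set-Cookie lines show `HttpOnly; Secure`, and that the three verbs return 404 from request filtering while normal CRM pages still load.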

All replies

  • Subscribed. Very interesting. Can't wait for someone to answer this one.

    Tuesday, May 22, 2012 3:42 PM
  • Thanks Muralikrishnan, that was helpful.
    Wednesday, July 25, 2012 1:19 PM