Archive for December, 2007

Missing… Again?!?!

December 23, 2007

It looks like the British Government can’t help but lose personal data. This time it’s names and addresses of 160,000 children. In most of these cases the incidents are a result of poor data handling practices. I’ve never been a believer in over-securing data inside the firewall. I agree that sometimes you do need to encrypt transactional data – but this is the exception rather than the rule. However once your data leaves the firewall (typically while in transport) to a third party then encryption is essential.

The challenge faced by organizations is how to actually manage the operational aspect of the encryption. Since CRM systems are ‘ripe targets’ for theft of personal data – let’s examine a few techniques you might want to consider.

Scenario: The Lost Laptop

This is the easiest situation to secure yourself against. Consider using a whole disk encryption technology (like BitLocker in Windows Vista). There are also a number of proven third party solutions out there. Whole disk encryption secures all the information on the laptop – so it doesn’t matter where the personal info is (email, spreadsheets, offline databases etc.). There is no excuse nowadays for having personal information on an unencrypted laptop. No excuses.

Scenario: Man in the Middle

Many companies use the Internet to send files between their office locations. If you send files over unencrypted channels you are at risk of Man in the Middle attacks. Remember that Internet email is insanely vulnerable to this type of attack. I suggest using a secure filesharing website on your extranet to facilitate filesharing. An Internet facing SharePoint using HTTPS is a great example of this. Using such a share is also a good way of sending files to your business partners – however you can’t be sure what they will do with them.

Scenario: Outside the Firewall

Assuming you can get your file to a third party safely (HTTPS or encrypted sneaker net) then you are faced with the significant operational challenge of overseeing the security behaviors of a third party organization. Many organizations simply throw their hands in the air and say ‘urh – it’s too hard!’. There is no silver bullet when solving this problem – however consider the following:

  • Use Information Rights Management (IRM) in Office Docs. Give your third parties some limited credentials so they can view/edit documents secured in this fashion.
  • Contractual obligations regarding IT and Physical Security. If your third parties are as good as (or better than) you and your transport is secure then you are in good shape. These types of arrangements are becoming increasingly popular.
  • Give third parties access to your network. Careful here as they might be downloading data onto unsecured PCs.

Before implementing any security strategy you should consult with your IT and Physical security experts in your organization. You should also try and calculate a ‘cost’ of personal data. This is very helpful when ‘re-educating’ employees. Your people will be less likely to email CDs of customer lists when they realize they could be worth $500,000 each.

 

I always view the ‘goal’ of protecting personal information with the above things in mind: to give your people the tools to do the right thing (don’t forget to actually tell them about those tools) and make them truly understand why they need to do it.

Strange Package

December 23, 2007

I normally shun the practice of reproducing internal Microsoft emails. However in this case it’s acceptable (or at the very least it’s amusing).

I’ll find some volunteers in January and we’ll taste test it.

—————

From: Philip Richardson
Sent: Sunday, December 23, 2007 6:20 PM
To: [Our Whole Team]
Subject: Strange Package
Importance: Low

I wandered into the office last Wednesday and found a FedEx package on my desk. Inside was some coffee. Bizarre I thought. Some coffee company has sent me coffee. No note or anything attached. This stuff does happen to bloggers occasionally (and I have blogged a little about coffee this year). The packaging seemed kind of ordinary so I just threw it in my drawer and left. Today I went back to the office to drop something off and decided to grab the coffee. I thought I’d throw it in the blade grinder at home and just use it for french press. I then noticed a strange cat/weasel creature on the box. I then read the packaging a little closer.

It turns out that it is freaking civet cat coffee. So I have a ¼ pound of ‘bold’ and a ¼ pound of ‘medium’ from http://www.luwakcoffee.com. Price: $65 each. Yes – that’s right it’s $260 per pound. In Sydney you pay $40 USD for one cappuccino made with this stuff.

For those unfamiliar with this ‘delicacy’: It’s coffee beans salvaged from the ‘dung’ of civet cats (also deer in Vietnam) who live in the coffee plantation. Supposedly the partial digestion of the bean ‘enhances’ the flavor.

I was tempted to throw it into the fully auto machine in the kitchen and not tell anyone but it seems like a waste (and possibly an insane HR violation). If any other coffee connoisseurs out there in the team are interested we can figure out what to do with it in January.

CRM 4.0 German

December 21, 2007

As mentioned in the press release the non-English languages are trickling out of our ‘manufacturing’ process. German is now available. Use the same links which I provided in my other post – but use the Choose Language drop down box to select alternative languages.

Switching Between IFD and Windows

December 20, 2007

This is Part 2b of a Series of posts. Refer to Part 1 and Part 2.

If you configured your development environment as per my previous post – you'll notice that if you log into the server using the IP (192.168.1.1) or the Host file configured URL (e.g. http://contoso.crm.philiprichardson.org) you will be prompted for Windows Credentials.

I use a neat little reg key on the CRM Server to change the internal subnet of the IFD setting. CRM looks at the IP of the incoming request and if this is in the internal range (this reg key) then it gives you a 'Windows experience'. If the IP is external it gives you an 'IFD experience'.

Suppose my client is configured with an IP of 192.168.1.2 (Subnet: 255.255.255.0):

  • When the Internal range is 192.168.1.1-255.255.255.0 you will get a Windows Experience. This is the value we provided in our config.xml when we installed CRM.
  • When the Internal range is 192.168.1.1-255.255.255.255 you will get an IFD Experience. This is because my client on the host OS, which has an IP of 192.168.1.2 (Subnet: 255.255.255.0), is outside the internal range.

 

Here are the two Reg Key Modifications. Note that this is supported (see the Implementation Guide (IG) for more details).

IFD Experience:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM]
"IfdInternalNetworkAddress"="192.168.1.1-255.255.255.255"

Windows Experience:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM]
"IfdInternalNetworkAddress"="192.168.1.1-255.255.255.0"

If you have your own network config – then you will need to work out the network addresses and subnet masks on your own. I strongly suggest you read the IG and the IFD Setup Doc. If your environment is on your network you may want to consult with your network administrator to figure out the right IP ranges.
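To check a planned value before writing it to the registry, the following added example (not part of the original post and not CRM's own code) evaluates an `address-mask` string against a client IP. It assumes CRM applies ordinary subnet-mask matching, which is consistent with the two cases described above; the function names are hypothetical.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_internal_range(value):
    """Split an 'address-mask' string into (address, mask) integers."""
    addr_text, sep, mask_text = value.strip().partition("-")
    if not sep:
        raise ValueError("expected 'address-mask', got %r" % value)
    # IPv4Address raises a ValueError subclass on malformed dotted quads.
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = int(ipaddress.IPv4Address(mask_text))
    # A usable mask is a run of 1 bits followed by a run of 0 bits.
    inverted = mask ^ ALL_ONES
    if inverted & (inverted + 1):
        raise ValueError("non-contiguous subnet mask: %s" % mask_text)
    return addr, mask


def experience_for(client_ip, value):
    """Return 'Windows' if client_ip is inside the internal range, else 'IFD'.

    Assumption: the client is internal when its address and the configured
    address agree on every bit selected by the mask.
    """
    addr, mask = parse_internal_range(value)
    client = int(ipaddress.IPv4Address(client_ip))
    return "Windows" if (client & mask) == (addr & mask) else "IFD"


def internal_address_count(value):
    """Number of addresses the range treats as internal (audit aid)."""
    _, mask = parse_internal_range(value)
    return (mask ^ ALL_ONES) + 1


if __name__ == "__main__":
    # The two values from the post, evaluated for the client at 192.168.1.2.
    for setting in ("192.168.1.1-255.255.255.0", "192.168.1.1-255.255.255.255"):
        print(setting, "->", experience_for("192.168.1.2", setting),
              "(%d internal addresses)" % internal_address_count(setting))
```

The address count is worth reviewing on a production server: a mask that is wider than the real internal network means requests from outside it are classified as internal.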

Update: Fixed typos in the Subnet masks.

Installing CRM 4.0 without Internet Access

December 20, 2007

If you are installing CRM 4.0 on a machine without Internet access (e.g. a VPC running only on a Loopback Adapter) you might run into some problems when CRM tries to download pre-requisite packages. Our DVD version (not out yet – it’s being ‘manufactured’) ships with these prerequisites but the downloads do not.

The simplest way is to install each of the Pre-Reqs manually. The best place to search for these is download.microsoft.com. I’ll refrain from posting links as these redistributable packages are always being updated.

The Visual C++ Redistributable Package presents us with a slightly different challenge. The package is unable to detect its installed state so CRM always installs it. So we need to create a Redist folder, subfolders for i386/amd64, a VCRedist folder and then place the VC++ install files there. Your full folder structure should look like this:

  • \Redist\i386\VCRedist\vcredist_x86.exe
  • \Redist\i386\VCRedist\vcredist_x64.exe
  • \Redist\amd64\VCRedist\vcredist_x64.exe
  • \Server\i386\SetupServer.exe
  • \Server\amd64\SetupServer.exe
  • \Client\SetupClient.exe
  • \DMWizard\SetupDMClient.exe
  • \Exchange\i386\setupexchange.exe
  • \Exchange\amd64\setupexchange.exe

I added these setup.exes to the list to show the folder structure for the Server, Client, DM and Router (the Exchange folder). Note that the Redist folder is a peer to the Server and Client.

Update: Lots of people have been asking about the ‘Microsoft Application Error Reporting’ prerequisite. You’ll find it in the CRM installer (\Server\DW).