Can anybody tell me what the 10 or 15 steps are to secure your SugarCRM system??
Thanks in Advance
Deepak
Last edited by dshivhare; 2007-03-16 at 07:08 AM.
I think 10 or 15 steps are more!
Can you tell me only 5?????
Thanks in Advance
Deepak
It totally depends on what you like to secure and what you believe to be secure.
In our case we are running the SugarCRM environment from an HTTPS location.
The server itself only allows access to people of our company who have an X.509 certificate provided by our company Certificate Authority.
As a result any data sent between our end users and the SugarCRM application is 2-way SSL encrypted and nobody can access the server unless they have a company CA X.509 cert in their local cert store.
So in reference to your question and our case:
Step 0: Set all your user access rights in SugarCRM and do not give them Admin unless required
Step 1: Secure your CRM with HTTPS
Step 2: Provide X.509 certificates to all your users
Step 3: Configure your SugarCRM server to only allow access to people who have an X.509 certificate
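As an added illustration of Steps 1 to 3 above (not from the original post, and the thread does not say which web server is used), here is what that setup looks like as an Apache httpd mod_ssl virtual host. The host name, file paths and CA file name are assumptions; the point is that `SSLVerifyClient require` rejects any TLS handshake that does not present a client certificate chaining to the company CA, so the check happens before a single request reaches SugarCRM.

```apache
# Assumed: Apache httpd with mod_ssl; crm.example.com and all paths are placeholders.
# Plain HTTP only redirects, so no session cookie or login ever travels unencrypted (Step 1).
<VirtualHost *:80>
    ServerName crm.example.com
    Redirect permanent / https://crm.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName crm.example.com
    DocumentRoot /var/www/sugarcrm

    # Server-side TLS (Step 1): the server's own certificate and private key.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/crm.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/crm.example.com.key

    # Client-side TLS (Steps 2 and 3): trust only certificates issued by the
    # company CA (the CA cert, not a public bundle), and require one from
    # every client. "optional" would let unauthenticated users through to the
    # application login page, which defeats the purpose of Step 3.
    SSLCACertificateFile /etc/ssl/certs/company-ca.crt
    SSLVerifyClient require
    # Depth 1 = client cert signed directly by the company CA; raise only if
    # the CA uses intermediates.
    SSLVerifyDepth 1
    # Optional: honour a CRL so certificates of departed users are rejected.
    # SSLCARevocationFile /etc/ssl/crl/company-ca.crl
    # SSLCARevocationCheck chain

    # Expose the verified certificate subject to the application/log files so
    # access can be audited per person, not just per IP.
    SSLOptions +StdEnvVars
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s" sslclient
    CustomLog /var/log/apache2/sugarcrm-ssl.log sslclient
</VirtualHost>
```

A quick check after reloading: connecting with `openssl s_client -connect crm.example.com:443` and no `-cert`/`-key` should fail the handshake, while the same command with a company-issued certificate should complete it.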
We are planning to put our Sugar Application online, because of the many different custom made portals.
The application needs to be secure, and what Mike said about the certification makes a lot of sense.
Together with a properly configured firewall this can be made into a well-secured system.
The thing that bothers me is the SOAP connection with the SugarCRM application.
How can the SOAP connection make use of the Certificate in a way that communication with other custom made portals is also secure?
I read a bit about nusoap and security on beanizer
Has anyone any experience with certificates and NUSOAP?
How can this secure connection be created?
I'm new to HTTPS & certificates, please help this newbie!
I am looking for good file permissions to secure my install. During the install, I had to open up several folders and the config file for write permissions. Do these folders and files need to be set back to some kind of secure state?
I think you can turn the write permissions off, when you and other administrators do not plan to modify anything in the configuration and/or modify any layouts.
I guess a write permission to the files folder (and cache folder) is required for the daily operation.
Use the permissions recommended by Sugar for starters:
http://www.sugarcrm.com/wiki/index.p...sions_on_Linux
There will be recommendations there for Windows etc. also. Then consider your infrastructure around it in layers. Has the server OS been hardened? You'll find numerous guides online to doing this. Is the server running a firewall or do you have a separate device? Consider splitting the DB from the webserver and putting a firewall between them that only allows DB traffic. Look into something like snort for intrusion detection. Put the whole thing behind a VPN. You can do that pretty cheaply if you investigate an SSL based VPN like SSL-Explorer.
SSL isn't a bad shout. It's generically aimed at financial data or data with quantifiable financial impact. What banks do with SSL around online banking is about underwriting transactions with insurers not because SSL is considered inherently secure for all data. Spend on all of this has to be balanced around the value of your data though. Decent password and company security policy goes a long way. Waste of time doing all this if disgruntled employee just exports your database when they leave.