
Microsoft Dynamics 365

Security Assessment
Summary

Page 01
Microsoft Confidential
The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of
any information presented after the date of publication.

This document is for informational purposes only. NEITHER MICROSOFT NOR ANY THIRD PARTY MENTIONED IN
THIS DOCUMENT MAKES ANY WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN
THIS DOCUMENT.

As detailed herein, NCC Group was appointed by Microsoft to conduct a security assessment of critical
components of Microsoft Dynamics 365 Customer Engagement cloud service, and NCC Group accepts no duty or
responsibility (including negligence) to any party other than Microsoft in relation to the assessment and disclaims
all liability of any nature whatsoever in relation to this document.

As detailed herein, Kratos Technology and Training Solutions, Inc. was appointed by Microsoft to conduct a
security assessment of Microsoft Dynamics 365 Customer Engagement and Kratos Technology and Training
Solutions, Inc. accepts no duty or responsibility (including negligence) to any party other than Microsoft in relation
to the assessment and disclaims all liability of any nature whatsoever in relation to this document.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.

© 2019 Microsoft Corporation. All rights reserved.

Microsoft Dynamics is a registered trademark or trademark of Microsoft Corporation in the United States and/or
other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents
Introduction ........................................ 4
    Scope ........................................... 4
    Caveats
Test Methodologies .................................. 5
Summary of Assessment Results ....................... 6
    Summary of Findings ............................. 6
    Conclusion
Microsoft Responses to Findings ..................... 7

Introduction
Microsoft Dynamics 365 is a remotely hosted, subscription-based service providing organizations with a Customer
Relationship Management (CRM) facility.
To evaluate the security of the overall Azure platform and services, Microsoft conducts frequent security testing
through independent third parties. In addition, the Microsoft Red Team carries out internal testing focused on the
various services that make up Azure and Dynamics 365 to help identify
This summary report is intended to provide information and insights into the most recent tests conducted by
independent third parties.
1. Testing by NCC Group, a CREST certified company, was carried out in May 2019 and focused on core
services/components including the Windows hypervisor and the Key Vault service.
2. Kratos SecureInfo (Kratos) carried out a more comprehensive US FedRAMP (Federal Risk and
Authorization Management Program) penetration test of the Azure service in January 2019.
Scope
NCC
The NCC security assessment was carried out in the test environment in May 2019 and included:
• Sales Module deployed in Commercial Environment
• Common Data Services Platform which stores all the Dynamics 365 data from Sales, Customer Service,
Project Service automation, Field Service and Marketing
The hostnames within the scope of this test are listed below:
• *.crm.dynamics.com (provided by Microsoft Dynamics Team)
• Home.dynamics.com
Kratos
In order to conduct the penetration test in accordance with the FedRAMP penetration testing guidance, the Kratos
test in January 2019 was broken into multiple sub-tests based on different attack vectors.
The scope of this phase of each vector included the full FedRAMP accreditation boundary for Dynamics 365 for
Government unless explicitly excluded in the Azure Penetration Testing Rules of Engagement (RoE) document.
The penetration test included all devices and applications in the Azure Public accreditation boundary as either
primary or secondary targets unless excluded. The scope included, but was not limited to:
• Network infrastructure;
• Internet-facing services such as web applications;
• Social engineering efforts directed at designated corporate employees;
• Hosts; and
• Datacenter physical security.

Caveats
Due to the nature of the live environment, checks that would have a high probability of causing disruption to the
service, for example denial of service attempts, were excluded.

Test Methodologies
NCC
The primary areas of concern in webservice security are:
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Controls
• Security Misconfigurations
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Known Vulnerable Components
• Insufficient Logging and Monitoring
NCC Group’s web service assessment methodology is designed to find common vulnerabilities such as message
replay attacks, XML complexity attacks, and transport security weaknesses. The purpose of the assessment is to
identify any vulnerabilities which can be exploited in order to attack the system or other users, bypass controls,
escalate privileges, or extract sensitive data. The service is assessed from several perspectives, including with no
credentials, user credentials, and privileged user credentials.
Kratos
Kratos used the methodology specified by the US FedRAMP program, which can be viewed at the following link:
• https://www.fedramp.gov/files/2015/01/FedRAMP-PenTest-Guidance-v-1-0.pdf
Kratos determined that the following FedRAMP attack vectors were applicable with regard to the Azure and
Dynamics services:
• External to Corporate
• External to Target System
• Tenant to Target System
• Tenant to Tenant
• Corporate to CSP Management System
• Physical Penetration
The Mobile Application vector was deemed not applicable to the Azure environment.

Summary of Assessment Results
Summary of Findings
The following table summarizes the number of issues identified and their associated risk ratings.

Description                               Critical   High   Medium   Total
Microsoft Dynamics Customer Engagement    0          1      2        3

Microsoft Responses to Findings
NCC
This section describes Microsoft responses to the outstanding issues from the penetration test.

Impact: High
Description: XML External Entity Injection (XXE). It was possible for an attacker to use a vulnerability in the
configuration of the XML processor to read any file on the host system that served the application.
Microsoft response: The vulnerabilities found are only exploitable through interaction by an authenticated user.
The vulnerability was partly mitigated.

Impact: Medium
Description: Reflected Cross-Site Scripting. The Dynamics 365 application was vulnerable to reflected, or
non-persistent, cross-site scripting (XSS) attacks. This type of vulnerability occurs when data provided by the web
client is used immediately by server-side scripts to generate a page of results for the user.
Microsoft response: The vulnerabilities found are virtually all exploitable only by high-privilege users such as
admins and customizers, who are considered under our trust boundary. Only if an attacker can first exploit the
reflected XSS vulnerabilities can this vulnerability pose a risk. Nevertheless, the Engineering Teams are looking
at the XSS vulnerabilities found and will be fixing them soon.

Impact: Medium
Description: Arbitrary File Path Manipulation. The application allowed users to provide a file path to load DLL
files for plugins. This could potentially be abused to enumerate internal resources on the server side.
Microsoft response: The vulnerabilities found are virtually all exploitable only by high-privilege users such as
admins and customizers, who are considered under our trust boundary. The Engineering team is looking to fix
this vulnerability.
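
The XML-processor configuration difference behind the XXE finding, as an added C# example that is not from the report or from Dynamics 365's own code: the risky reader settings beside the hardened ones. It assumes a .NET service that parses XML submitted by an authenticated user; the class, method names and the probe document are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

public static class XmlIntake
{
    // Risky configuration: DTD processing enabled plus a URL resolver means an
    // <!ENTITY e SYSTEM "file:///..."> declaration in a user-supplied document is
    // fetched and expanded with the service's own file-system permissions.
    public static string ParseUnsafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()  // follows file:// and http(s):// references
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument();
        doc.Load(reader);
        return doc.DocumentElement?.InnerText ?? string.Empty;
    }

    // Hardened configuration: any DOCTYPE is rejected before an entity can be
    // declared, and with no resolver nothing external could be fetched anyway.
    public static string ParseSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersFromEntities = 1024  // bounds internal entity expansion too
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument();
        doc.Load(reader);
        return doc.DocumentElement?.InnerText ?? string.Empty;
    }

    public static void Main()
    {
        // Constructed probe: a document that declares an external entity. The hardened
        // parser throws on the DOCTYPE itself; the risky one would try to read the file.
        const string probe = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder\">]><d>&ext;</d>";
        try { ParseSafe(probe); Console.WriteLine("unexpected: DOCTYPE accepted"); }
        catch (XmlException ex) { Console.WriteLine("rejected: " + ex.Message); }
        Console.WriteLine(ParseSafe("<d>benign</d>"));  // a plain document still parses
    }
}
```

The same settings apply to XmlDocument, XmlReader and XPathDocument alike; auditing for DtdProcessing.Parse or a non-null XmlResolver on reader settings is the quickest way to find the risky variant in a code base.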

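The control that the Arbitrary File Path Manipulation finding calls for, as an added C# example that is not from the report or from the product: a caller-supplied plugin name is confined to the plugin directory instead of being used as a path. It assumes a hypothetical plugin store on a Windows host; the class name, the root directory and the sample inputs are constructed.

```csharp
using System;
using System.IO;

public static class PluginPath
{
    // Maps a caller-supplied plugin name to a file inside pluginRoot, or returns null.
    // Canonicalising with Path.GetFullPath collapses "..", mixed separators and
    // redundant segments before the prefix check, so traversal cannot slip past it.
    public static string? Resolve(string pluginRoot, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested))
            return null;
        // Accept only a bare file name: anything rooted, with a drive letter, a UNC
        // prefix or a directory part is refused before the file system is consulted.
        if (Path.IsPathRooted(requested) || requested.IndexOfAny(new[] { '/', '\\' }) >= 0)
            return null;
        if (!string.Equals(Path.GetExtension(requested), ".dll", StringComparison.OrdinalIgnoreCase))
            return null;

        string root = Path.GetFullPath(pluginRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requested));
        // Final guard: the canonical result must still sit under the canonical root.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public static void Main()
    {
        // Constructed inputs; only the first is a legitimate plugin name.
        const string root = @"C:\service\plugins";
        foreach (var name in new[] { "Crm.Custom.dll", @"..\Other.dll", @"C:\Temp\x.dll", "notes.txt" })
            Console.WriteLine($"{name,-20} -> {Resolve(root, name) ?? "rejected"}");
    }
}
```

Rejecting rather than sanitising keeps the error path uniform, so a probing caller learns nothing about which internal paths exist.
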
Kratos
The Kratos test identified no high-risk issues, one moderate and six low-risk issues.
