Sandbox (Isolation) Mode in MS CRM

1         What is a Sandbox?

A sandbox is a testing or isolated environment in which untested code is deployed for testing. The term is also used in information security. A sandbox acts as a filter: when an application runs in sandbox mode, its code is executed in the browser with its operating system API calls limited. This helps stop malicious code from executing on the local system of the server, which raises the system's security level.

2         MS-CRM Sandbox Understanding

Sandbox mode was introduced in MSCRM 2011. Microsoft Dynamics CRM supports executing plugins and workflows in isolation mode (sandbox mode), and it collects runtime statistics for plugins and custom workflows. If a sandbox worker process exceeds the threshold level, the application platform kills it automatically, and the plugins running in that worker process fail with an exception. These exceptions can be found in the trace files for plugins registered in the sandbox. For these reasons, sandbox mode is recommended in secured environments. Sandbox mode (Isolation/Partial Trust) can be used both Online and On-Premises; None mode (Full Trust) can be used only On-Premises.

2.1       Where Can We See These Sandbox Runtime Statistics?

Plugin and custom workflow runtime information is captured in the MSCRM database. Look for the PluginTypeStatisticBase table and write a select query:

"Select * from PluginTypeStatisticBase"

This table records plugin performance and runtime execution statistics, such as the failure and crash percentages of each plugin.

Figure 1: PluginTypeStatisticBase Query

2.2       Find Sandbox Processing Service

The Sandbox Processing Service is listed in the Windows Services console (Services.msc).

Figure 2: MS CRM Sandbox Processing Service

Figure 3: Host and Worker Process Services

3         How Does Sandbox Plugin/Workflow Execution Work?

  • Once the plugin execution context is created, the entire context is serialized and sent to the sandbox host process so that the plugin can be executed in the current context.
  • The sandbox host process de-serializes the information and then serializes it again for the assigned sandbox worker process that will execute the plugin.
  • The sandbox worker process then de-serializes the current execution context and runs the plugin code in partial trust.
  • The result is returned to the host process.
  • The host process then sends the captured result back to the original process that raised the request for sandbox mode (w3wp.exe or CrmAsyncService.exe).

Note: Assume the plugin fires at the Pre-Operation stage.

Figure 4: Plugin Execution by w3wp Process

Figure 5: CRM Async Process Executing Custom Workflow

Note: Assume the CRM Async process is running a workflow.

4         Limitations of Sandbox Plugins/Custom Workflows

  • Only the HTTP and HTTPS protocols are allowed.
  • Access to localhost (loopback) is not permitted.
  • IP addresses cannot be used. You must use a named web address.
  • Anonymous authentication is supported and recommended.
  • Access to your local file system is not available.
  • External DLLs and DLLs registered in the GAC cannot be accessed.
  • Web services cannot be accessed in sandbox plugins.

These restrictions can be modified in a server environment by editing the MSCRM registry settings. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM\SandboxWorkerOutboundUriPattern

The key holds a regular expression and is added as a registry string. By editing the regular expression string you can remove the first three limitations (web access). The value has this format:

"^http[s]?://(?!((localhost[:/])|(\[.*\])|([0-9]+[:/])|(0x[0-9a-f]+[:/])|(((([0-9]+)|(0x[0-9A-F]+))\.){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+"
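Because editing SandboxWorkerOutboundUriPattern silently removes the web-access restrictions, it is worth checking what a given registry value still blocks. The following is an added example, not code from the original post or from Microsoft: it uses Python's `re` module as a stand-in for the .NET regex engine and assumes the pattern is applied as an anchored, case-sensitive match; the probe URLs and the edited patterns are constructed for illustration.

```python
import re

# Default value as quoted on the page.
DEFAULT_PATTERN = (
    r"^http[s]?://(?!((localhost[:/])|(\[.*\])|([0-9]+[:/])|(0x[0-9a-f]+[:/])|"
    r"(((([0-9]+)|(0x[0-9A-F]+))\.){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+"
)

# Constructed probe URLs: one per restriction the default pattern enforces.
PROBES = {
    "loopback name": "http://localhost/service",
    "IPv6 literal": "http://[::1]/service",
    "decimal integer host": "http://2130706433/service",
    "hex integer host": "http://0x7f000001/service",
    "dotted IPv4": "https://10.0.0.5:8443/api",
    "dotted hex IPv4": "http://0x7F.0x0.0x0.0x1/service",
    "non-HTTP scheme": "ftp://files.example.com/x",
}

# Constructed URL that a healthy pattern must still allow (named HTTPS host).
ALLOWED_SAMPLE = "https://api.example.com/orders"


def is_allowed(pattern, url):
    """True if the outbound URL would pass the pattern (assumed anchored match)."""
    return re.match(pattern, url) is not None


def audit(pattern):
    """Return the set of restrictions that `pattern` no longer enforces."""
    try:
        re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"registry value is not a valid regex: {exc}")
    return {name for name, url in PROBES.items() if is_allowed(pattern, url)}


if __name__ == "__main__":
    # Hypothetical edited values an administrator might find in the registry.
    candidates = {
        "default": DEFAULT_PATTERN,
        "localhost clause removed": DEFAULT_PATTERN.replace(r"(localhost[:/])|", ""),
        "lookahead removed": r"^http[s]?://.+",
    }
    for label, pattern in candidates.items():
        lost = sorted(audit(pattern)) or "none"
        print(f"{label}: named host allowed={is_allowed(pattern, ALLOWED_SAMPLE)}, "
              f"restrictions lost={lost}")
```

An empty result from `audit` means the value still enforces every restriction the default does; any name it returns identifies a clause that was edited out.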

External DLLs cannot be added, but this limitation can be worked around with the ILMerge (DLL merger) tool.

Note: The sandbox processing service role defaults to outbound calls being enabled. If you do not want to permit outbound calls from custom code, you can disable outbound calls by setting the following registry key to 1 (DWORD) on the server that hosts the sandbox processing service role. Next, restart the Microsoft Dynamics CRM Sandbox Processing Service.

5         General Errors that Occur in Sandbox-Registered Plugins/Custom Workflows

  • Attempting to use the AppDomain.CurrentDomain.AssemblyResolve event
  • Security Exception (partially trusted callers)
  • IO.Path.GetTempPath() [System.Security.Permissions.EnvironmentPermissionException]
  • Any filesystem access code [System.Security.Permissions.FileIOPermissionException]
  • Attempting to use the EventLog [System.Diagnostics.EventLogPermissionException]
  • Attempting to use Isolated Storage [System.Security.Permissions.IsolatedStoragePermissionException]
  • Any reference to Thread.CurrentThread causes a security failure.

6         Advantages of Sandbox Plugin

  • .NET Code Access Security is enforced, so access to the file system and event logs is prevented. This is useful when you want code to execute in a secure way on your server.
  • The process that executes your plugin can be killed if your plugin exceeds certain thresholds or becomes unresponsive.
  • Each CRM organization has its own sandbox processes, so organizations are independent of one another.
  • When a plugin registered in full trust (None mode) is debugged with the remote debugger, it uses the full resources of the server and other users cannot perform their actions on it. A sandbox plugin uses only the Sandbox Processing Service.
  • Azure cloud services can be used from sandbox plugins.
  • Plugin runtime execution statistics are recorded in the MSCRM database, and the captured data can be used to decide on performance measures.