| Author |
Topic  |
|
|
timd
Starting Member
United Kingdom
7 Posts |
Posted - 10 July 2002 : 10:07:10
|
Hi,
I've just set up the Snitz forums on our intranet, had a few errors but managed to get it working in the end. I'm looking in my SQL server setup and I find that the IUSR_<machinename> account has db_owner permissions. I don't like this. Please can someone tell me what are the minimum permissions I need to give my IUSR_ account without having to make it db_owner?
(Sql Server 7, IIS 5, Win2K, SQL/NT Authentication set up but only NT used)
Thanks.
|
|
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 10 July 2002 : 10:12:27
|
Why did you do that in the first place? Are you using Windows integrated authentication? (...just verified that you are)
Anyway, assigning db_datareader and db_datawriter should probably be enough, unless you want to upgrade or create tables, things you won't do unless you want to set up MODs.
Alternatively, you can set up a login to use SQL Server Authentication, and create a user associated with that login. That will probably be safer than assigning rights to the anonymous internet account.
Edited by - ruirib on 10 July 2002 10:17:35 |
 |
|
|
timd
Starting Member
United Kingdom
7 Posts |
Posted - 10 July 2002 : 10:22:55
|
Thanks for this. I was thinking I'd need to add individual permissions to tables, but this should work fine.
Our intranet's a bit of a mish-mash of secure and non-secure areas; I use integrated authentication where there is a finite number of identifiable users, but not everyone has an NT account, so if I want something to be accessible to all users it has to be through the anonymous account. (We use Novell and NT.) I can get NT accounts for some users, but there are about 6000 users on our network.
One day I'll have everyone set up in nice groups and the intranet'll be lovely and secure... (I can't get a picture of a flying pig, can I?)
|
 |
|
|
HuwR
Forum Admin
    
United Kingdom
20611 Posts |
Posted - 10 July 2002 : 10:37:05
|
You would be much better off using SQL authentication in that case.
Not every user needs a login, just each application that connects, so just create a webuser account and give them permissions to the databases you wish, then just use that as your login account.
|
 |
|
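The setup suggested in the replies above, written out as an added T-SQL example for SQL Server 7 (not code from the thread or from Snitz). The database name `SnitzForum`, the login `forum_web`, the machine name `WEBSRV` and the password placeholder are assumptions to replace with your own values.

```sql
-- Added example: replace the hypothetical names SnitzForum, forum_web and WEBSRV.
USE SnitzForum
GO

-- 0. See how the anonymous IIS account is currently mapped and what it belongs to.
--    Use the user name reported here in step 4 if it differs from the login name.
EXEC sp_helpuser
EXEC sp_helprolemember 'db_owner'
GO

-- 1. Create a dedicated SQL Server Authentication login for the forum application,
--    with the forum database as its default database.
EXEC sp_addlogin 'forum_web', '<choose-a-strong-password>', 'SnitzForum'
GO

-- 2. Map that login to a user in the forum database.
EXEC sp_grantdbaccess 'forum_web', 'forum_web'
GO

-- 3. Grant read and write on the data only. These two fixed roles allow
--    SELECT/INSERT/UPDATE/DELETE on user tables but not creating or altering
--    tables, so upgrades and MOD installs need a more privileged account.
EXEC sp_addrolemember 'db_datareader', 'forum_web'
EXEC sp_addrolemember 'db_datawriter', 'forum_web'
GO

-- 4. Take the anonymous IIS account out of db_owner. Once the forum's connection
--    string uses forum_web, the account needs no access to this database at all.
EXEC sp_droprolemember 'db_owner', 'WEBSRV\IUSR_WEBSRV'
EXEC sp_revokedbaccess 'WEBSRV\IUSR_WEBSRV'
GO

-- 5. Verify: db_owner should no longer list the IUSR_ account, and forum_web
--    should appear only under db_datareader and db_datawriter.
EXEC sp_helprolemember 'db_owner'
EXEC sp_helpuser 'forum_web'
GO
```

Run step 4 only after the forum has been switched to the new login and tested, otherwise the site loses database access.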
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 10 July 2002 : 10:45:36
|
I second Huw's opinion. I think using NT authentication with an anonymous user is not really authentication, is it?
With your current situation anyone who wants can connect to your database. With SQL Server Authentication at least they are forced to know your username / password.
 |
|
|
timd
Starting Member
United Kingdom
7 Posts |
Posted - 10 July 2002 : 12:06:27
|
Thanks for this. I'll have to look further into the implications of organising things this way... my initial thought, however, is that I'll have to pass the username and password in the connect strings, which I'm not keen on from a security point of view, but admittedly it's probably more secure than the current situation.
|
 |
|