SQL Server Login Security

Siavash Mortazavi asked on August 10, 2015 18:14

Hi,

I would like to create a new SQL Server login and then a database user on top of that for my Kentico website, to include it in my connection string. Considering the Principle of Least Privilege, could you please answer these questions?

  1. Does the Kentico installer automatically take care of creating a least-privileged user and adding it to the connection string?
  2. If not, what permissions/limitations should I add to the instance login I'm creating?
  3. Then, what permissions/limitations should I add to the database user created for that login?
  4. Can/should I reduce the privileges for the live version of the database, in comparison to the development version? Does Kentico require running DDL code on a live database, or will it only be Insert, Update, Delete, and Select?

Correct Answer

Trevor Fayas answered on August 10, 2015 21:45

1: The installer requires you to give it the user info, so it will not create a user or permissions.
2: https://docs.kentico.com/display/K8/Minimal+secure+configuration has a listing for you!
3: See above link.
4: I would say you should have the same privileges on both, so you don't have that as a variable if something needs to be debugged.
5: I don't believe Kentico uses any DDL code for the database.

Hope that helps. As long as you don't provide ways for SQL injection attacks (through custom webparts or insecure macros), you should be fine. Kentico is very secure; I don't think we have had one hack of Kentico yet, and our company runs many, many Kentico sites.


Recent Answers


Brenden Kehren answered on August 10, 2015 21:41

Have you read the documentation on Kentico minimal security configuration?


Brenden Kehren answered on August 10, 2015 22:50

One thing to note is your user will need CREATE DB privileges while creating the new Kentico DB. You can remove this after the DB is created but note, it is needed.

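The login/user split the question asks about, carried through in T-SQL as an added example (this is not code from the thread or from the linked Kentico documentation, and the authoritative list of what the Kentico user must be allowed to do is that documentation, not the roles chosen here). The names KenticoApp and KenticoDB, the password placeholder, and the db_datareader/db_datawriter/EXECUTE grants are assumptions for illustration. It also covers the install-time CREATE DATABASE step Brenden mentions, together with a detail that is easy to miss: whichever login creates the database becomes its owner (mapped to dbo) and therefore keeps full control of it even after the server-level permission is revoked, so ownership has to be moved before the restricted user is mapped.

```sql
-- Added example, not from the Kentico docs or the thread above.
-- Placeholders: KenticoApp (login/user), KenticoDB (database), the password.

USE master;
GO

-- 1. Server-level login with SQL authentication, so the connection string
--    never carries sa. Password policy is enforced by the OS policy.
CREATE LOGIN KenticoApp
    WITH PASSWORD = N'<strong-random-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = master;
GO

-- 2. Install-time only: the installer needs to create the database.
GRANT CREATE ANY DATABASE TO KenticoApp;
GO

-- ... run the Kentico installer with KenticoApp in the connection string;
--     it creates KenticoDB ...

-- 3. Post-install: take the server-level privilege away again.
REVOKE CREATE ANY DATABASE FROM KenticoApp;
GO

-- 4. The creating login owns KenticoDB and is mapped to dbo there, so step 3
--    alone changes nothing inside the database. Move ownership to sa first;
--    CREATE USER below would otherwise fail because the login is already dbo.
ALTER AUTHORIZATION ON DATABASE::KenticoDB TO sa;
GO

USE KenticoDB;
GO

-- 5. Map the login to a database user limited to DML on the dbo schema.
--    (Assumed roles; replace with the set the Kentico documentation lists.)
CREATE USER KenticoApp FOR LOGIN KenticoApp WITH DEFAULT_SCHEMA = dbo;
ALTER ROLE db_datareader ADD MEMBER KenticoApp;
ALTER ROLE db_datawriter ADD MEMBER KenticoApp;

-- db_datareader/db_datawriter do not cover stored procedures; if the
-- application calls any (assumption), EXECUTE on the schema is needed too.
GRANT EXECUTE ON SCHEMA::dbo TO KenticoApp;
GO

-- 6. Verify the effective rights by impersonating the login (run as sysadmin):
--    expect CONNECT but no ALTER/CONTROL at database level, and no db_owner.
EXECUTE AS LOGIN = 'KenticoApp';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
SELECT IS_MEMBER('db_owner') AS is_db_owner;   -- expect 0
REVERT;
GO
```

The same script applies to development and production, which keeps Trevor's point about not making privileges a debugging variable; what differs between environments is only the password. If Kentico does need DDL at runtime for a particular feature, the verification step in part 6 is where that shows up as a failed permission, and the fix is a targeted grant on the affected objects rather than db_owner.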

Siavash Mortazavi answered on August 11, 2015 14:53

My thanks to both Trevor and Brenden!

That document was exactly what I was looking for. I trust Kentico security, but I just don't want to include sa username and password in my connection strings! :D

