Secure installation

Posted by Community Admin on 05-Aug-2018 15:05


All Replies

Posted by Community Admin on 02-Feb-2011 00:00

I was just wondering if there exists any documentation on how to lock down a Sitefinity installation for good database and code security on a production deployment. Is the default installation considered secure? I know the user I provide during installation needs much higher level privileges in the database than I'm comfortable with in the long term.

Thanks!

Posted by Community Admin on 07-Feb-2011 00:00

Hi Zak,

We believe it is secure. We require db_owner role on the database, because we are doing a lot of things on the data layer - add and remove columns dynamically for example. Could you please let us know what setting is not comfortable for you?

Best wishes,
Georgi
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.

Posted by Community Admin on 07-Feb-2011 00:00

I don't much like the idea of giving a public facing web application carte blanche db_owner permissions. My DBA is cringing as well. Does this not violate some best practices regarding application and database security?

Posted by Community Admin on 07-Feb-2011 00:00

Hello Zak,

The user should be dbo when you install Sitefinity or you perform an update.
db_datareader and db_datawriter are required. The db_datawriter role allows its members to perform modification of existing data and to insert new data. The members can execute the INSERT, UPDATE, and DELETE statements against the database objects in a database.

Modules like Forms create database tables, and if you do not have permissions you will get an error. All custom fields create columns and new records in existing tables.

Regards,
Ivan Dimitrov
the Telerik team

Posted by Community Admin on 07-Feb-2011 00:00

Hi Ivan, and thanks for the quick reply.

This is significantly better news, and I think highlights a severe deficiency in the current Sitefinity documentation. Specific listing of what permissions are needed, both at the database and IIS/Windows Server level would be a boon to all of us deploying your products. I, for one, have struggled deploying Sitefinity on IIS7.5 because the information regarding NTFS permissions that I could find was vague at best.

In the meantime, can you tell me exactly what permissions my database user needs after installation is complete?

db_datareader
db_datawriter
CREATE TABLE

Do I need ALTER or DROP table (I hope not DROP)? Anything else?

Thanks for all your patience. My organization is very security conscious and wants all applications locked down as much as possible.
Zak

Posted by Community Admin on 08-Feb-2011 00:00

Hello Zak,

We have already modified our installation guide to provide what folder permissions are needed for the website in IIS. We are going to do so for the database user too. You need Alter table; Drop table is not needed.

Best wishes,
Radoslav Georgiev
the Telerik team
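
Added example, not part of the original thread or of Telerik's documentation: a T-SQL sketch of the post-install permission set discussed above (db_datareader, db_datawriter, CREATE TABLE, ALTER), followed by a check of what the account ends up with. The database name, user name and trigger name are hypothetical, and it assumes SQL Server 2012 or later with the application's tables in the dbo schema.

```sql
-- Hypothetical names: database [SitefinityDb], user [sitefinity_app].
-- Assumes SQL Server 2012+ and that the application's tables are in schema dbo.
USE [SitefinityDb];
GO
-- Installation or upgrade is done: take the account out of db_owner.
IF IS_ROLEMEMBER(N'db_owner', N'sitefinity_app') = 1
    ALTER ROLE db_owner DROP MEMBER [sitefinity_app];

-- Runtime rights named in the thread.
ALTER ROLE db_datareader ADD MEMBER [sitefinity_app];
ALTER ROLE db_datawriter ADD MEMBER [sitefinity_app];
GRANT CREATE TABLE TO [sitefinity_app];
-- CREATE TABLE also needs ALTER on the target schema, and the same grant
-- is what allows ALTER TABLE on existing tables in it.
GRANT ALTER ON SCHEMA::dbo TO [sitefinity_app];
GO
-- ALTER on a schema also permits DROP TABLE in it; there is no separate
-- DROP TABLE permission. This DDL trigger rejects drops by the app account.
CREATE TRIGGER trg_block_app_drop_table ON DATABASE
FOR DROP_TABLE
AS
BEGIN
    IF USER_NAME() = N'sitefinity_app'
    BEGIN
        RAISERROR(N'DROP TABLE is not allowed for the application account.', 16, 1);
        ROLLBACK;
    END
END;
GO
-- Review the result: role memberships, then explicit grants.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'sitefinity_app';

SELECT pe.state_desc, pe.permission_name, pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'sitefinity_app';
```

Per the replies above, installation and updates still expect the broader rights, so the account would need db_owner restored for that window and removed again afterwards.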

Posted by Community Admin on 08-Feb-2011 00:00

Thanks!

This thread is closed