Secure installation
I was just wondering if there exists any documentation on how to lock down a Sitefinity installation for good database and code security on a production deployment. Is the default installation considered secure? I know the user I provide during installation needs much higher level privileges in the database than I'm comfortable with in the long term.
Thanks!
Hi Zak,
We believe it is secure. We require db_owner role on the database, because we are doing a lot of things on the data layer - add and remove columns dynamically for example. Could you please let us know what setting is not comfortable for you?
Best wishes,
I don't much like the idea of giving a public facing web application carte blanche db_owner permissions. My DBA is cringing as well. Does this not violate some best practices regarding application and database security?
Hello Zak,
The user should be dbo when you install Sitefinity or you perform an update.
db_datareader and db_datawriter are required. The db_datawriter role allows its members to modify existing data and to insert new data. The members can execute the INSERT, UPDATE, and DELETE statements against the database objects in a database.
Modules like Forms create database tables, and if you do not have permissions you will get an error. All custom fields create columns and new records in existing tables.
Regards,
Ivan Dimitrov
the Telerik team
Hi Ivan, and thanks for the quick reply.
This is significantly better news, and I think highlights a severe deficiency in the current Sitefinity documentation. Specific listing of what permissions are needed, both at the database and IIS/Windows Server level would be a boon to all of us deploying your products. I, for one, have struggled deploying Sitefinity on IIS7.5 because the information regarding NTFS permissions that I could find was vague at best.
In the meantime, can you tell me exactly what permissions my database user needs after installation is complete?
db_datareader
db_datawriter
CREATE TABLE
Do I need ALTER or DROP table (I hope not DROP)? Anything else?
Thanks for all your patience. My organization is very security conscious and wants all applications locked down as much as possible.
Zak
Hello Zak,
We have already modified our installation guide to provide what folder permissions are needed for the website in IIS. We are going to do so for the database user too. You need ALTER TABLE; DROP TABLE is not needed.
Best wishes,
Radoslav Georgiev
the Telerik team
Thanks!
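The permission set agreed on in the replies above (db_datareader, db_datawriter, CREATE TABLE, ALTER TABLE, no DROP) expressed as a SQL Server script, as an added example that is not part of the thread and not Telerik's own guidance. The database name [Sitefinity] and the application user [sf_app] are constructed placeholders; it assumes the user already exists in the database and that Sitefinity's tables live in the dbo schema.

```sql
-- Constructed names: database [Sitefinity], database user [sf_app].
USE [Sitefinity];
GO

-- Install / upgrade phase: the Telerik replies say the user must be dbo here.
-- Grant it only for that window and remove it right after:
--   ALTER ROLE db_owner ADD MEMBER [sf_app];
-- (on SQL Server before 2012 use EXEC sp_addrolemember 'db_owner', 'sf_app').

-- Production phase: drop the carte blanche role and grant the narrower set.
ALTER ROLE db_owner DROP MEMBER [sf_app];
ALTER ROLE db_datareader ADD MEMBER [sf_app];   -- SELECT on all tables/views
ALTER ROLE db_datawriter ADD MEMBER [sf_app];   -- INSERT / UPDATE / DELETE

-- Forms and custom fields create tables and add columns (see the replies):
GRANT CREATE TABLE TO [sf_app];
-- CREATE TABLE only works together with ALTER on the target schema, and
-- ALTER on the schema is also what allows ALTER TABLE on existing dbo tables.
GRANT ALTER ON SCHEMA::dbo TO [sf_app];

-- Caveat for the DBA: SQL Server does not separate ALTER TABLE from DROP TABLE
-- at this granularity. ALTER on a schema also permits dropping objects in it,
-- so "ALTER but not DROP" cannot be enforced by grants alone; it has to be
-- covered by backups and change auditing (e.g. a DDL trigger or SQL Audit).
GO

-- Verification: impersonate the app user and list its effective rights.
EXECUTE AS USER = 'sf_app';
SELECT IS_ROLEMEMBER('db_owner')      AS is_db_owner;     -- expect 0
SELECT IS_ROLEMEMBER('db_datareader') AS is_datareader;   -- expect 1
SELECT IS_ROLEMEMBER('db_datawriter') AS is_datawriter;   -- expect 1
SELECT permission_name
FROM   fn_my_permissions(NULL, 'DATABASE')
ORDER  BY permission_name;                                 -- CREATE TABLE listed
SELECT permission_name
FROM   fn_my_permissions('dbo', 'SCHEMA')
WHERE  permission_name = 'ALTER';                          -- one row expected
REVERT;
GO
```

Run the verification block again after each Sitefinity upgrade, since the install step that requires dbo is an easy place for db_owner to be re-granted and forgotten.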