Web security

Topics: Developer Discussion, Help
Jul 13, 2007 at 7:35 PM
I've moved to SQL Server from Express. I'm trying to create a user and login for the web to use when I go production, hopefully sometime this weekend.

My problem? I don't have a clue which security roles to assign, etc. What did you guys use?

You can talk to me like I'm 5 on this one. I'm an Oracle gal, and it was always handled by a DBA. I've never done this on my own before.

Thanks in advance!
Coordinator
Jul 14, 2007 at 1:15 AM
You shouldn't really need to worry about "roles". The default dbo ("database owner") should work.
Jul 14, 2007 at 2:07 AM
So there aren't any concerns about granting all that extra security to the web? I know we were always really locked down - only allowing select and so on.

Then that should be fairly simple. Maybe I've been worrying for no reason.
Coordinator
Jul 14, 2007 at 5:33 PM
Yep... it should just work under the default.
Jul 16, 2007 at 7:26 PM
As an FYI to anyone who wishes to lock down their db a bit, you only need to grant dbreader, dbwriter access, in addition to checking all the aspnet_ boxes for the membership providers, etc.

Then you grant exec on all stored procs to your user.

The problem with using db_owner is that it allows any web user smart enough to get through your security to be able to do some nasty things like dropping your entire database.
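
The lockdown described in the last post, written out as T-SQL. This is an added example, not part of the original thread: YourAppDb, web_app_login, web_app_user and the password are placeholders, db_datareader and db_datawriter are SQL Server's fixed database roles for read and write access, and the stored procedures are assumed to live in the dbo schema.

```sql
-- Placeholder names (assumptions): YourAppDb, web_app_login, web_app_user.
USE [YourAppDb];
GO

-- Server login plus a database user mapped to it.
CREATE LOGIN [web_app_login]
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
CREATE USER [web_app_user] FOR LOGIN [web_app_login];
GO

-- Table read/write through the fixed roles instead of db_owner.
-- sp_addrolemember is used because it works on SQL Server 2005 and later;
-- on 2012+ the equivalent is ALTER ROLE ... ADD MEMBER.
EXEC sp_addrolemember N'db_datareader', N'web_app_user';
EXEC sp_addrolemember N'db_datawriter', N'web_app_user';

-- "Checking all the aspnet_ boxes": add the user to every database role
-- whose name starts with aspnet_ (the provider roles present in this database).
DECLARE @role sysname;
DECLARE role_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.database_principals
    WHERE type = 'R' AND name LIKE N'aspnet[_]%';
OPEN role_cursor;
FETCH NEXT FROM role_cursor INTO @role;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_addrolemember @role, N'web_app_user';
    FETCH NEXT FROM role_cursor INTO @role;
END
CLOSE role_cursor;
DEALLOCATE role_cursor;
GO

-- EXECUTE on every stored procedure in the dbo schema (assumed location).
GRANT EXECUTE ON SCHEMA::[dbo] TO [web_app_user];
GO

-- Check the result: list the user's roles; db_owner must not appear.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'web_app_user'
ORDER BY r.name;
```

With this setup the web login can read and write rows and run procedures, but it holds no DDL rights, so it cannot drop tables or the database.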