DBOwner Privileges
-
Hi, Whenever I have created data driven ASP.NET applications in the past, I have always specified in my connection string that ASP.NET should use a database user account that has dbowner privileges. Is it OK to do this, or should I restrict privileges? Most documentation I have found seems to indicate that dbowner is OK. Any opinions gratefully received. Thanks! Visit Riverside Internet[^] Visit Mike Puddephat Online[^]
-
Hi, Whenever I have created data driven ASP.NET applications in the past, I have always specified in my connection string that ASP.NET should use a database user account that has dbowner privileges. Is it OK to do this, or should I restrict privileges? Most documentation I have found seems to indicate that dbowner is OK. Any opinions gratefully received. Thanks! Visit Riverside Internet[^] Visit Mike Puddephat Online[^]
Hi Mike, In my opinion, just like any other security area, it is better to use an account with the least amount of privilege. By using an account with dbo privileges, any compromise of security, such as a SQL injection attack, can wreak havoc in the database. For example, the account can drop tables, modify stored procedures, etc. If instead you use an account with only db_datareader permissions and grant execute rights on your stored procedures, there is far less that can be done in the event security is compromised. Google has a slew of resources, and here are a couple to get you started:
- Implementing Security[^], from the SQL Server 2000 Resource Kit
- Overview of the SQL Server Security Model and Security Best Practices[^], from SQL-Server-Performance.com
- SQL Server Security: The db_executor Role[^], at SQL Server Central
- Securing SQL Server Tables[^], at Windows IT Pro
Hope that helps. :) --Jesse
-
Hi Mike, In my opinion, just like any other security area, it is better to use an account with the least amount of privilege. By using an account with dbo privileges, any compromise of security, such as a SQL injection attack, can wreak havoc in the database. For example, the account can drop tables, modify stored procedures, etc. If instead you use an account with only db_datareader permissions and grant execute rights on your stored procedures, there is far less that can be done in the event security is compromised. Google has a slew of resources, and here are a couple to get you started:
- Implementing Security[^], from the SQL Server 2000 Resource Kit
- Overview of the SQL Server Security Model and Security Best Practices[^], from SQL-Server-Performance.com
- SQL Server Security: The db_executor Role[^], at SQL Server Central
- Securing SQL Server Tables[^], at Windows IT Pro
Hope that helps. :) --Jesse
That's a great help. Thanks! Visit Riverside Internet[^] Visit Mike Puddephat Online[^]