
Secure installation

7 posts, 1 answered
  1. Gaston County
    38 posts
    Registered:
    23 Feb 2012
    02 Feb 2011
    I was just wondering if there exists any documentation on how to lock down a Sitefinity installation for good database and code security on a production deployment. Is the default installation considered secure? I know the user I provide during installation needs much higher level privileges in the database than I'm comfortable with in the long term.

    Thanks!
  2. Georgi
    3583 posts
    Registered:
    28 Oct 2016
    07 Feb 2011
    Hi Zak,

    We believe it is secure. We require db_owner role on the database, because we are doing a lot of things on the data layer - add and remove columns dynamically for example. Could you please let us know what setting is not comfortable for you?

    Best wishes,
    Georgi
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
  3. Gaston County
    38 posts
    Registered:
    23 Feb 2012
    07 Feb 2011
    I don't much like the idea of giving a public-facing web application carte blanche db_owner permissions. My DBA is cringing as well. Does this not violate some best practices regarding application and database security?
  4. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    07 Feb 2011
    Hello Zak,

    The user should be dbo when you install Sitefinity or you perform an update.
    db_datareader and db_datawriter are required. The db_datawriter role allows its members to modify existing data and to insert new data. The members can execute the INSERT, UPDATE, and DELETE statements against the database objects in a database.

    Modules like Forms create database tables, and if you do not have permissions you will get an error. All custom fields create columns and new records in existing tables.

    Regards,
    Ivan Dimitrov
    the Telerik team
  5. Gaston County
    38 posts
    Registered:
    23 Feb 2012
    07 Feb 2011
    Hi Ivan, and thanks for the quick reply.

    This is significantly better news, and I think highlights a severe deficiency in the current Sitefinity documentation. Specific listing of what permissions are needed, both at the database and IIS/Windows Server level would be a boon to all of us deploying your products. I, for one, have struggled deploying Sitefinity on IIS7.5 because the information regarding NTFS permissions that I could find was vague at best.

    In the meantime, can you tell me exactly what permissions my database user needs after installation is complete?

    db_datareader
    db_datawriter
    CREATE TABLE

    Do I need ALTER or DROP table (I hope not DROP)? Anything else?

    Thanks for all your patience. My organization is very security conscious and wants all applications locked down as much as possible.
    Zak
  6. Radoslav Georgiev
    3370 posts
    Registered:
    01 Feb 2016
    08 Feb 2011
    Hello Zak,

    We have already modified our installation guide to provide what folder permissions are needed for the website in IIS. We are going to do so for the database user too. You need Alter table; Drop table is not needed.

    Best wishes,
    Radoslav Georgiev
    the Telerik team
    Answered
  7. Gaston County
    38 posts
    Registered:
    23 Feb 2012
    08 Feb 2011
    Thanks!
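
The post-installation permission set discussed in this thread (db_datareader, db_datawriter, CREATE TABLE, ALTER but not DROP), written out as T-SQL. This is an added example, not part of any post above and not Telerik's own script. It assumes SQL Server 2012 or later, application tables in the dbo schema, and the hypothetical names SitefinityDb, sf_app, sf_runtime and trg_block_runtime_drop_table.

```sql
-- Assumed names (not from the thread): database SitefinityDb, database user sf_app,
-- role sf_runtime, application tables in the dbo schema.
USE SitefinityDb;
GO

-- After installation or an upgrade has finished, take the user out of db_owner.
IF IS_ROLEMEMBER('db_owner', 'sf_app') = 1
    ALTER ROLE db_owner DROP MEMBER sf_app;
GO

-- Runtime role carrying only the permissions named in the thread.
CREATE ROLE sf_runtime;
ALTER ROLE db_datareader ADD MEMBER sf_runtime;
ALTER ROLE db_datawriter ADD MEMBER sf_runtime;
GRANT CREATE TABLE TO sf_runtime;          -- database-level permission
GRANT ALTER ON SCHEMA::dbo TO sf_runtime;  -- CREATE TABLE also requires ALTER on the target schema
ALTER ROLE sf_runtime ADD MEMBER sf_app;
GO

-- SQL Server has no separate DROP TABLE permission: ALTER on a schema also
-- allows dropping its tables. A database DDL trigger closes that gap for
-- sessions that hold sf_runtime without being db_owner.
CREATE TRIGGER trg_block_runtime_drop_table
ON DATABASE
FOR DROP_TABLE
AS
BEGIN
    IF IS_ROLEMEMBER('sf_runtime') = 1 AND IS_ROLEMEMBER('db_owner') = 0
    BEGIN
        RAISERROR('DROP TABLE is not permitted for the runtime role.', 16, 1);
        ROLLBACK;
    END
END;
GO

-- Check: list the explicit grants the runtime role ended up with.
SELECT pr.name AS principal, pe.state_desc, pe.permission_name, pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'sf_runtime';
```

Membership in db_datareader and db_datawriter does not appear in sys.database_permissions; query sys.database_role_members to confirm it.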