|
Home > Archive > MS SQL Server Connectivity > June 2005 > IUSR Role in SQL Server Database
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
IUSR Role in SQL Server Database
|
|
| WC Justice 2005-06-09, 8:23 pm |
| Is it a security risk to have the IUSR account set up as a dbo, or is it
better to give the IUSR account selected authority? I use the IUSR account
to access SQL Server for ASP web pages. The connection string uses
IUSR_<machine> with no password, but the password is stored within IIS.
| |
| Mike Epprecht \(SQL MVP\) 2005-06-09, 8:23 pm |
| Hi
Bad idea to give that user DBO. If a hacker gets though your web pages, he
can do anything to your database.
Always give users explicit permission (never to tables, but to stored
procedures), and give the least permissions you can.
Regards
--------------------------------
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
IM: mike@epprecht.net
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/
"WC Justice" <BJustice@wcje.com> wrote in message
news:%W2qe.73996$6k7.73701@bignews4.bellsouth.net...
> Is it a security risk to have the IUSR account set up as a dbo, or is it
> better to give the IUSR account selected authority? I use the IUSR
> account to access SQL Server for ASP web pages. The connection string
> uses IUSR_<machine> with no password, but the password is stored within
> IIS.
>
|
|
|
|
|