Friday, March 30, 2012

IUSR Role in SQL Server Database

Is it a security risk to have the IUSR account set up as a dbo, or is it
better to give the IUSR account selected authority? I use the IUSR account
to access SQL Server for ASP web pages. The connection string uses
IUSR_<machine> with no password, but the password is stored within IIS.

Hi
Bad idea to give that user DBO. If a hacker gets through your web pages, he
can do anything to your database.
Always give users explicit permission (never to tables, but to stored
procedures), and give the least permissions you can.
Regards
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
IM: mike@.epprecht.net
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/
"WC Justice" <BJustice@.wcje.com> wrote in message
news:%W2qe.73996$6k7.73701@.bignews4.bellsouth.net. ..
> Is it a security risk to have the IUSR account set up as a dbo, or is it
> better to give the IUSR account selected authority? I use the IUSR
> account to access SQL Server for ASP web pages. The connection string
> uses IUSR_<machine> with no password, but the password is stored within
> IIS.
>
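
The advice in the reply above, as an added T-SQL example that is not part of the original thread. It assumes SQL Server 2012 or later; the database, table, procedure, role and user names are hypothetical, and `iusr_demo` is a login-less stand-in for the IUSR_<machine> account so the script runs on any test instance.

```sql
-- Constructed demo: every object name here is hypothetical.
CREATE DATABASE WebDemo;
GO
USE WebDemo;
GO
CREATE TABLE dbo.Orders (
    OrderId    int   PRIMARY KEY,
    CustomerId int   NOT NULL,
    Total      money NOT NULL
);
INSERT INTO dbo.Orders VALUES (1, 10, 25.00), (2, 11, 40.00);
GO
-- The one operation the web pages need, exposed as a parameterized procedure.
CREATE PROCEDURE dbo.usp_GetOrdersForCustomer @CustomerId int
AS
    SELECT OrderId, Total FROM dbo.Orders WHERE CustomerId = @CustomerId;
GO
-- Stand-in for IUSR_<machine>; in production, create the user FOR LOGIN instead.
CREATE USER iusr_demo WITHOUT LOGIN;
CREATE ROLE web_app;
ALTER ROLE web_app ADD MEMBER iusr_demo;

-- Weak setup from the question, shown for contrast only:
-- ALTER ROLE db_owner ADD MEMBER iusr_demo;

-- Least privilege: EXECUTE on the procedure, no permission on the table.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrdersForCustomer TO web_app;
GO
-- Check the result from the web account's point of view.
EXECUTE AS USER = 'iusr_demo';
-- Works: the procedure and the table share an owner (ownership chaining).
EXEC dbo.usp_GetOrdersForCustomer @CustomerId = 10;
-- Reports whether the account could read the table directly or acts as dbo.
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_select_table,
       IS_ROLEMEMBER('db_owner')                           AS is_db_owner;
REVERT;
GO
-- Audit: list every explicit permission the role holds.
SELECT pr.name, pe.state_desc, pe.permission_name,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'web_app';
```

Run it against a scratch instance; the audit query at the end is the same check to repeat against a real database to confirm the web account holds only EXECUTE grants.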
