


Most Under-Used Security Feature in DNN

IMHO there is a security feature in DNN that is not used nearly enough, and it is really easy to implement: the upgradeConnectionString. It was added way back in version 2.x (2.0.12, I think) and is still not used by most installations. It lets you run DNN at runtime under a lower-privilege database account, while a separate account named in upgradeConnectionString is used for all installation and upgrade DB work (creating and altering tables, procedures and so on). Below are instructions for implementing it.

------------------

1) Create 2 users in the database with the following role memberships.

    a) PortalUser

       -- public

    b) PortalAdmin

       -- public
       -- db_securityadmin
       -- db_ddladmin
       -- db_datareader
       -- db_datawriter


2) Use PortalUser in the SiteSqlServer connection string. In DNN3 this is the <SiteSqlServer> key under <appSettings>; in DNN4 it is set in both <appSettings> and <connectionStrings>, and the two must match.

3) Use PortalAdmin in the upgradeConnectionString setting of the SqlDataProvider entry in web.config, the same place the database owner and objectQualifier are set.

------------------
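The database side of the three steps above as one T-SQL script. This is an added example, not code from the original post or from DNN; it assumes SQL Server 2005 or later, SQL authentication logins, and a database named DotNetNuke (all three are assumptions; substitute your own names and real passwords). The final query is the check a DBA would run to confirm PortalUser holds nothing beyond public.

```sql
-- Added example (not from the DNN project). Assumed names: database
-- [DotNetNuke], logins/users [PortalUser] and [PortalAdmin]; the password
-- placeholders must be replaced with real strong passwords.
USE [master];
GO
CREATE LOGIN [PortalUser]  WITH PASSWORD = N'<strong password>', CHECK_POLICY = ON;
CREATE LOGIN [PortalAdmin] WITH PASSWORD = N'<strong password>', CHECK_POLICY = ON;
GO

USE [DotNetNuke];
GO
-- Runtime account (SiteSqlServer): every database user is implicitly a
-- member of public, so no role is added. It gets its EXECUTE rights only
-- through the grants the installer makes to public.
CREATE USER [PortalUser] FOR LOGIN [PortalUser];

-- Install/upgrade account (upgradeConnectionString): may create and alter
-- objects (db_ddladmin), read and write data, and grant permissions
-- (db_securityadmin, needed so the installer can GRANT to public).
-- Deliberately NOT db_owner.
CREATE USER [PortalAdmin] FOR LOGIN [PortalAdmin];
EXEC sp_addrolemember N'db_securityadmin', N'PortalAdmin';
EXEC sp_addrolemember N'db_ddladmin',      N'PortalAdmin';
EXEC sp_addrolemember N'db_datareader',    N'PortalAdmin';
EXEC sp_addrolemember N'db_datawriter',    N'PortalAdmin';
GO

-- Check: list fixed-role memberships for both users. PortalUser should
-- come back with role_name NULL (public only); PortalAdmin with the four
-- roles above.
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_principals dp
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals r      ON r.principal_id = rm.role_principal_id
WHERE dp.name IN (N'PortalUser', N'PortalAdmin')
ORDER BY dp.name, r.name;
```

Note that PortalAdmin is not a low-privilege account: db_ddladmin can alter any object in the database and db_securityadmin can grant permissions on it. The gain is that this account is never used by the running site, only by the install and upgrade steps, so the connection string a compromised web process or an injected query runs under is PortalUser's.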

That is all there is to using this security feature. PortalUser will only be able to execute stored procedures (3.2.2 and earlier, 4.0.3 and earlier) or stored procedures and user-defined functions (3.3.3+ and 4.3.3+), with no direct table access, so a SQL injection flaw in a module cannot read or modify tables directly (it can still call any stored procedure the database contains). PortalAdmin has all the permissions PortalUser would have needed if upgradeConnectionString were not used, and it is only used during the install process (including module installs). As the final part of installation, if upgradeConnectionString is set, the installer makes sure public has EXECUTE on every stored procedure and EXECUTE or SELECT on each user-defined function depending on its type (scalar or table-valued).

By implementing the above security feature you will make your DB Admins and Security Group extremely happy. I know that when we used DNN before upgradeConnectionString was implemented, we ran the install with the user having db_owner access, then changed the user's permissions back to public only and manually ran a script to grant public EXECUTE on all the Sprocs. As a matter of fact, that SQL script was used as the basis for the code the install uses to grant the appropriate permissions to public, and later also to user-defined functions :-).
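The grant step described above (what the installer does at the end of an install, and what the manual script did before that), written out as an added T-SQL example. It is not the DNN installer's code or the author's script; it assumes SQL Server 2005 or later, objects in the dbo schema and no objectQualifier (adjust the WHERE clauses otherwise). It grants EXECUTE on stored procedures and scalar functions and SELECT on table-valued functions, matching the rule in the text, and ends with the query that shows what public can now reach.

```sql
-- Added example (not the DNN installer's code). Assumptions: SQL Server
-- 2005+, all DNN objects in schema [dbo], no objectQualifier prefix.
SET NOCOUNT ON;
DECLARE @sql nvarchar(max);
SET @sql = N'';

-- Stored procedures: EXECUTE
-- (SELECT @var = @var + ... accumulates one GRANT per row.)
SELECT @sql = @sql + N'GRANT EXECUTE ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
                   + N' TO [public];' + CHAR(10)
FROM sys.objects o
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE o.type = 'P' AND s.name = N'dbo';

-- Scalar functions (type FN): EXECUTE
SELECT @sql = @sql + N'GRANT EXECUTE ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
                   + N' TO [public];' + CHAR(10)
FROM sys.objects o
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE o.type = 'FN' AND s.name = N'dbo';

-- Table-valued functions (inline IF and multi-statement TF): SELECT,
-- because they are queried with SELECT ... FROM dbo.fn(...), not executed.
SELECT @sql = @sql + N'GRANT SELECT ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
                   + N' TO [public];' + CHAR(10)
FROM sys.objects o
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE o.type IN ('IF', 'TF') AND s.name = N'dbo';

PRINT @sql;                 -- review the generated GRANTs first
EXEC sp_executesql @sql;    -- then apply them

-- Check: everything public has been granted on, object by object.
-- Expect only EXECUTE on procedures/scalar functions and SELECT on
-- table-valued functions; no table should appear in this list.
SELECT o.type_desc, o.name, p.permission_name, p.state_desc
FROM sys.database_permissions p
JOIN sys.objects o ON o.object_id = p.major_id
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'public')
ORDER BY o.type_desc, o.name;
```

One caveat: a grant to public reaches every user in the database, not just PortalUser. That matches what the installer does and is fine when the database is dedicated to DNN; if other applications or users share the database, grant to a role that contains PortalUser instead of to public.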

I am in the process of upgrading the installation documentation to reflect the use of the upgradeConnectionString to make DNN more secure, but until that is completed you can use this blog to help you implement this feature.
