Introduction
About 2 years ago DNN released a module called Security Analyzer (hosted on GitHub: https://github.com/DNNCommunity/SecurityAnalyzer ). This module helps users detect some security issues in their sites and work on tightening the security of their site(s). One of these checks is done against the permissions given to the SQL Server user specified in the connection string. In many sites, the super user sees an error/warning similar to this image:
To fix this error, the permissions of the user in the connection string must be limited, and here is how to do it.
Step 1
Open SQL Server Management Studio, connect to your SQL Server instance, expand the security tab, right-click on login, and click “New Login …”.
Step 2
Create a new login (choose any login name and password you like for this login) and assign only the “public” role in the “Server Roles” tab as in the following image, then click the OK button.
Step 3
Navigate to your DNN database under the Databases node, expand it, right click on the Security node, and click “New > User …” as shown.
Step 4
In the dialog that appears, add the user name and login name as shown:
(Note: I’m using the same name for both, but remember that these names can be different.)
Step 5
Select the membership node on the left and make sure “db_user” is the only selected checkbox (as shown), then click the OK button.
Note: No schema ownership setting is needed.
Step 6
Open your site’s “web.config” file and modify the connection string to use the new user and password entered in the previous steps. Here is a sample of what my test site looked like.
Step 7
Now, go back and visit the Security Analyzer page and make sure the SQL security risk warning has disappeared. You should see something similar to this message image.
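To cross-check the result of Steps 1 to 5 from the database side, the following T-SQL lists what the login from the connection string actually holds. It is an added example, not part of the original post or of the Security Analyzer module; the login name `dnn_app` and database name `DnnDb` are placeholders, and it should be run by an administrator, not by the restricted login itself.

```sql
-- Added example: audit the login used in the DNN connection string.
-- Assumptions: [DnnDb] and 'dnn_app' are placeholder names; replace
-- them with your own database and the login created in Step 2.
USE [DnnDb];
GO

DECLARE @login sysname = N'dnn_app';

-- 1) Server-level roles. Membership in "public" is implicit and is not
--    stored in sys.server_role_members, so an empty result here means
--    the login holds "public" only (the goal of Step 2).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = @login;

-- 2) Quick flag for the highest-risk server role.
--    Returns 1 if the login is a sysadmin, 0 if not, NULL if unknown.
SELECT IS_SRVROLEMEMBER(N'sysadmin', @login) AS is_sysadmin;

-- 3) Database user mapped to the login (Step 4) and every database
--    role it belongs to (Step 5). The user is matched by SID, so it is
--    found even when the user name differs from the login name.
--    A NULL database_role means no explicit role membership.
SELECT u.name AS database_user, r.name AS database_role
FROM sys.database_principals AS u
JOIN sys.server_principals AS l ON l.sid = u.sid
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE l.name = @login;

-- 4) Schemas owned by that user. The steps above assign no schema
--    ownership, so this should return no rows.
SELECT s.name AS owned_schema
FROM sys.schemas AS s
JOIN sys.database_principals AS u ON u.principal_id = s.principal_id
JOIN sys.server_principals AS l ON l.sid = u.sid
WHERE l.name = @login;
```

Any row in the first result set, a 1 in the second, or a role in the third that you did not select in Step 5 means the login still has more access than the steps above intend.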
Hopefully this will help you tighten your web site’s security.