Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

SQL Security - SQL Connection String DSN? SQL Module removed in Production Site?
New Post
6/16/2010 2:31 PM
 
Hello all,

We are building a DNN three stage environment: DEV - STAGE - PROD.

Background: DNN Admin with little .NET programming
Server 2008
SQL 2008
DNN 5.4.2

(I have searched all over and may have missed a thread for both of these questions/concerns so point me to the correct direction or answer directly)

Concern 1: Our SQL DBA's concern is security with a developer (a contractor, myself and future workers) knowing the UID/PID of the Production DNN SQL Server (stored in web.config of course). Typically in other environments, the DBA would set up a DSN on the production server with UID/PID so the developer would not have to know them, decreasing their liability.

Question 1: HOW do you set up the Connection String in web.config to connect to SQL via a DSN?
It may be simple but I failed to find it being set up other than using the SQL client object.

Concern 2: The next concern is allowing the HOST in Production access to the SQL module. Here his main concern is if it is running as DBO then a less-than-knowledgeable Site Host (contractor with access) could really jack up the Production SQL Server.

Question 2: WHAT is the best way of eliminating the SQL module/capabilities from the DNN Production instance?
Delete the page? Manually delete the module?
The module will still be available if the page is deleted. Understood. Is there a clean way to uninstall the capability? the Module?

Any advice is welcomed. If I need to explain further, please let me know.

Thanks!

Mike
 
New Post
6/16/2010 4:12 PM
 
Q1: The only option to hide database credentials is using integrated security. However, there should be a dedicated user for DNN only, which has permission to the DNN database only (and anyone with host access can perform any action from inside Host :: SQL anyway).

Q2: A superuser is someone with advanced privileges. If you have a less-than-knowledgeable contractor, he should not get more than admin access (and no file access as well). A host can always install any module which regains him the same con-/destructive opportunities.

Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
New Post
6/17/2010 10:56 AM
 
Sebastian,

Thanks for the reply. In response to your answers:

Q1: To help me understand and clarify your statement, I need to:
  • check the integrated security check box on install
  • make sure that there is a Windows Account (AD account) that has access to the database VERSUS a SQL-based account... i.e. a system account that the DBA is accountable for which "hides" the password from us contract developers
Q2: Other than deleting the Host::SQL page to give a "sense" of security, the Superuser/Host account can essentially install another module that does the same thing as you said... basically requiring a personnel policy for our DNN webmasters to BE CAREFUL and ONLY use the Host account when needed (i.e. install Host-level Extensions, portal creation, lists, DNN update).

Thanks again for the quick and helpful response!

Mike
 
New Post
6/17/2010 7:51 PM
 
Mike,

Q1 depends on the OS version and IIS configuration. "Integrated security" means the Windows account of the ASP.NET process running the processes in your application pool is also used for accessing the database (e.g. "Network Service" in English versions of Windows Server 2003/2008). This might be an ordinary Windows account as well.

Q2: Yes - host should be used only for system/extension installation and system configuration as well as portal creation / deletion etc. Anyone with host access / file access to the installation has the ability to take full control of your website (and maybe beyond).

Cheers from Germany,
Sebastian Leupold
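
Added example (not part of the thread, and not code from any poster or from DNN): a small Python audit for the Q1 point above, reporting whether each connection string in a web.config uses integrated security or still stores a SQL login and password. The sample web.config, server and account names are constructed, and checking both `connectionStrings` and an `appSettings` copy named `SiteSqlServer` is an assumption about the DNN 5.x file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample (made-up names): the legacy appSettings copy still holds a SQL login.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="SiteSqlServer" connectionString="Server=SQL01;Database=DNN;Integrated Security=True;" />
  </connectionStrings>
  <appSettings>
    <add key="SiteSqlServer" value="Server=SQL01;Database=DNN;uid=dnn_app;pwd=EXAMPLE-ONLY;" />
    <add key="ExampleSetting" value="demo" />
  </appSettings>
</configuration>"""

SECRET_KEYS = {"password", "pwd"}
TRUSTED_KEYS = {"integrated security", "trusted_connection"}
TRUSTED_VALUES = {"true", "yes", "sspi"}
SERVER_KEYS = {"server", "data source"}

def parse_conn_str(cs):
    """Split 'key=value;...' into a dict, keys lower-cased (quoted ';' not handled)."""
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def classify(cs):
    """Return 'embedded-credentials', 'integrated' or 'unknown'.
    A password stored in the file is a finding even if integrated security is also set."""
    kv = parse_conn_str(cs)
    if SECRET_KEYS & kv.keys():
        return "embedded-credentials"
    if any(kv.get(k, "").lower() in TRUSTED_VALUES for k in TRUSTED_KEYS):
        return "integrated"
    return "unknown"

def audit(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    for section, id_attr, val_attr in (("connectionStrings", "name", "connectionString"),
                                       ("appSettings", "key", "value")):
        for node in root.findall(f"./{section}/add"):
            value = node.get(val_attr, "")
            if SERVER_KEYS & parse_conn_str(value).keys():  # skip ordinary settings
                findings.append((section, node.get(id_attr), classify(value)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_CONFIG))
```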
