Downsides of "Integrated Security"?
New Post
3/3/2010 5:03 AM
 

Hi,

On my production box (V-Server w/SQL Server Express) I am using a SQL Server account (and a cleartext password in web.config) for SQL connections. On my dev box, I found it more convenient to add "Network Service" as an owner of the DotNetNuke database.

If I did the same on the production server, then I could turn off SQL Server authentication mode. I am hesitating, because I think I read that it is not such a good idea to give "Network Service" access to your SQL servers. On the other hand, the SQL Server on the production box is being used by the DNN database exclusively.

One disadvantage I see with turning off SQL Server authentication mode is that I am not sure how to connect to the production box with SQL Server Management Studio, since dev box and production box are not in the same domain (dev is Windows 7 and connecting via DSL to the Windows 2003 VServer hosted by a provider).

Can someone hint on the proper way to do this? TIA for any hints, Regards
Tim

 
New Post
3/3/2010 9:44 AM
 

The advantage to using Windows Integrated authentication is the ability to manage users and access through the same mechanisms you manage network users, add users to groups for access, etc.  In your case, there really is no advantage, and the disadvantage is that dealing with local accounts adds another layer of management you don't have any reason to need.

Jeff

 
New Post
3/3/2010 10:23 AM
 

From a security perspective, I highly recommend using integrated security for your production websites.  Each application pool can and should have a separate account with access locked down to just the database needed to service that application.  This helps isolate the websites and makes hacking into each one more difficult.

If you need remote db access then using SQL logins is still a possibility.  Just because the website is using integrated security does not mean you have to use integrated security as well.

Ultimately, being secure always requires more work to set up and maintain; however, if you care at all about not losing control of your website or your data, then you'll take reasonable security precautions, which vary from website to website and business to business.  Obviously, the security around Amazon.com is much different than the security I employ on my local blog.  Regardless, there is a minimal level that should be assumed for any public facing website, and that includes not using cleartext passwords in web.config.


Joe Brinkman
DNN Corp.
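
An added example, not part of any post in this thread: a small Python check that reads a web.config and reports whether each SQL Server connection string carries a cleartext password or uses integrated security. The two web.config fragments, the login name and the password are constructed samples; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the thread): the same entry with a SQL login and
# cleartext password, and with Windows integrated security.
WEAK = """<configuration><connectionStrings>
  <add name="SiteSqlServer"
       connectionString="Data Source=.\\SQLExpress;Initial Catalog=DotNetNuke;User ID=dnnuser;Password=Example-Only-1" />
</connectionStrings></configuration>"""
FIXED = """<configuration><connectionStrings>
  <add name="SiteSqlServer"
       connectionString="Data Source=.\\SQLExpress;Initial Catalog=DotNetNuke;Integrated Security=True" />
</connectionStrings></configuration>"""

PASSWORD_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
TRUE_VALUES = {"true", "yes", "sspi"}
SERVER_KEYS = {"data source", "server"}  # most common spellings only


def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict (naive: ignores quoted ';')."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_web_config(xml_text):
    """Return (entry name, finding) for every SQL Server connection string."""
    findings = []
    # connectionStrings entries use name/connectionString; appSettings use key/value.
    for node in ET.fromstring(xml_text).iter("add"):
        name = node.get("name") or node.get("key")
        value = node.get("connectionString") or node.get("value") or ""
        pairs = parse_connection_string(value)
        if not (SERVER_KEYS & pairs.keys()):
            continue  # not a SQL Server connection string
        if PASSWORD_KEYS & pairs.keys():
            findings.append((name, "cleartext-password"))
        elif any(pairs.get(k, "").lower() in TRUE_VALUES for k in INTEGRATED_KEYS):
            findings.append((name, "integrated-security"))
        else:
            findings.append((name, "no-credentials-specified"))
    return findings


if __name__ == "__main__":
    print(audit_web_config(WEAK))
    print(audit_web_config(FIXED))
```
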
 
New Post
3/4/2010 12:36 PM
 

Thank you, Jeff + Joe! What I will do is switch to Windows authentication so I can remove the ugly password from web.config and authorize "Network Service" to own the DNN DB. But I will stay with mixed authentication mode so I can still connect to the SQL Server with the "sa" account (and a really hard to guess password), just because I am lazy and yes, my site is (unfortunately) not amazon.com.

Best Regards
Tim
