I am learning ASP.NET MVC 3 from many sources on the internet. I am worried about whether my settings, based on that mixed information, contain unnecessary things leading to security risks.
In this topic, I need your suggestions or comments pertaining to my settings explained below. I will assign a number to each step to make it easier to reference in your comment or suggestion.
STEP 1: Enabling IIS

STEP 2: Installing .NET 4
No image 🙂
STEP 3: Installing SQL-Server 2008R2
No image 🙂
STEP 4: Installing Visual Studio 2010
No image 🙂
STEP 5: Make a project, e.g., NerdDinner
I put my project file (including NerdDinner.mdb) under C:\
NerdDinner.mdb is already populated with dummy data.

STEP 6: Configuring Global Application Pool

STEP 7: Make Virtual Directory using Visual Studio 2010

Shown in IIS Manager, NerdDinner is an application under the default web site.

STEP 8: Configuring Application Pool for NerdDinner web app

STEP 9: Attaching and Configuring NerdDinner.mdb using Sql-Server Management Studio

STEP 10: Configuring Connection String
<add name="NerdDinnerEntities"
     connectionString="metadata=res://*/Models.NerdDinner.csdl|res://*/Models.NerdDinner.ssdl|res://*/Models.NerdDinner.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=.\sqlexpress;Initial Catalog=NerdDinner;Integrated Security=True;MultipleActiveResultSets=True&quot;"
     providerName="System.Data.EntityClient" />
Testing
Everything works well, but I am not sure whether or not these steps contain security issues.
This is more of a production environment tip, but you should practice it on your development machine as well.
IIS7.x by default will create a separate application pool for your website named after the name you give the website.
Instead of running the application pool and the site/application under NETWORK SERVICE, run both the site and the pool as ApplicationPoolIdentity. In the website or application features pane, open the Authentication feature, select Anonymous Authentication, right-click and choose Edit:
Next, ensure your website is running in its own application pool. Sub applications may benefit from their own application pool, but we tend to put them in the same pool as the parent site unless there is a need for a different runtime configuration such as a different version of ASP.NET or Pipeline mode.
When you have configured this grant the requisite permissions to the pool identity on your web folders by doing:
ICACLS c:\dynamic\NerdDinner\NerdDinner /grant "IIS AppPool\site1":(CI)(OI)(M)
Or you can apply these permissions via Explorer:

Click Check Names, then OK.

In SQL Server the same thing applies: instead of giving permissions on your database to NETWORK SERVICE, give permissions to the ApplicationPoolIdentity instead. As with NETWORK SERVICE, this will only work if the SQL database is on the same machine as the web server, i.e. if you're running a standalone server. For example:

In the dialogue shown above, don't search and Check Names, because this will replace the IIS AppPool\ portion of the username with your machine name. When you click OK, SQL will complain that it can't locate [MACHINENAME]\NerdDinner. Next, add the login to the NerdDinner database:

I'm setting it as DB Owner here, but you can choose the role you see fit for your needs. If this is your development machine then DBO will be fine, because you can then do DDL from within Visual Studio. Most shared-host production environments will make the first login (which is usually all you get) DBO anyway, because many apps such as DotNetNuke etc. need full control over their databases.
The connection string you’ve provided in your example should work as-is without any changes.
For more information on this topic:
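The steps the question lays out (STEP 6 to STEP 10) and the hardening the answer recommends can be scripted rather than clicked through, which also sidesteps the Check Names problem the answer warns about, because T-SQL takes the `IIS AppPool\` name literally. The script below is an added example written for this page; it is not code from the question, the answer, or the NerdDinner project. It assumes an elevated PowerShell prompt on the web server, the WebAdministration module (IIS 7.5 / Windows Server 2008 R2 or later), `sqlcmd` on the path, that the account running it is a sysadmin on the SQL instance, and the following hypothetical names: site `Default Web Site`, application and pool `NerdDinner`, content folder `C:\NerdDinner`, instance `.\sqlexpress`, database `NerdDinner`.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the IIS box. All names below are assumptions for illustration.
$Site    = 'Default Web Site'
$App     = 'NerdDinner'
$Pool    = 'NerdDinner'
$Folder  = 'C:\NerdDinner'
$SqlInst = '.\sqlexpress'       # matches Data Source in the connection string
$Db      = 'NerdDinner'
$PoolSid = "IIS AppPool\$Pool"  # virtual account IIS creates for the pool

Import-Module WebAdministration

# 1. A dedicated pool for the app, running as ApplicationPoolIdentity rather
#    than NETWORK SERVICE, on the .NET 4 runtime the MVC 3 app needs.
if (-not (Test-Path "IIS:\AppPools\$Pool")) { New-WebAppPool -Name $Pool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel.identityType -Value ApplicationPoolIdentity
Set-ItemProperty "IIS:\AppPools\$Pool" -Name managedRuntimeVersion -Value 'v4.0'

# 2. Bind the application under the site to that pool.
Set-ItemProperty "IIS:\Sites\$Site\$App" -Name applicationPool -Value $Pool

# 3. Anonymous requests run as the pool identity: an empty userName on the
#    anonymousAuthentication section is what the "Edit" dialogue sets.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$App" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 4. File-system rights for the pool identity. This is tighter than the
#    answer's (M) on the whole tree: read/execute on the code, modify only
#    on App_Data, which is the one folder an MVC app normally writes to.
& icacls $Folder /grant "${PoolSid}:(OI)(CI)RX"
$appData = Join-Path $Folder 'App_Data'
if (Test-Path $appData) { & icacls $appData /grant "${PoolSid}:(OI)(CI)M" }

# 5. SQL Server login and database user for the same identity. Written in
#    T-SQL so nothing rewrites "IIS AppPool\" to the machine name.
#    sp_addrolemember is used because the page targets SQL Server 2008 R2
#    (ALTER ROLE ... ADD MEMBER only exists from 2012).
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$PoolSid')
    CREATE LOGIN [$PoolSid] FROM WINDOWS;
USE [$Db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$PoolSid')
    CREATE USER [$PoolSid] FOR LOGIN [$PoolSid];
-- Least privilege for a CRUD app. Swap for db_owner only on a dev box where
-- you need DDL from Visual Studio, as the answer describes.
EXEC sp_addrolemember N'db_datareader', N'$PoolSid';
EXEC sp_addrolemember N'db_datawriter', N'$PoolSid';
"@
$sqlFile = Join-Path $env:TEMP 'grant-apppool.sql'
Set-Content -Path $sqlFile -Value $tsql -Encoding ASCII
& sqlcmd -S $SqlInst -E -b -i $sqlFile     # -b: non-zero exit on any T-SQL error
Remove-Item $sqlFile

# 6. Verify what was applied before trusting it.
(Get-ItemProperty "IIS:\AppPools\$Pool" -Name processModel).identityType   # ApplicationPoolIdentity
& icacls $Folder | Select-String -SimpleMatch $PoolSid
& sqlcmd -S $SqlInst -E -Q "SELECT name FROM sys.server_principals WHERE name = N'$PoolSid'"
```

Two caveats a practitioner would check. First, as the answer notes, `IIS AppPool\<name>` is a local virtual account, so granting it a SQL login only works while SQL Server runs on the same machine; with a remote SQL Server you would instead grant `DOMAIN\WEBSERVER$` (the computer account, which is how the virtual account appears on the network) or switch to a domain service account for the pool. Second, the connection string in STEP 10 uses `Integrated Security=True`, so the identity that reaches SQL Server is whatever the pool runs as; if the verification in step 6 shows a different identity, the login you just created is not the one being used.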