I use C# Asp.net and SQl 2008 R2
I’m pretty new to DB so I need some guide line.
I create a User A with Role/Permission Administrator to create my DB using MS Management Studio.
Now I need to set-up my website to READ/UPDATE/DELETE Rows in my Tables, this user will be pointed in the Connection String.
My questions:
in the connection String shall I user A (Role Admin)?
or should I crete a new User and giving role Data Reader and Data write?
I need my code able work with the content of my table but do not modifying the schema.
Please let me know. Many Thanks
You should create a new user that has the minimum permissions possible.
This way, if anyone takes over the website, they are limited to doing only what this user can do and can’t do the other things the admin user can.
If you use the admin user, there is a risk that a malicious user will be able to change the schema (or even drop the database) using SQL injection or other techniques to inject their code into your server.
Additionally, if you have any code that would change the schema, which might be called (perhaps as an oversight or coding error), the damage is limited to what the low privileged user can do.
This is part of defense in depth.