RE: CF Server / IIS / SQL Server

2002-02-21 Thread Bill Grover

Unfortunately there's no "one size fits all" answer.  The books that were
suggested should help you understand how Microsoft's security works.

Your admin people probably install software using their admin accounts for
the same reason we do here.  We do not allow users rights to install
software to their computers.  There are several reasons for doing this.
First we have to support the computers.  If a user can install whatever they
want whenever they want there is no telling what system, or work related,
files they would corrupt.  Then trying to diagnose the problem becomes
impossible.  You know the first thing that they will bring in is that virus
ridden screen saver!  Also if a user installs a piece of software, even if
they use it for work, we become responsible to ensure that the data is
backed up.  We do not back up local drives and configure all of our software
to save files to network drives.  If the software is not configured this way
and their computer crashes we have just lost data.  Finally there is the
whole issue of licensing.  If you bring software in how do we know you are
not violating the license of the software.  If it is critical to your job to
use the software then we will provide it, and ensure the proper
licensing/number of copies are purchased.

Having said that we configured our network as follows, and I'm sure it's not
perfect but it works for us.

IIS, CF and SQL all have their own domain users.  These users are assigned
rights to access just what is needed.

On a workstation basis we avoid creating ODBC connections like the plague.
We have some where it was unavoidable, but since 99% of all database access
is to SQL Server we create connection strings in real-time based on INI
files.  This allows us to move applications between development, test and
production without changes.  Where we do use ODBC connections is with CF.
In this case we use CF's administrator page to create the ODBC connection
and we have a single point of maintenance.

For database permissions we create specific SQL users that have access to
what is needed on the server.  In general we create a SQL user per system.
If this user needs access to a database other than the one for the system it
was created for we grant them rights into the other databases.

Also, as far as rights go, whether it is domain rights or SQL Server rights
everything is done with groups.  If a single user needs access to something
they are either added to a group that already has the right or we create a
new group and give the group the right.  We have found the following to be
true, that "if one person needs the right the 2nd person will be down
tomorrow for the same right".

Hope this helps.

__ 

Bill Grover 
Supervisor MIS            Phone:  301.424.3300 x3324
EU Services, Inc.         FAX:    301.424.3696
649 North Horners Lane    E-Mail: [EMAIL PROTECTED]
Rockville, MD 20850-1299  WWW:    http://www.euservices.com
__ 



> -Original Message-
> From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 20, 2002 10:48 AM
> To: CF-Talk
> Subject: CF Server / IIS / SQL Server
> 
> 
> Hello,
> 
> Ok, let me start by saying this is going to be a long email (my
> apologies)...
> I am at my wits end here with the admins on campus who can't seem to figure
> anything out.
>
> In terms of accounts and services, what is the best way to setup IIS, SQL
> 2K, and CF 5.0. I am
> a novice when it comes to installing this stuff, however I am trying to
> assist the admins here on campus.
> Basically, the admins on campus are in a group on the NT domain called
> "admins" or something to that nature.
> One server has IIS and CF on it, and the other server has SQL 2K only. The
> admins install stuff using their domain
> admin accounts... is this a good idea.. shouldn't all software be installed
> using a local system account?
>
> Another issue they (now trickling down to web guys) have is ODBC
> connections and setting them up. What is the best account to use
> for this and what kind of permissions does that account need? We have tried
> setting up ODBCs using all kinds of logins and passwords,
> but instead of guessing I want to know why and how this all works.
>
> Once IIS and CF are installed using the right accounts (which I don't
> believe they are now) and once SQL server is up and running under the right
> account
> what is the best practice for database permissions in terms CF and SQL:
> specifying a new user and pass for each database that people will be using
> in CF Apps?
>
> Man I am just at a loss here trying to figure this stuff out.. Any links,
> books, online trainings.. anything would be much appreciated. In addition,
> if anyone can respond to get me started in learning this stuff so I can try
> and get this all straightened
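
The INI-driven connection strings described in the reply above, combined with the "trusted connections, never sa" advice given elsewhere in this thread, as an added example that is not code from any of the posters. The INI layout, section names, server names and key names (`server`, `database`, `trusted`, `uid`, `pwd`) are assumptions; the connection-string keywords are the standard ones for the SQL Server ODBC driver.

```python
import configparser

# Constructed sample INI (not from the thread): one section per environment.
SAMPLE_INI = """\
[production]
server = PRODSQL01
database = Orders
trusted = yes

[reporting]
server = PRODSQL01
database = Reports
trusted = no
uid = reports_app
pwd = example-only

[legacy]
server = OLDSQL01
database = Orders
trusted = no
uid = sa
pwd = example-only
"""

FORBIDDEN_LOGINS = {"sa"}   # the application never connects as sa
UNSAFE_CHARS = set(";{}=")  # would let a value smuggle in extra keywords


class PolicyError(ValueError):
    """The section would produce a connection this policy refuses to build."""


def _clean(cfg, key):
    """Return a required value, rejecting blanks and metacharacters."""
    value = cfg.get(key, "").strip()
    if not value:
        raise PolicyError(f"missing '{key}'")
    if UNSAFE_CHARS & set(value):
        raise PolicyError(f"'{key}' contains connection-string metacharacters")
    return value


def build_connection_string(ini_text, environment):
    """Return an ODBC connection string for one environment section."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    if not parser.has_section(environment):
        raise PolicyError(f"no [{environment}] section")
    cfg = parser[environment]
    parts = ["Driver={SQL Server}",
             f"Server={_clean(cfg, 'server')}",
             f"Database={_clean(cfg, 'database')}"]
    if cfg.getboolean("trusted", fallback=False):
        # Trusted connection: the service account's Windows identity is used,
        # so stored credentials in the same section are a mistake.
        if "uid" in cfg or "pwd" in cfg:
            raise PolicyError("trusted connection must not carry uid/pwd")
        parts.append("Trusted_Connection=yes")
    else:
        # SQL login: one per system, and never the sa account.
        uid = _clean(cfg, "uid")
        if uid.lower() in FORBIDDEN_LOGINS:
            raise PolicyError(f"login '{uid}' is not allowed for applications")
        parts += [f"UID={uid}", f"PWD={_clean(cfg, 'pwd')}"]
    return ";".join(parts) + ";"


def audit(ini_text):
    """Map every section name to 'ok' or the reason it was rejected."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    report = {}
    for name in parser.sections():
        try:
            build_connection_string(ini_text, name)
            report[name] = "ok"
        except PolicyError as exc:
            report[name] = str(exc)
    return report
```

Running `audit(SAMPLE_INI)` accepts the `production` and `reporting` sections and rejects `legacy` because it logs in as `sa`.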

RE: CF Server / IIS / SQL Server

2002-02-20 Thread Mark A. Kruger - CFG

Mike

Well - there are a host of books out there on Win2k or NT administration.
Most of them are pretty good.  Unless you want to be an expert on the topic
(an MCSE for example) you really just need a reference - Minasi's book is a
great comprehensive text and he knows a lot about the nuances of MS products -
so he may be all you need.  And at 1500 pages I'm guessing it will be quite
enough to get through in one spring break - in between bears and broa...
uh women .

-mk

Mark A. Kruger, MCSE, CFG
www.cfwebtools.com
..no more brochures!



-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 9:01 AM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


Thanks Mark.

I am looking into getting some books to help me better understand this
administration stuff.
Should make for some good reading over spring break. Do you recommend any
other books?

Thanks,

Mike


-Original Message-
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 1:52 PM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


There is no such thing as the "server" domain - even though the login screen
leads you to believe there is - there is only a "domain" and a "local
account" (not the same as the local "system" account).  If you use a local
account, you will need to share permissions from one stand alone server to
another - which is adding rather than removing complexity.  The idea behind
a domain account is to simplify the process.  Create an account and carefully
assign the resources you want it to have - then use it where you need to.
If you end up with too many users, you can create groups instead - also
useful.  But it appears a single user would suffice for what you have in
mind.

Mark

P.S. - I suggest the book "Mastering Windows 2000 Server - Mark Minasi" -
it's readable and may help you sort this out.



-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 8:21 AM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


When you say create an account on the domain, do you mean the server domain,
or our entire network domain?

-Original Message-
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 1:24 PM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


A lot depends on what you are trying to do.  How restrictive are your
security policies, how tightly do you want to lock down the server etc.  If
you want a "simple" approach, create a domain account with very specific
permissions on the web server (make sure to "deny" anything you don't want
exposed), and very specific permissions on the database server - then use it
as the service account for CF and IIS - and use trusted connections for your
ODBC connections.  That IS the convenience of it - one account controlling
all access. But be very sure that you know what you intend and do NOT intend
to expose as resources for that user. And don't give it admin rights or sa
rights.  If it needs dbo permissions, give it dbo rights on the individual
databases rather than blanket SA rights.

As far as installing to the local system account - that's ok IF you realize
that CF will have access to any local resource (and you can't deny the local
system account)... so as long as that is what you intend - fine.  You would
then need to implement "standard" SQL security - adding complexity - but not
too much.

Mark

-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 7:48 AM
To: CF-Talk
Subject: CF Server / IIS / SQL Server


Hello,

Ok, let me start by saying this is going to be a long email (my
apologies)...
I am at my wits end here with the admins on campus who can't seem to figure
anything out.

In terms of accounts and services, what is the best way to setup IIS, SQL
2K, and CF 5.0. I am
a novice when it comes to installing this stuff, however I am trying to
assist the admins here on campus.
Basically, the admins on campus are in a group on the NT domain called
"admins" or something to that nature.
One server has IIS and CF on it, and the other server has SQL 2K only. The
admins install stuff using their domain
admin accounts... is this a good idea.. shouldn't all software be installed
using a local system account?

Another issue they (now trickling down to web guys) have is ODBC
connections and setting them up. What is the best account to use
for this and what kind of permissions does that account need? We have tried
setting up ODBCs using all kinds of logins and passwords,
but instead of guessing I want to know why and how this all works.

Once IIS and CF are installed using the right accounts (which I don't
believe they are now) and once SQL server is up and runn

RE: CF Server / IIS / SQL Server

2002-02-20 Thread Tangorre, Michael T.

Thanks Mark.

I am looking into getting some books to help me better understand this
administration stuff.
Should make for some good reading over spring break. Do you recommend any
other books?

Thanks,

Mike


-Original Message-
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 1:52 PM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


There is no such thing as the "server" domain - even though the login screen
leads you to believe there is - there is only a "domain" and a "local
account" (not the same as the local "system" account).  If you use a local
account, you will need to share permissions from one stand alone server to
another - which is adding rather than removing complexity.  The idea behind
a domain account is to simplify the process.  Create an account and carefully
assign the resources you want it to have - then use it where you need to.
If you end up with too many users, you can create groups instead - also
useful.  But it appears a single user would suffice for what you have in
mind.

Mark

P.S. - I suggest the book "Mastering Windows 2000 Server - Mark Minasi" -
it's readable and may help you sort this out.



-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 8:21 AM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


When you say create an account on the domain, do you mean the server domain,
or our entire network domain?

-Original Message-
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 1:24 PM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


A lot depends on what you are trying to do.  How restrictive are your
security policies, how tightly do you want to lock down the server etc.  If
you want a "simple" approach, create a domain account with very specific
permissions on the web server (make sure to "deny" anything you don't want
exposed), and very specific permissions on the database server - then use it
as the service account for CF and IIS - and use trusted connections for your
ODBC connections.  That IS the convenience of it - one account controlling
all access. But be very sure that you know what you intend and do NOT intend
to expose as resources for that user. And don't give it admin rights or sa
rights.  If it needs dbo permissions, give it dbo rights on the individual
databases rather than blanket SA rights.

As far as installing to the local system account - that's ok IF you realize
that CF will have access to any local resource (and you can't deny the local
system account)... so as long as that is what you intend - fine.  You would
then need to implement "standard" SQL security - adding complexity - but not
too much.

Mark

-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 7:48 AM
To: CF-Talk
Subject: CF Server / IIS / SQL Server


Hello,

Ok, let me start by saying this is going to be a long email (my
apologies)...
I am at my wits end here with the admins on campus who can't seem to figure
anything out.

In terms of accounts and services, what is the best way to setup IIS, SQL
2K, and CF 5.0. I am
a novice when it comes to installing this stuff, however I am trying to
assist the admins here on campus.
Basically, the admins on campus are in a group on the NT domain called
"admins" or something to that nature.
One server has IIS and CF on it, and the other server has SQL 2K only. The
admins install stuff using their domain
admin accounts... is this a good idea.. shouldn't all software be installed
using a local system account?

Another issue they (now trickling down to web guys) have is ODBC
connections and setting them up. What is the best account to use
for this and what kind of permissions does that account need? We have tried
setting up ODBCs using all kinds of logins and passwords,
but instead of guessing I want to know why and how this all works.

Once IIS and CF are installed using the right accounts (which I don't
believe they are now) and once SQL server is up and running under the right
account
what is the best practice for database permissions in terms CF and SQL:
specifying a new user and pass for each database that people will be using
in CF Apps?

Man I am just at a loss here trying to figure this stuff out.. Any links,
books, online trainings.. anything would be much appreciated. In addition,
if anyone can respond to get me started in learning this stuff so I can try
and get this all straightened out would be great.

Thanks,

Mike Tangorre

A.K.A. Senior AU Student Webteam Slave / mr fixit ... blah blah blah.
Gr  :-)







RE: CF Server / IIS / SQL Server

2002-02-20 Thread Mark A. Kruger - CFG

There is no such thing as the "server" domain - even though the login screen
leads you to believe there is - there is only a "domain" and a "local
account" (not the same as the local "system" account).  If you use a local
account, you will need to share permissions from one stand alone server to
another - which is adding rather than removing complexity.  The idea behind
a domain account is to simplify the process.  Create an account and carefully
assign the resources you want it to have - then use it where you need to.
If you end up with too many users, you can create groups instead - also
useful.  But it appears a single user would suffice for what you have in
mind.

Mark

P.S. - I suggest the book "Mastering Windows 2000 Server - Mark Minasi" -
it's readable and may help you sort this out.



-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 8:21 AM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


When you say create an account on the domain, do you mean the server domain,
or our entire network domain?

-Original Message-
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 1:24 PM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


A lot depends on what you are trying to do.  How restrictive are your
security policies, how tightly do you want to lock down the server etc.  If
you want a "simple" approach, create a domain account with very specific
permissions on the web server (make sure to "deny" anything you don't want
exposed), and very specific permissions on the database server - then use it
as the service account for CF and IIS - and use trusted connections for your
ODBC connections.  That IS the convenience of it - one account controlling
all access. But be very sure that you know what you intend and do NOT intend
to expose as resources for that user. And don't give it admin rights or sa
rights.  If it needs dbo permissions, give it dbo rights on the individual
databases rather than blanket SA rights.

As far as installing to the local system account - that's ok IF you realize
that CF will have access to any local resource (and you can't deny the local
system account)... so as long as that is what you intend - fine.  You would
then need to implement "standard" SQL security - adding complexity - but not
too much.

Mark

-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 7:48 AM
To: CF-Talk
Subject: CF Server / IIS / SQL Server


Hello,

Ok, let me start by saying this is going to be a long email (my
apologies)...
I am at my wits end here with the admins on campus who can't seem to figure
anything out.

In terms of accounts and services, what is the best way to setup IIS, SQL
2K, and CF 5.0. I am
a novice when it comes to installing this stuff, however I am trying to
assist the admins here on campus.
Basically, the admins on campus are in a group on the NT domain called
"admins" or something to that nature.
One server has IIS and CF on it, and the other server has SQL 2K only. The
admins install stuff using their domain
admin accounts... is this a good idea.. shouldn't all software be installed
using a local system account?

Another issue they (now trickling down to web guys) have is ODBC
connections and setting them up. What is the best account to use
for this and what kind of permissions does that account need? We have tried
setting up ODBCs using all kinds of logins and passwords,
but instead of guessing I want to know why and how this all works.

Once IIS and CF are installed using the right accounts (which I don't
believe they are now) and once SQL server is up and running under the right
account
what is the best practice for database permissions in terms CF and SQL:
specifying a new user and pass for each database that people will be using
in CF Apps?

Man I am just at a loss here trying to figure this stuff out.. Any links,
books, online trainings.. anything would be much appreciated. In addition,
if anyone can respond to get me started in learning this stuff so I can try
and get this all straightened out would be great.

Thanks,

Mike Tangorre

A.K.A. Senior AU Student Webteam Slave / mr fixit ... blah blah blah.
Gr  :-)





FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: CF Server / IIS / SQL Server

2002-02-20 Thread Tangorre, Michael T.

When you say create an account on the domain, do you mean the server domain,
or our entire network domain?

-Original Message-
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 1:24 PM
To: CF-Talk
Subject: RE: CF Server / IIS / SQL Server


A lot depends on what you are trying to do.  How restrictive are your
security policies, how tightly do you want to lock down the server etc.  If
you want a "simple" approach, create a domain account with very specific
permissions on the web server (make sure to "deny" anything you don't want
exposed), and very specific permissions on the database server - then use it
as the service account for CF and IIS - and use trusted connections for your
ODBC connections.  That IS the convenience of it - one account controlling
all access. But be very sure that you know what you intend and do NOT intend
to expose as resources for that user. And don't give it admin rights or sa
rights.  If it needs dbo permissions, give it dbo rights on the individual
databases rather than blanket SA rights.

As far as installing to the local system account - that's ok IF you realize
that CF will have access to any local resource (and you can't deny the local
system account)... so as long as that is what you intend - fine.  You would
then need to implement "standard" SQL security - adding complexity - but not
too much.

Mark

-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 7:48 AM
To: CF-Talk
Subject: CF Server / IIS / SQL Server


Hello,

Ok, let me start by saying this is going to be a long email (my
apologies)...
I am at my wits end here with the admins on campus who can't seem to figure
anything out.

In terms of accounts and services, what is the best way to setup IIS, SQL
2K, and CF 5.0. I am
a novice when it comes to installing this stuff, however I am trying to
assist the admins here on campus.
Basically, the admins on campus are in a group on the NT domain called
"admins" or something to that nature.
One server has IIS and CF on it, and the other server has SQL 2K only. The
admins install stuff using their domain
admin accounts... is this a good idea.. shouldn't all software be installed
using a local system account?

Another issue they (now trickling down to web guys) have is ODBC
connections and setting them up. What is the best account to use
for this and what kind of permissions does that account need? We have tried
setting up ODBCs using all kinds of logins and passwords,
but instead of guessing I want to know why and how this all works.

Once IIS and CF are installed using the right accounts (which I don't
believe they are now) and once SQL server is up and running under the right
account
what is the best practice for database permissions in terms CF and SQL:
specifying a new user and pass for each database that people will be using
in CF Apps?

Man I am just at a loss here trying to figure this stuff out.. Any links,
books, online trainings.. anything would be much appreciated. In addition,
if anyone can respond to get me started in learning this stuff so I can try
and get this all straightened out would be great.

Thanks,

Mike Tangorre

A.K.A. Senior AU Student Webteam Slave / mr fixit ... blah blah blah.
Gr  :-)







RE: CF Server / IIS / SQL Server

2002-02-20 Thread Mark A. Kruger - CFG

A lot depends on what you are trying to do.  How restrictive are your
security policies, how tightly do you want to lock down the server etc.  If
you want a "simple" approach, create a domain account with very specific
permissions on the web server (make sure to "deny" anything you don't want
exposed), and very specific permissions on the database server - then use it
as the service account for CF and IIS - and use trusted connections for your
ODBC connections.  That IS the convenience of it - one account controlling
all access. But be very sure that you know what you intend and do NOT intend
to expose as resources for that user. And don't give it admin rights or sa
rights.  If it needs dbo permissions, give it dbo rights on the individual
databases rather than blanket SA rights.

As far as installing to the local system account - that's ok IF you realize
that CF will have access to any local resource (and you can't deny the local
system account)... so as long as that is what you intend - fine.  You would
then need to implement "standard" SQL security - adding complexity - but not
too much.

Mark

-Original Message-
From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 7:48 AM
To: CF-Talk
Subject: CF Server / IIS / SQL Server


Hello,

Ok, let me start by saying this is going to be a long email (my
apologies)...
I am at my wits end here with the admins on campus who can't seem to figure
anything out.

In terms of accounts and services, what is the best way to setup IIS, SQL
2K, and CF 5.0. I am
a novice when it comes to installing this stuff, however I am trying to
assist the admins here on campus.
Basically, the admins on campus are in a group on the NT domain called
"admins" or something to that nature.
One server has IIS and CF on it, and the other server has SQL 2K only. The
admins install stuff using their domain
admin accounts... is this a good idea.. shouldn't all software be installed
using a local system account?

Another issue they (now trickling down to web guys) have is ODBC
connections and setting them up. What is the best account to use
for this and what kind of permissions does that account need? We have tried
setting up ODBCs using all kinds of logins and passwords,
but instead of guessing I want to know why and how this all works.

Once IIS and CF are installed using the right accounts (which I don't
believe they are now) and once SQL server is up and running under the right
account
what is the best practice for database permissions in terms CF and SQL:
specifying a new user and pass for each database that people will be using
in CF Apps?

Man I am just at a loss here trying to figure this stuff out.. Any links,
books, online trainings.. anything would be much appreciated. In addition,
if anyone can respond to get me started in learning this stuff so I can try
and get this all straightened out would be great.

Thanks,

Mike Tangorre

A.K.A. Senior AU Student Webteam Slave / mr fixit ... blah blah blah.
Gr  :-)


