Re: Password Protect My DSN
Absolutely. I'm not a security hawk and tend not to get too out of control with locking things down, but I do like to create a user with only those privileges required to execute the application functionality (and, of course, only the database or databases required by the app). I then supply that un/pwd to the CF Administrator. Like I said, it's not completely locked down and I know that, but it's enough to do what I need it to do - limit my exposure.

Whatever you do, make sure you stop using sa. That has the potential to end really badly for you. :-)

On 3/14/07, Robert Rawlins - Think Blue [EMAIL PROTECTED] wrote:

> Hello Guys,
>
> My DSN doesn't currently require a username and password, just the DSN will do. Now I've read a few 'best practices' and security type documents in the past and they've always stated that my DSN should require a username and password to keep it nice and secure.
>
> Now, my database requires a password to connect to it, and I place these into my ColdFusion admin panel; is it simply a case of leaving this setting blank in the admin panel and then passing those settings along in my query?
>
> I'm running at the moment with the 'sa' user whilst in development, which is scaring me a little. Should I be creating a special 'ColdFusion' user for SQL Server, giving specific features? On my DSN I've set the restricted query types so it can't create or drop entire tables, as the app will never have to do this.
>
> If I need to create a separate user then what's the best way of achieving this, and what settings should I be using for the user as far as their privileges are concerned?
>
> Thanks for any advice on this guys,
>
> Rob

~|
Deploy Web Applications Quickly across the enterprise with ColdFusion MX7 Flex 2
Free Trial http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJU

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272642
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: Password Protect My DSN
Also, I find putting passwords in every cfquery -- potentially then hundreds of occurrences throughout your code -- is less secure than having it appear once as in a password protected webform.

Mik

At 08:00 AM 3/14/2007, Rob Wilkerson wrote:

~|
Upgrade to Adobe ColdFusion MX7
The most significant release in over 10 years. Upgrade and see new features.
http://www.adobe.com/products/coldfusion?sdid=RVJR

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272645
RE: Password Protect My DSN
Thanks Rob, Mik,

I've now made the changes so I have a specific user for each data source with restricted access to their particular database; they only have read/write privileges too, so they are unable to do anything too naughty.

As for the query Mik, I'm running model-glue and reactor, so my password would only be stored in my XML config file; all other occurrences for my DAOs and Gateways would be referenced using #_getConfig().getDSN()# or something like that, which I feel is reasonably safe.

Rob

-----Original Message-----
From: Mik Muller [mailto:[EMAIL PROTECTED]]
Sent: 14 March 2007 13:50
To: CF-Talk
Subject: Re: Password Protect My DSN

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272648
Re: Password Protect My DSN
One of the reasons to password protect your DSN in code vs administrator is, on a shared host, the ability for someone to compromise your administrator if the host isn't diligent about it. Another reason is to not allow someone else on your virtual host to maliciously access your data source without providing credentials.

As far as locking it down, there's a lot of routes to go. If you search for security checklists by MIST, DISA, DoS etc. you'll find some Govt. type ones, probably, that will give you an idea. Obviously as said, never use the SA acct.

Another couple good ones:

- In your CF admin data source remove the ability (under advanced) to create, alter, drop, grant, and revoke (obviously as long as your application doesn't need to make table structural or permission modifications).
- In SQL Server there is a public role assigned to a lot of things. If you are using a created, authenticated user, you can typically remove this public role without any harm to your database/application.
- The user you create in SQL for ColdFusion typically only needs datareader and datawriter access to the database (again depending on the application requirements). Most times a basic app. won't need anything else.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272654
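The least-privilege SQL Server account that Rob Wilkerson and Dana describe (a dedicated login, mapped into only the application's database, with db_datareader/db_datawriter and nothing else), written out as a T-SQL script. This is an added example, not code posted in the thread. The database name [AppDb], the login [cf_appdb_login], the user [cf_appdb], the table dbo.Orders and the password placeholder are all assumed; substitute your own. One correction to Dana's third point: the public role cannot be dropped or removed from a user in SQL Server, so the script lists what has been granted to public for review instead.

```sql
-- Added example (not from the CF-Talk thread): a least-privilege SQL Server
-- login for a ColdFusion data source. Assumed names: database [AppDb],
-- login [cf_appdb_login], user [cf_appdb], table dbo.Orders.
-- Run as a sysadmin / db_owner; replace the password placeholder first.

USE [master];
GO

-- 1. A dedicated SQL login whose default database is the app database and
--    which is subject to the Windows password policy. Never point the DSN at sa.
CREATE LOGIN [cf_appdb_login]
    WITH PASSWORD = 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD',
         DEFAULT_DATABASE = [AppDb],
         CHECK_POLICY = ON;
GO

USE [AppDb];
GO

-- 2. Map the login to a user in the one database the app needs. No user is
--    created in any other database, so the login cannot reach them at all.
CREATE USER [cf_appdb] FOR LOGIN [cf_appdb_login];
GO

-- 3. Data access only: db_datareader / db_datawriter give SELECT and
--    INSERT/UPDATE/DELETE on user tables and nothing else (no DDL, no GRANT).
--    On SQL Server 2012+ the equivalent is:
--    ALTER ROLE db_datareader ADD MEMBER [cf_appdb];
EXEC sp_addrolemember 'db_datareader', 'cf_appdb';
EXEC sp_addrolemember 'db_datawriter', 'cf_appdb';
GO

-- 4. Mirror the "no create/alter/drop" restriction set in the CF Administrator
--    inside the database itself. DENY wins over any later GRANT to the user or
--    to public, so the restriction holds even if the CF setting is changed.
DENY CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, ALTER ANY SCHEMA TO [cf_appdb];
GO

-- 5. The public role cannot be removed from a user. Instead, list what has
--    been granted to public in this database and REVOKE what the app does not need.
SELECT pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = 'public';
GO

-- 6. Check the effective rights as the new user before wiring up the DSN.
--    Expected: can_select = 1, can_alter = 0, can_create_table = 0.
EXECUTE AS USER = 'cf_appdb';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')        AS can_select,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'ALTER')         AS can_alter,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE')   AS can_create_table;
REVERT;
GO
```

The DENY in step 4 and the "restricted SQL operations" checkboxes in the CF Administrator data source are independent controls; keeping both means a mistake in either one (a shared-host administrator loosening the CF setting, or a later GRANT in the database) does not on its own hand the application account the ability to change the schema. Step 6 is the check to repeat after any permission change.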
RE: Password Protect My DSN
Thanks for that Dana, it's greatly appreciated. I had set my new users to datareader and datawriter as well as removing any further access using the ColdFusion admin panel, and everything seems to be working just fine. I'll be sure to check around for those documents.

Thanks,

Rob

-----Original Message-----
From: Dana Kowalski [mailto:[EMAIL PROTECTED]]
Sent: 14 March 2007 14:15
To: CF-Talk
Subject: Re: Password Protect My DSN

~|
ColdFusion MX7 and Flex 2
Build sales and marketing dashboard RIAs for your business.
Upgrade now http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272655