SQL Server Security Best Practice

Topics: Controls
Sep 18, 2014 at 11:47 AM
Hi,
I hope an SQL Security question is well received on this forum. I'm looking at an installation of Blog Engine from an SQL DBA perspective and I need to harden the security. I'm posting here because I want to share best practices and learn about Blog Engine. I'll describe how I want to change my client's configuration and hope for screams from you all if I'm going to stomp on Blog Engine.

We have Blog Engine with web.config storing a clear text password to our SQL Server. The password has dbowner privileges to two other databases.

First, how are you all storing your connection string credentials when connecting to SQL?

Second, is anyone familiar with the bare minimum privileges the SQL login will need for Blog Engine? datareader and datawriter?

I'm probably overthinking this and should just try it.
Coordinator
Sep 18, 2014 at 4:48 PM
You can use Windows authentication if you are not comfortable having a password in the connection string. Read/write should be fine as BE does not execute any DDL commands, only standard CRUD operations.
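The setup suggested in the reply above, written out as a T-SQL script. This is an added example, not part of the original thread or of BlogEngine's own scripts. The database name `BlogEngine`, the application pool identity `IIS APPPOOL\BlogEngine`, the old SQL login `blog_sql_login` and the database `OtherDb1` are assumed placeholder names.

```sql
-- Added example. All object names below are assumptions, not from the thread.
-- Requires SQL Server 2012 or later for ALTER ROLE ... ADD/DROP MEMBER.

USE [master];
-- Windows-authenticated login: no password exists to store in web.config.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'IIS APPPOOL\BlogEngine')
    CREATE LOGIN [IIS APPPOOL\BlogEngine] FROM WINDOWS;
GO

USE [BlogEngine];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'IIS APPPOOL\BlogEngine')
    CREATE USER [IIS APPPOOL\BlogEngine] FOR LOGIN [IIS APPPOOL\BlogEngine];

-- CRUD only: read and write roles, no db_owner and no DDL rights.
ALTER ROLE db_datareader ADD MEMBER [IIS APPPOOL\BlogEngine];
ALTER ROLE db_datawriter ADD MEMBER [IIS APPPOOL\BlogEngine];
GO

-- Check: list every database role the application user holds.
-- Expected result is exactly db_datareader and db_datawriter.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'IIS APPPOOL\BlogEngine';
GO

-- Remove the old SQL login's db_owner membership in an unrelated database.
-- Repeat per database; [OtherDb1] and [blog_sql_login] are placeholders.
USE [OtherDb1];
IF IS_ROLEMEMBER(N'db_owner', N'blog_sql_login') = 1
    ALTER ROLE db_owner DROP MEMBER [blog_sql_login];
GO

-- Matching connection string for web.config (server name is a placeholder):
--   Data Source=SQLSERVER01;Initial Catalog=BlogEngine;Integrated Security=SSPI;
```

The `IIS APPPOOL\...` identity only works as written when IIS and SQL Server run on the same machine; against a remote SQL Server the application pool authenticates as the web server's machine account, so a dedicated domain service account is the usual choice there.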