I am learning ASP.NET MVC 3 from many sources on the internet. I am worried that my settings, which are based on mixed information, contain unnecessary things that lead to security risks.
In this topic, I need your suggestions or comments on my settings, explained below. I will assign a number to each step to make it easier to reference in your comment or suggestion.
STEP 1: Enabling IIS
STEP 2: Installing .NET 4
No image :-)
STEP 3: Installing SQL-Server 2008R2
No image :-)
STEP 4: Installing Visual Studio 2010
No image :-)
STEP 5: Make a project, e.g., NerdDinner
I put my project file (including NerdDinner.mdb) under C:\
NerdDinner.mdb is already populated with dummy data.
STEP 6: Configuring Global Application Pool
STEP 7: Make Virtual Directory using Visual Studio 2010
Shown in IIS Manager, NerdDinner is an application under the default web site.
STEP 8: Configuring Application Pool for NerdDinner web app
STEP 9: Attaching and Configuring NerdDinner.mdb using Sql-Server Management Studio
STEP 10: Configuring Connection String
```xml
<!-- Entity Framework connection string from Web.config. Integrated Security=True means
     SQL Server authenticates the worker process identity (the application pool identity),
     so no SQL login or password lives in this file. -->
<add name="NerdDinnerEntities"
     connectionString="metadata=res://*/Models.NerdDinner.csdl|res://*/Models.NerdDinner.ssdl|res://*/Models.NerdDinner.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=.\sqlexpress;Initial Catalog=NerdDinner;Integrated Security=True;MultipleActiveResultSets=True&quot;"
     providerName="System.Data.EntityClient" />
```
Testing
Everything works well, but I am not sure whether or not these steps contain security issues.
This is more of a production environment tip, but you should practice it on your development machine as well.
IIS7.x by default will create a separate application pool for your website named after the name you give the website.
Instead of running the application pool and the site/application under NETWORK SERVICE, run both the site and the pool as ApplicationPoolIdentity.
In the website or application features pane open the Authentication feature select Anonymous Authentication and do right-click Edit:
Next, ensure your website is running in its own application pool. Sub applications may benefit from their own application pool, but we tend to put them in the same pool as the parent site unless there is a need for a different runtime configuration such as a different version of ASP.NET or Pipeline mode.
When you have configured this grant the requisite permissions to the pool identity on your web folders by doing:
```cmd
ICACLS c:\dynamic\NerdDinner\NerdDinner /grant "IIS AppPool\site1":(CI)(OI)(M)
```
Or you can apply these permissions via explorer:
Click Check Names, then OK:
In SQL Server the same thing applies: instead of giving permissions on your database to NETWORK SERVICE, give permissions to the ApplicationPoolIdentity instead. As with NETWORK SERVICE, this will only work if the SQL database is on the same machine as the web server, i.e. if you're running a standalone server.
For example:
In the dialogue shown above, don't search and Check Names, because this will replace the IIS AppPool\ portion of the username with your machine name. When you click OK, SQL will complain that it can't locate [MACHINENAME]\NerdDinner.
Next, add the login as a user of the NerdDinner database:
I'm setting as DB Owner here but you can choose the role you see fit for your needs. If this is your development machine then DBO will be fine because you can then do DDL from within Visual Studio. Most shared host production environments will make the first login (which is usually all you get) DBO anyway because many apps such as DotNetNuke etc need full control over their databases.
The connection string you've provided in your example should work as-is without any changes.
For more information on this topic:
Application Pool Identities (IIS.NET)
New in IIS 7 - App Pool Isolation (Ken Schaefer)
I can't see anything obviously wrong here - the only things I would perhaps query are:
- Do you really need IIS 6 Metabase configuration compatibility here if, as it looks, you're building a server from scratch?
- Rather than your database user having the db_owner role, could you get away with just db_datareader/db_datawriter? (I don't know the NerdDinner database, so it could be totally correct; it's just an observation.)
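The two answers above describe the same hardening procedure (own application pool running as ApplicationPoolIdentity, anonymous authentication using the pool identity, NTFS rights for `IIS AppPool\<pool>`, and a Windows login for that identity in SQL Server with the least role that works). The following script is an added example that is not from the question or either answer; it strings those steps together for a single-box development install like the one in the question. It assumes the site is `Default Web Site`, the application and pool are both called `NerdDinner`, the project files live in `C:\NerdDinner`, the instance is `.\sqlexpress`, and the user running it is a local administrator and a SQL Server sysadmin (the default for whoever installed Express). Run it from an elevated PowerShell prompt on IIS 7.x; it uses `appcmd.exe`, `icacls` and `sqlcmd`, all of which ship with IIS/SQL Server 2008 R2.

```powershell
# Added example (not code from the question or the answers).
# Assumed names: site "Default Web Site", app/pool "NerdDinner", content C:\NerdDinner,
# instance .\sqlexpress. Adjust the variables below for your own layout.
$ErrorActionPreference = 'Stop'

$site     = 'Default Web Site'
$app      = 'NerdDinner'
$pool     = 'NerdDinner'
$path     = 'C:\NerdDinner'        # assumed folder holding the project files
$instance = '.\sqlexpress'
$poolSid  = "IIS AppPool\$pool"    # virtual account IIS creates for the pool
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. A dedicated pool for the application, running as ApplicationPoolIdentity
#    rather than NETWORK SERVICE (answer 1). Created only if it does not exist.
$existing = & $appcmd list apppool /name:$pool
if (-not $existing) { & $appcmd add apppool /name:$pool }
& $appcmd set apppool $pool `
    /processModel.identityType:ApplicationPoolIdentity `
    /managedRuntimeVersion:v4.0 `
    /managedPipelineMode:Integrated
& $appcmd set app "$site/$app" /applicationPool:$pool

# 2. Anonymous authentication as the pool identity instead of IUSR: an empty
#    userName tells IIS to use the worker-process identity.
& $appcmd set config "$site/$app" `
    /section:anonymousAuthentication /userName:"" /commit:apphost

# 3. NTFS: the ICACLS grant from answer 1 with the pool name filled in.
#    Modify (M) is needed here because the project folder also holds the data
#    file; a pure read-only deployment would only need (RX).
icacls $path /grant "${poolSid}:(OI)(CI)(M)"

# 4. SQL Server: Windows login for the pool identity, mapped to the database.
#    Answer 2's observation applied: db_datareader + db_datawriter instead of
#    db_owner. That is enough for plain EF CRUD; if you run DDL from Visual
#    Studio on this box you would additionally need db_ddladmin (or db_owner,
#    as answer 1 settles for on a dev machine).
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$poolSid')
    CREATE LOGIN [$poolSid] FROM WINDOWS WITH DEFAULT_DATABASE = [NerdDinner];
GO
USE [NerdDinner];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$poolSid')
    CREATE USER [$poolSid] FOR LOGIN [$poolSid];
EXEC sp_addrolemember N'db_datareader', N'$poolSid';
EXEC sp_addrolemember N'db_datawriter', N'$poolSid';
GO
"@
# sqlcmd -Q does not take GO batch separators, so the script goes through a file.
$tsqlFile = Join-Path $env:TEMP 'nerddinner-apppool-login.sql'
Set-Content -Path $tsqlFile -Value $tsql -Encoding ASCII
sqlcmd -S $instance -E -b -i $tsqlFile
Remove-Item $tsqlFile

# 5. Quick check: the pool identity should now be what SQL Server sees from the
#    app (matches Integrated Security=True in the question's connection string).
& $appcmd list apppool $pool /text:processModel.identityType   # ApplicationPoolIdentity
```

The login name must stay literally `IIS AppPool\NerdDinner`; it is a virtual account that does not resolve through the normal account picker, which is why answer 1 warns against Check Names in Management Studio. Because the login is Windows-authenticated, the Web.config connection string from step 10 needs no change and carries no credentials. If the database were moved to another machine, this per-machine virtual account would not exist there, and you would switch to a domain account (or, on a domain, the machine account `DOMAIN\WEBSERVER$`) for the pool instead.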