2

I think I'm going to have separate datasources for various functions. Almost all my cfqueries are select statements, so my default datasource will have everything turned off in the administrator (except for select).

But for the "Insert/Update/Delete" datasource, I'd like to see if I can minimize it's rights as well.

Whenever I'm setting up a user in Microsoft SQL Server for my ColdFusion datasource, I always go under Security, Users, New User. Under "Owned Schemas", I've gotten into the habit of checking db_owner and under "Role Members", I check db_owner.

I got it to work that way and haven't looked back. So now I'm looking back and wonder, does this give my ColdFusion datasource more rights than it needs to have? Is there another option under "Owned Schemas" and/or "Role Members" that could minimize my exposure?

Heck, I'd be ok with reducing the number of features as long as I knew what features I would be turning off. For instance, I never alter a table from ColdFusion.

Some people advise to only allow stored procedures and never allow updating tables directly from the application, but I'm not following that advice.

James A Mohler
  • 11,060
  • 15
  • 46
  • 72
Phillip Senn
  • 46,771
  • 90
  • 257
  • 373

1 Answers1

3

It looks like what you are trying to do is have your datasource / connection have the minimal amount of access to your SQL Server.

While it is true that ColdFusion datasources can restrict what kind of statements can be run, you really want your SQL connection to do the restriction. Say you have a datasource called Employee_Info but it is being used for a ColdFusion app that really should only be reading the Employee_Info data.

What you should do is on SQL Server create a read only login. You may even want to call it Employee_InfoRO

Also See

How do I limit the permissions of a C# program to read only on an SQLServer Database?

This is an image from one of the answers on that question

enter image description here

This link may also be useful

When you create a new login in SQL Server it selects db_owner by default

Why not have ColdFusion restrict to Select?

ColdFusion is NOT a native SQL Server engine. It does not really know the meaning of the SQL statements, that is the job of the SQL Server engine. ColdFusion only takes its best guess at what is a select, insert, update, and delete. It does so by string comparison and is very heavy. SQL Server engine knows more about DB security than ColdFusion ever will.

Community
  • 1
  • 1
James A Mohler
  • 11,060
  • 15
  • 46
  • 72
  • I would also add limiting the SQL user to only have rights to specific database(s) as well (on SQL server). I still limit the ColdFusion datasource rights as well. – Miguel-F Dec 03 '13 at 16:08
  • What benefits are you looking to get from doing that? – James A Mohler Dec 03 '13 at 17:11
  • 2
    Limiting the SQL user to only have rights to a single database or at least a few databases. That way the user cannot access other database(s) on that SQL server. Or did you mean the ColdFusion part? In that case, just another layer of security. I agree with you that it is not as secure as the SQL server part but I don't think it hurts. – Miguel-F Dec 03 '13 at 17:13