Database permissions & security hardening

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
8 years ago
Hi all,

I’m working through some standard security hardening procedures for my NopCommerce deployment (DB and IIS mainly), and just wondering what the minimum database permissions are for the app to function? Also, if anyone else has any experience or recommendations with securing NopCommerce from the default installation that would be greatly appreciated.

Cheers
8 years ago
For normal operations nopCommerce would require select, insert and update permissions on all its tables and permissions to run stored procedures.
But in order to install/uninstall plugins that require data access, create and drop table permissions are required as well.

If you really want to tighten database security you might want to consider separating the admin from the public store. (separate website in IIS for the admin, using different credentials)
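
One way to express the split described in the reply above on SQL Server, as an added example that is not part of the original posts or nopCommerce's own scripts. The database name, login names, role names and the use of the dbo schema are assumptions.

```sql
-- Added example (T-SQL). Placeholders and assumptions: database NopCommerceDb,
-- logins nop_store_login / nop_admin_login already exist, tables live in dbo.
USE [NopCommerceDb];
GO

-- Runtime role: only what the post lists for normal operations.
CREATE ROLE nop_runtime;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO nop_runtime;
GRANT EXECUTE ON SCHEMA::dbo TO nop_runtime;
-- DELETE is not in the post's list; grant it only if testing shows the store needs it.

-- Plugin role: table DDL for plugin install/uninstall.
-- In SQL Server, CREATE TABLE also needs ALTER on the target schema, and
-- DROP TABLE is covered by that same ALTER permission.
CREATE ROLE nop_plugin_ddl;
GRANT CREATE TABLE TO nop_plugin_ddl;
GRANT ALTER ON SCHEMA::dbo TO nop_plugin_ddl;
GO

-- Public store: runtime rights only.
CREATE USER nop_store FOR LOGIN nop_store_login;
ALTER ROLE nop_runtime ADD MEMBER nop_store;

-- Admin site: runtime rights plus plugin DDL.
CREATE USER nop_admin FOR LOGIN nop_admin_login;
ALTER ROLE nop_runtime ADD MEMBER nop_admin;
ALTER ROLE nop_plugin_ddl ADD MEMBER nop_admin;
GO

-- Audit 1: explicit grants held by the two roles.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE WHEN pe.class_desc = 'SCHEMA' THEN SCHEMA_NAME(pe.major_id) END AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'nop_runtime', N'nop_plugin_ddl')
ORDER BY pr.name, pe.permission_name;

-- Audit 2: every database role each application user belongs to, which would
-- expose any broader membership such as db_owner or db_ddladmin.
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'nop_store', N'nop_admin')
ORDER BY m.name, r.name;
```

ALTER on the schema covers every object in dbo, not only plugin tables, which is the reason to keep it off the public store's user.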
8 years ago
Thanks for that :)

Nopaholics wrote:
If you really want to tighten database security you might want to consider separating the admin from the public store. (separate website in IIS for the admin, using different credentials)


Yeah, this is what we were planning on doing, although I haven't looked into how this is achieved yet.  Thanks a lot for your help.
8 years ago
rbrasier wrote:

Yeah, this is what we were planning on doing, although I haven't looked into how this is achieved yet.  Thanks a lot for your help.


I haven't tested it, but you could probably create a second site in IIS that points to the same webroot and have the second site use a different app pool.

If that doesn't work you could copy the entire site and remove the Admin folder in the frontend site. But in that case you would probably need to replicate some files (at least the config files generated by the admin).