IIS/SQL Security

Last post 12-19-2006 10:41 PM by mhutter. 4 replies.

  • IIS/SQL Security

    12-12-2006, 4:46 PM
    • mhutter
    • Joined on 08-02-2006, 1:19 PM
    • Posts 36

    I'm a newb so forgive me if this question has been asked 100 times already....

    I'm setting up my first "public" website and was wondering what are acceptable settings for IIS and SQL in terms of security?  I'm running IIS v5 and SQL 2000.

     In IIS I unchecked Integrated Windows Authentication and left Anonymous Authentication checked which is authenticating as the standard IUSR_MACHINENAME account.

    I understand that ASP.NET applications will run under the MACHINENAME\ASPNET account.  After several failed attempts (or attempts that felt like I was doing WAY too much work and granting as many permissions in SQL as the admin would get...) I simply added the ASPNET account to SQL and made it an owner of the ASPNET membership database.  The reason I did this is because every time I tried to do something with a role or user, I would get an access denied message for the stored procedures required to perform those operations.

     Is it acceptable to do this?  I obviously want to make this as secure as I possibly can...please help.

    Thanks!

    Also, a related problem:  I cannot manage the ASP roles/users using the VS2005 Website Administration Tool.  I'm working on my computer and the website is located on a DMZ server.  There is a firewall between these boxes and when I try to configure security it says something like "An error has occurred while establishing a connection to the server."  I was able to create a custom user/role management page that does work for creating users and managing roles, so I don't think it is a connection string setting since this actually works...perhaps it's a firewall issue?

  • Re: IIS/SQL Security

    12-14-2006, 1:35 AM
    mhutter:

    I simply added the ASPNET account to SQL and made it an owner of the ASPNET membership database.

     Is it acceptable to do this?  I obviously want to make this as secure as I possibly can...please help.



    I'm doing that in the same way as you. Since the ASPNET account needs to manage the database, you'd better add the account to the db_owner role to ensure it has sufficient permissions to perform management tasks.

    mhutter:

    Also, a related problem:  I cannot manage the ASP roles/users using the VS2005 Website Administration Tool.  I'm working on my computer and the website is located on a DMZ server.  There is a firewall between these boxes and when I try to configure security it says something like "An error has occurred while establishing a connection to the server."  I was able to create a custom user/role management page that does work for creating users and managing roles, so I don't think it is a connection string setting since this actually works...perhaps it's a firewall issue?



    Are you trying to manage the roles/users on the DMZ server from your computer? As far as I know, the Website Administration Tool can only manage local website data. Peter has written a sample web application to manage membership data; you can take a look at this link:
    Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 2: Implementation

    Welcome to my SQL/ASPNET forum for Chinese
    http://51up.org/bbs/forumdisplay.php?fid=38
  • Re: IIS/SQL Security

    12-19-2006, 10:36 AM
    • mhutter

    Thanks for the response...but my question was more (or was supposed to be more) about how common it is for a production website/application to simply make that ASPNET account an owner of the db it needs access to...

    There must be other ways, and I guess that is what I am asking; what are my options and which is considered a better practice from a security stand point?

  • Re: IIS/SQL Security

    12-19-2006, 10:07 PM
    Answer
    Yes, if you want to use the whole membership functionality, the account which runs the web application needs to have sufficient permissions to perform various tasks in the database. I haven't tested the minimum permissions for this, but it won't be far away from adding the user to the db_owner role. If you do not want to add the ASPNET account as dbo, you can simply use another account to run the web application, by specifying the account/password in the identity element in web.config.
    Welcome to my SQL/ASPNET forum for Chinese
    http://51up.org/bbs/forumdisplay.php?fid=38
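    A least-privilege alternative to db_owner, added here as an example and not part of the thread: the schema that aspnet_regsql.exe installs for ASP.NET 2.0 membership already defines per-feature database roles (aspnet_Membership_*, aspnet_Roles_*), so the worker-process account can be limited to those. It assumes the membership database is named aspnetdb, uses MACHINENAME as a placeholder, and uses the SQL Server 2000 stored procedures the thread's environment supports.

```sql
-- Added example (not from the thread). Assumes: database "aspnetdb" was
-- created by aspnet_regsql.exe, which installs the aspnet_* roles below;
-- MACHINENAME is a placeholder for the DMZ web server's name.
USE aspnetdb
GO

-- 1. Server login for the worker-process account (SQL Server 2000 syntax).
EXEC sp_grantlogin 'MACHINENAME\ASPNET'
GO

-- 2. Map that login to a database user in the membership database.
EXEC sp_grantdbaccess 'MACHINENAME\ASPNET', 'aspnet_worker'
GO

-- 3. Roles created by aspnet_regsql: FullAccess covers create/update/delete
--    (what a user/role management page needs), BasicAccess covers login
--    validation only, ReportingAccess is read-only. Add aspnet_Profile_* or
--    aspnet_Personalization_* roles only if the site uses those features.
EXEC sp_addrolemember 'aspnet_Membership_FullAccess', 'aspnet_worker'
EXEC sp_addrolemember 'aspnet_Roles_FullAccess', 'aspnet_worker'
GO

-- 4. Make sure the account was not left in db_owner from earlier experiments
--    (this call reports an error, harmlessly, if it was never a member).
EXEC sp_droprolemember 'db_owner', 'aspnet_worker'
GO

-- 5. Verify: list the roles the user now holds; db_owner should be absent.
EXEC sp_helpuser 'aspnet_worker'
GO
```

    If the site runs under a dedicated account set via the identity element in web.config, as the reply above suggests, grant that account instead of MACHINENAME\ASPNET.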
  • Re: IIS/SQL Security

    12-19-2006, 10:41 PM
    • mhutter
    Cool....Thanks!