Note: This guide describes Kentico CMS version 7. Unfortunately, we cannot support this guide from version 8 forward. Go to latest documentation

Skip to end of metadata
Go to start of metadata

Your web application should be run with the smallest set of rights that allow the application to function correctly. For example, a web application should NOT have access anywhere outside of the web application space. When attackers happen to find a flaw in the application, they will not at least gain access to sensitive information stored on the server (e.g., the SAM database, where the user passwords are stored).

You should explicitly ensure that:

  • The IIS is run under a custom low-rights user account.
  • The IIS application pool is run under a correctly configured user account. It is recommended to create a custom user account with minimum rights. See Specify an Identity for an Application Pool (IIS 7).
  • The SQL Server Services are run under separate low-rights Windows or Local user accounts. See Configure Windows Service Accounts and Permissions.
  • Unsafe SQL functions, like xp_cmdshell(), are not turned on.
  • The application runs in the most restricted trust level. Kentico can also run in the medium trust environment – it depends on the demands of your application.


On this page

Minimal Kentico requirements

This list provides the minimal configurations for the SQL and IIS user accounts in order to work properly with Kentico CMS.

Minimal configuration for an SQL user account

For browsing the web, this account must be:

  • granted with permissions connect, insert, select, execute, update, delete
  • added to the database-level role name db_owner.

For creating a database, this account must be:

  • granted with permissions connect, insert, select, execute, update, delete, alter, references
  • added to the database-level role db_owner.

If you want to limit the permissions for an SQL user, you have to first create a new SQL login in the SQL Management Studio, map it to the database and then assign the permissions for this login. For information about creating logins in SQL Management Studio, see Create a Login.

Minimal configuration for an IIS user account to be able to use Kentico:

  • this account must be granted with Read, Write, Modify permissions for the website directory.
  • No labels