Limiting Access to the Administration Database

It is important to lock down the server that hosts the Administration database for your site. When you run Commerce Server Setup, you give users of that computer full control of the Administration database. Although the SQL password for the Administration database login is encrypted in the Windows registry, it is possible for users to gain access to it by using a script that accesses one of these programming objects: SiteConfigReadOnly, SiteConfig, or GlobalConfig. Make sure users cannot gain access to the computer or run scripts on it after you complete Setup. Disable the Guest account and disallow access to everyone without administrative privileges.

You can restrict usage of the SiteConfig and GlobalConfig objects by modifying the access control lists (ACLs) on the registry keys for these object classes. To restrict access to these objects, change the permissions on these objects through the Windows Registry Editor.

To change the permissions on an administrative object

  1. Click Start, and then click Run.

  2. In the Run dialog box, in the Open box, type regedt32.

  3. Click HKEY_LOCAL_MACHINE.

  4. On the View menu, click Find Key.

  5. In the Find dialog box, in the Find what box, type the appropriate key, as shown in the following table.

    To find the key for this object    Type this
    SiteConfig                         31B031AE-8877-4973-BC58-FEE0EF8CE07B
    GlobalConfig                       CB438FDD-81EC-45FF-9DBB-9F9FBBF717AF

  6. Clear the Match whole word only check box, and then click Find Next.

    A list of keys appears. The key you requested will be marked as selected with a thin black border. You might have to scroll down the list to see the selected key.

  7. Click the node for the key for which you searched.

  8. In the Security menu, click Permissions.

  9. In the Permissions dialog box, set the appropriate permissions, based on your needs. Limit Read permissions to accounts that need to modify the Administration database.

Note

  • The SiteConfigReadOnly object must be accessible by all user accounts that will access Commerce Server applications. If you want to allow anonymous access, the object must be available to the anonymous account, which is named IUSR_<computername>. The key for the SiteConfigReadOnly object is D1AA04A4-B00D-4D30-88AA-E3070DAE8040.
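The following audit script is an added example, not part of the Commerce Server documentation: it reads the ACLs on the SiteConfig and GlobalConfig CLSID keys and reports any Allow rule that gives a broad, non-administrative principal the right to query the key. It assumes the keys located by the Find dialog are the COM class registrations under HKLM\SOFTWARE\Classes\CLSID, and the principal list is an assumption to adjust for your site; SiteConfigReadOnly is deliberately left out because the note above requires it to stay readable.

```powershell
# Added example: audit read access on the SiteConfig and GlobalConfig CLSID keys.
# Assumption: the keys live under HKLM\SOFTWARE\Classes\CLSID\{GUID}; change
# $ClsidRoot if the Find dialog located them elsewhere on your server.
$ClsidRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'

# CLSIDs taken from the procedure above. SiteConfigReadOnly is intentionally
# omitted: it must remain readable by every account that uses the site.
$ConfigObjects = @{
    'SiteConfig'   = '{31B031AE-8877-4973-BC58-FEE0EF8CE07B}'
    'GlobalConfig' = '{CB438FDD-81EC-45FF-9DBB-9F9FBBF717AF}'
}

# Assumed list of principals that should not be able to read these keys.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Find-BroadReadAccess {
    foreach ($name in $ConfigObjects.Keys) {
        $path = "$ClsidRoot\$($ConfigObjects[$name])"
        if (-not (Test-Path -Path $path)) {
            Write-Warning "$name key not found at $path"
            continue
        }
        $acl = Get-Acl -Path $path
        foreach ($rule in $acl.Access) {
            # QueryValues is the right needed to read the class registration.
            $canQuery = ($rule.RegistryRights -band
                [System.Security.AccessControl.RegistryRights]::QueryValues) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and $canQuery -and
                $BroadPrincipals -contains $rule.IdentityReference.Value) {
                [pscustomobject]@{
                    Object    = $name
                    Principal = $rule.IdentityReference.Value
                    Rights    = $rule.RegistryRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Find-BroadReadAccess | Format-Table -AutoSize
```

A reported rule with Inherited set to True comes from the parent CLSID key, so inheritance on the object's key has to be removed in the Permissions dialog before that rule can be taken away.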
