Access to internal database

The most secure is to set up each "user" as an NT account and force login.
This can end up as a maintenance nightmare, however. Outside of this, you
will have to create some form of security account table for each user of the
system. You can set up an admin role and user roles and have the admin for a
particular company control the user's access. That will take some of the
maintenance off your back. You will have to add these new tables (account,
role, etc.) to your database or a separate security database.

All db access should be done through stored procedures, if possible, as that
adds a security layer over ad hoc queries against tables. A "hacker" will
only have access to the data retrieved, updated, etc., by a procedure, which
you have control over. This is not possible with all types of databases.

---

Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

***************************
Think Outside the Box!
***************************
"CMan" wrote:

Hi ,

We have a internal database application which we now need to update from a
website hosted at an external site.

We want users to be able to come to the website and see their very latest
information. They should be able to update this data and submit it to a
holding area before it is checked by an operator and the live record
updated.

What is the best and most secure way to achieve this scenario?
How should the website be connected to the internal database?

Thanks

CMan

If you are in Microsoft environment, you need to publish your database out
on your local ISA server. You can allow external access from only one
location, which is the webserver. The web server then would connect to the
database server by the ISA IP address. If you are going to pass secure data
between the web and database server, you will want to equip the database
server with a SSL certificate.

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...

Hi ,

We have a internal database application which we now need to update from a
website hosted at an external site.

We want users to be able to come to the website and see their very latest
information. They should be able to update this data and submit it to a
holding area before it is checked by an operator and the live record
updated.

What is the best and most secure way to achieve this scenario?
How should the website be connected to the internal database?

Thanks

CMan

Webservices come to mind. You could have a webservice on yourend that would be triggered from the site. That way you canhave the site run off of your local DB even though it is hostedremotely. This is a problem however if your site does not havethe same type of redundency as your hosting environment. Ifyour servers go down so would site. Another way would be tosend the web site submitted data to the formatted flat file. That way you could just FTP down to your site securely wheneveryou wanted to.

Alan Washington

Hi ,

We have a internal database application which we now need toupdate from a
website hosted at an external site.

We want users to be able to come to the website and see theirvery latest
information. They should be able to update this data and submitit to a
holding area before it is checked by an operator and the liverecord
updated.

What is the best and most secure way to achieve this scenario?
How should the website be connected to the internal database?

Thanks

CMan

User submitted from AEWNET (http://www.aewnet.com/)

http://msdn.microsoft.com/architectu...n/default.aspx

chanmm

"CMan" <cm**@nospam.nospam> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...

Hi ,

We have a internal database application which we now need to update from a
website hosted at an external site.

We want users to be able to come to the website and see their very latest
information. They should be able to update this data and submit it to a
holding area before it is checked by an operator and the live record
updated.

What is the best and most secure way to achieve this scenario?
How should the website be connected to the internal database?

Thanks

CMan

Thanks everyone,

So we can make the connection to the database server over SSL? Or do you
just mean between the web server and browser?
How do we set this up? Is it a simple SQL Server setting or win2000 network
setting?

How does SSL compare to using IPsec?
Can this all be done securely through win2000 alone or is third party
software required/preferred?

Thanks in advance.

CMan



"Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
news:eQ**************@TK2MSFTNGP15.phx.gbl...

If you are in Microsoft environment, you need to publish your database out
on your local ISA server. You can allow external access from only one
location, which is the webserver. The web server then would connect to the
database server by the ISA IP address. If you are going to pass secure data between the web and database server, you will want to equip the database
server with a SSL certificate.

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...

Hi ,

We have a internal database application which we now need to update from a website hosted at an external site.

We want users to be able to come to the website and see their very latest information. They should be able to update this data and submit it to a
holding area before it is checked by an operator and the live record
updated.

What is the best and most secure way to achieve this scenario?
How should the website be connected to the internal database?

Thanks

CMan

Yes, you can make SSL connection between the database server and the
webserver if you install a SSL certificate on the database server.

Microsoft document "Building Secure ASP.NET Applications" is a good strating
point. Can be downloaded from
http://www.microsoft.com/downloads/d...C-BF9C6593F25E

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:uP**************@TK2MSFTNGP11.phx.gbl...

Thanks everyone,

So we can make the connection to the database server over SSL? Or do you
just mean between the web server and browser?
How do we set this up? Is it a simple SQL Server setting or win2000 network setting?

How does SSL compare to using IPsec?
Can this all be done securely through win2000 alone or is third party
software required/preferred?

Thanks in advance.

CMan



"Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
news:eQ**************@TK2MSFTNGP15.phx.gbl...

If you are in Microsoft environment, you need to publish your database out

on your local ISA server. You can allow external access from only one
location, which is the webserver. The web server then would connect to the database server by the ISA IP address. If you are going to pass secure data

between the web and database server, you will want to equip the database
server with a SSL certificate.

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...

Hi ,

We have a internal database application which we now need to update from a website hosted at an external site.

We want users to be able to come to the website and see their very latest information. They should be able to update this data and submit it to

a holding area before it is checked by an operator and the live record
updated.

What is the best and most secure way to achieve this scenario?
How should the website be connected to the internal database?

Thanks

CMan

Thanks Eliyahu,

This has been really helpful.

For this use would there be any problem generating our own certificate>

CMan

"Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
news:uU*************@TK2MSFTNGP09.phx.gbl...

Yes, you can make SSL connection between the database server and the
webserver if you install a SSL certificate on the database server.

Microsoft document "Building Secure ASP.NET Applications" is a good strating point. Can be downloaded from
http://www.microsoft.com/downloads/d...C-BF9C6593F25E
Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:uP**************@TK2MSFTNGP11.phx.gbl...

Thanks everyone,

So we can make the connection to the database server over SSL? Or do you

just mean between the web server and browser?
How do we set this up? Is it a simple SQL Server setting or win2000 network

setting?

How does SSL compare to using IPsec?
Can this all be done securely through win2000 alone or is third party
software required/preferred?

Thanks in advance.

CMan



"Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
news:eQ**************@TK2MSFTNGP15.phx.gbl...

If you are in Microsoft environment, you need to publish your database

out on your local ISA server. You can allow external access from only one
location, which is the webserver. The web server then would connect to the database server by the ISA IP address. If you are going to pass secure

data

between the web and database server, you will want to equip the database server with a SSL certificate.

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
> Hi ,
>
> We have a internal database application which we now need to update from

a

> website hosted at an external site.
>
> We want users to be able to come to the website and see their very

latest

> information. They should be able to update this data and submit it

to a > holding area before it is checked by an operator and the live record
> updated.
>
> What is the best and most secure way to achieve this scenario?
> How should the website be connected to the internal database?
>
> Thanks
>
> CMan
>
>

Theoretically there should not be any problem. Never did it myself though.

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:%2******************@TK2MSFTNGP12.phx.gbl...

Thanks Eliyahu,

This has been really helpful.

For this use would there be any problem generating our own certificate>

CMan

"Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
news:uU*************@TK2MSFTNGP09.phx.gbl...

Yes, you can make SSL connection between the database server and the
webserver if you install a SSL certificate on the database server.

Microsoft document "Building Secure ASP.NET Applications" is a good

strating

point. Can be downloaded from

http://www.microsoft.com/downloads/d...C-BF9C6593F25E

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:uP**************@TK2MSFTNGP11.phx.gbl...

Thanks everyone,

So we can make the connection to the database server over SSL? Or do you just mean between the web server and browser?
How do we set this up? Is it a simple SQL Server setting or win2000

network

setting?

How does SSL compare to using IPsec?
Can this all be done securely through win2000 alone or is third party
software required/preferred?

Thanks in advance.

CMan



"Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
news:eQ**************@TK2MSFTNGP15.phx.gbl...
> If you are in Microsoft environment, you need to publish your database

out

> on your local ISA server. You can allow external access from only

one > location, which is the webserver. The web server then would connect to

the

> database server by the ISA IP address. If you are going to pass

secure data
> between the web and database server, you will want to equip the

database > server with a SSL certificate.
>
> Eliyahu
>
> "CMan" <cm**@nospam.nospam> wrote in message
> news:%2****************@TK2MSFTNGP12.phx.gbl...
> > Hi ,
> >
> > We have a internal database application which we now need to update from

a
> > website hosted at an external site.
> >
> > We want users to be able to come to the website and see their very
latest
> > information. They should be able to update this data and submit it

to

a

> > holding area before it is checked by an operator and the live

record > > updated.
> >
> > What is the best and most secure way to achieve this scenario?
> > How should the website be connected to the internal database?
> >
> > Thanks
> >
> > CMan
> >
> >
>
>

Thanks.
"Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
news:u$**************@TK2MSFTNGP15.phx.gbl...

Theoretically there should not be any problem. Never did it myself though.

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:%2******************@TK2MSFTNGP12.phx.gbl...

Thanks Eliyahu,

This has been really helpful.

For this use would there be any problem generating our own certificate>

CMan

"Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
news:uU*************@TK2MSFTNGP09.phx.gbl...

Yes, you can make SSL connection between the database server and the
webserver if you install a SSL certificate on the database server.

Microsoft document "Building Secure ASP.NET Applications" is a good strating

point. Can be downloaded from

http://www.microsoft.com/downloads/d...C-BF9C6593F25E

Eliyahu

"CMan" <cm**@nospam.nospam> wrote in message
news:uP**************@TK2MSFTNGP11.phx.gbl...
> Thanks everyone,
>
> So we can make the connection to the database server over SSL? Or do

you

> just mean between the web server and browser?
> How do we set this up? Is it a simple SQL Server setting or win2000
network
> setting?
>
> How does SSL compare to using IPsec?
> Can this all be done securely through win2000 alone or is third

party > software required/preferred?
>
> Thanks in advance.
>
> CMan
>
>
>
>
>
>
>
> "Eliyahu Goldin" <re*************@monarchmed.com> wrote in message
> news:eQ**************@TK2MSFTNGP15.phx.gbl...
> > If you are in Microsoft environment, you need to publish your database out
> > on your local ISA server. You can allow external access from only one > > location, which is the webserver. The web server then would connect to

the
> > database server by the ISA IP address. If you are going to pass secure > data
> > between the web and database server, you will want to equip the

database

> > server with a SSL certificate.
> >
> > Eliyahu
> >
> > "CMan" <cm**@nospam.nospam> wrote in message
> > news:%2****************@TK2MSFTNGP12.phx.gbl...
> > > Hi ,
> > >
> > > We have a internal database application which we now need to update from
> a
> > > website hosted at an external site.
> > >
> > > We want users to be able to come to the website and see their

very > latest
> > > information. They should be able to update this data and submit

it to

a
> > > holding area before it is checked by an operator and the live

record > > > updated.
> > >
> > > What is the best and most secure way to achieve this scenario?
> > > How should the website be connected to the internal database?
> > >
> > > Thanks
> > >
> > > CMan
> > >
> > >
> >
> >
>
>