Hosting Secure Site

Our business is in need of setting up a dealer portal website which needs to 
interact with our internal SQL/App server.  I know SBS is not the place to 
host the site so setting up a virtual web server and putting it in some sort 
of DMZ is the plan thus far.  I'm planning on running the site securely 
(https://) which will conflict with the SBS OWA and RWW.  I'd prefer to use 
the same static IP address so how would I go about setting up and accessing 
the dealer site given that both will be on port 443?  Could I just change 
the port of the dealer portal? (eg.  https://mysite.com:4443)  I suspect the 
site will be fairly low volume if that matters any...

Is this normally how a company data driven website is set up?  I would assume 
3rd party hosting isn't an option since much of the data lives on our 
internal SQL/App server...

Any other suggestions?


0
Scott
1/18/2010 6:51:20 PM

I'd get another external IP
and use that for external access.

If you want to make things easier externally
just have a subdomain created of
dealer.yourdomain.com that points to that IP.

You may have 5 IP's already in some business accounts
Russ

-- 
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
Microsoft Online Services - http://www.microsoft-online-services.com


"Scott Rymer" <tsrymer/at/hotmail/dot/com> wrote in message 
news:F2C2CDC3-A0DC-4389-AD70-6094C6959237@microsoft.com...
> Our business is in need of setting up a dealer portal website which needs 
> to interact with our internal SQL/App server.  I know SBS is not the place 
> to host the site so setting up a virtual web server and putting it in some 
> sort of DMZ is the plan thus far.  I'm planning on running the site 
> securely (https://) which will conflict with the SBS OWA and RWW.  I'd 
> prefer to use the same static IP address so how would I go about setting 
> up and accessing the dealer site given that both will be on port 443? 
> Could I just change the port of the dealer portal? (eg. 
> https://mysite.com:4443)  I suspect the site will be fairly low volume if 
> that matters any...
>
> Is this normally how a company data driven website is set up?  I would 
> assume 3rd party hosting isn't an option since much of the data lives on 
> our internal SQL/App server...
>
> Any other suggestions?
>
> 
0
Russ
1/18/2010 8:24:05 PM
Scott Rymer wrote:
> Our business is in need of setting up a dealer portal website which 
> needs to interact with our internal SQL/App server.  I know SBS is not 
> the place to host the site so setting up a virtual web server and 
> putting it in some sort of DMZ is the plan thus far.  I'm planning on 
> running the site securely (https://) which will conflict with the SBS 
> OWA and RWW.  I'd prefer to use the same static IP address so how would 
> I go about setting up and accessing the dealer site given that both will 
> be on port 443?  Could I just change the port of the dealer portal? 
> (eg.  https://mysite.com:4443)  I suspect the site will be fairly low 
> volume if that matters any...
> 
> Is this normally how a company data driven website is set up?  I would 
> assume 3rd party hosting isn't an option since much of the data lives on 
> our internal SQL/App server...
> 
> Any other suggestions?
> 
> 
Many ways...

Best practice is to host it externally, and to organise data flow 
between the sites. Professional web hosting normally includes an SQL 
database and active web page software of either Windows or *nix 
varieties. That also sidesteps the port issue.

Even in a local DMZ, this is the right way to do it, with the web server 
machine never having access to the LAN. Always pull the user data from 
the web server, and push back the data to publish, or send it by email. 
Never link a publicly-accessible web server to a database running on a 
non-expendable machine. The important thing to ensure is that if the web 
server is compromised, it does not provide any greater access to the 
rest of the company's IT systems than is available directly from the 
Internet.

An example: a client of mine needs to publish scanned documents on a web 
server, together with data associated with them. The documents are 
linked to a database, with the master copy at the client's office. So 
there is an application which allows the scan to be associated with a 
particular record in the master database at the time it is made. Then, 
the scan is processed and pushed by FTP to the website.

The updated database records are potentially more sensitive than the 
scans and are encrypted and emailed out of the client's office. The 
website pulls the emails from an IMAP server, extracts the attachments 
and copies the records to the slave database after verification, 
anti-SQL-injection and XSS measures etc. This has the side effect of 
maintaining an automatic up-to-date backup database offsite, and in fact 
in another country in this case.

It's a bit harder if significant data entry has to be made on web pages, 
but the relevant active page can sanitise and then email the data, or 
place it in a file for download by FTP or HTTP (or more secure method).

Since you're using https with a known group of clients, you could 
consider requiring a client certificate for access to the server, which 
you would distribute to the dealers along with written instructions that 
it should be installed only on secure computers. You will no doubt be 
using professionally-written web applications, and should be able to get 
more security advice from those professionals.

It is certainly more expensive to outsource the website if nothing goes 
wrong for a few years, but even a single compromise will tip the costs 
the other way, by quite a large amount. Think of it as insurance.

-- 
Joe
0
Joe
1/18/2010 8:59:03 PM
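
An added example (not code from this thread or from the system Joe describes) of the web-side import step in the post above: the office pushes a batch, and the web host authenticates it, validates every record, loads it with parameterized queries, and escapes it on output. It swaps the encrypted e-mail transport for an HMAC-SHA256 tag over a JSON file; the `parts` table, the field names, the key and the SQLite replica are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import json
import re
import sqlite3

# Constructed demo key (assumption); a real one is random and kept outside the web root.
SHARED_KEY = b"constructed-demo-key-not-for-production"

PART_NO = re.compile(r"[A-Z0-9-]{1,20}")  # allow-list for the hypothetical part number
MAX_DESC = 200


def sign_export(records, key=SHARED_KEY):
    """Office side: serialise the records and prepend an HMAC-SHA256 tag."""
    body = json.dumps(records, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return tag + b"\n" + body


def _validate(rec):
    """Strict allow-list check of one record; returns a row tuple or raises."""
    if not isinstance(rec, dict) or set(rec) != {"part_no", "description", "price_cents"}:
        raise ValueError("unexpected fields")
    part_no, desc, price = rec["part_no"], rec["description"], rec["price_cents"]
    if not isinstance(part_no, str) or not PART_NO.fullmatch(part_no):
        raise ValueError("bad part_no")
    if not isinstance(desc, str) or len(desc) > MAX_DESC:
        raise ValueError("bad description")
    if type(price) is not int or not 0 <= price < 10_000_000:
        raise ValueError("bad price_cents")
    return part_no, desc, price


def verify_and_load(blob, conn, key=SHARED_KEY):
    """Web side: authenticate the batch, validate all records, then load them.

    Returns the number of rows loaded. Raises ValueError and loads nothing
    if the tag is wrong or any single record fails validation.
    """
    tag, sep, body = blob.partition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not sep or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    records = json.loads(body)
    if not isinstance(records, list):
        raise ValueError("expected a list of records")
    rows = [_validate(r) for r in records]  # validate everything before writing
    with conn:  # single transaction: all rows or none
        conn.executemany(
            "INSERT OR REPLACE INTO parts (part_no, description, price_cents) "
            "VALUES (?, ?, ?)",  # placeholders keep record text out of the SQL
            rows,
        )
    return len(rows)


def render_row(conn, part_no):
    """Render one part as an HTML table row, escaping stored text on output."""
    row = conn.execute(
        "SELECT part_no, description, price_cents FROM parts WHERE part_no = ?",
        (part_no,),
    ).fetchone()
    if row is None:
        return ""
    return "<tr><td>{}</td><td>{}</td><td>{:.2f}</td></tr>".format(
        html.escape(row[0]), html.escape(row[1]), row[2] / 100
    )


def make_replica():
    """In-memory SQLite database standing in for the web host's replica."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parts (part_no TEXT PRIMARY KEY, description TEXT, price_cents INTEGER)"
    )
    return conn


if __name__ == "__main__":
    replica = make_replica()
    # Constructed sample batch.
    batch = [{"part_no": "AB-100", "description": "Widget <b>XL</b>", "price_cents": 1299}]
    print(verify_and_load(sign_export(batch), replica))
    print(render_row(replica, "AB-100"))
```

The tag authenticates a batch but does not stop an old batch from being replayed; a sequence number or timestamp inside the signed body, checked on import, covers that.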
Joe,  thanks for the great advice.

Hosting externally isn't likely an option from a budget perspective... but 
what are some options to get data flowing from my internal SQL database to 
the web server hosted on a 3rd party server?

Some ideas I've had so far w.r.t. data:

Would SQL replication be advisable for data flowing from SQL to the web 
server?
What about using web services on the SQL box to send data to the web server?
FTPing XML files on a schedule from SQL box to a web server directory?

Obviously, I want the app to be as secure as possible.  I need to educate 
myself on the security risks before I go shopping for a developer...


> Many ways...
>
> Best practice is to host it externally, and to organise data flow between 
> the sites. Professional web hosting normally includes an SQL database and 
> active web page software of either Windows or *nix varieties. That also 
> sidesteps the port issue.
>
> Even in a local DMZ, this is the right way to do it, with the web server 
> machine never having access to the LAN. Always pull the user data from the 
> web server, and push back the data to publish, or send it by email. Never 
> link a publicly-accessible web server to a database running on a 
> non-expendable machine. The important thing to ensure is that if the web 
> server is compromised, it does not provide any greater access to the rest 
> of the company's IT systems than is available directly from the Internet.
>
> An example: a client of mine needs to publish scanned documents on a web 
> server, together with data associated with them. The documents are linked 
> to a database, with the master copy at the client's office. So there is an 
> application which allows the scan to be associated with a particular 
> record in the master database at the time it is made. Then, the scan is 
> processed and pushed by FTP to the website.
>
> The updated database records are potentially more sensitive than the scans 
> and are encrypted and emailed out of the client's office. The website 
> pulls the emails from an IMAP server, extracts the attachments and copies 
> the records to the slave database after verification, anti-SQL-injection 
> and XSS measures etc. This has the side effect of maintaining an automatic 
> up-to-date backup database offsite, and in fact in another country in this 
> case.
>
> It's a bit harder if significant data entry has to be made on web pages, 
> but the relevant active page can sanitise and then email the data, or 
> place it in a file for download by FTP or HTTP (or more secure method).
>
> Since you're using https with a known group of clients, you could consider 
> requiring a client certificate for access to the server, which you would 
> distribute to the dealers along with written instructions that it should 
> be installed only on secure computers. You will no doubt be using 
> professionally-written web applications, and should be able to get more 
> security advice from those professionals.
>
> It is certainly more expensive to outsource the website if nothing goes 
> wrong for a few years, but even a single compromise will tip the costs the 
> other way, by quite a large amount. Think of it as insurance.
>
> -- 
> Joe 

0
Scott
1/18/2010 9:34:24 PM
Scott Rymer wrote:
> Joe,  thanks for the great advice.
> 
> Hosting externally isn't likely an option from a budget perspective... 
> but what are some options to get data flowing from my internal SQL 
> database to the web server hosted on a 3rd party server?
> 
> Some ideas I've had so far w.r.t. data:
> 
> Would SQL replication be advisable for data flowing from SQL to the web 
> server?

I would think that was OK. I can't imagine any reason for a data flow 
back the other way, but then it would never have occurred to me a couple 
of years ago that PDFs could be dangerous.

> What about using web services on the SQL box to send data to the web 
> server?
> FTPing XML files on a schedule from SQL box to a web server directory?
> 
They certainly *should* be safe. As above...

> Obviously, I want the app to be as secure as possible.  I need to 
> educate myself on the security risks before I go shopping for a 
> developer...
> 

There be dragons... I'm not an expert on web security, like most here I 
have to be a jack-of-all-trades, and I know just enough about web 
security to be very wary. It's a full-time job in itself. Google for SQL 
injection and XSS if you want to scare yourself by how easy it is to 
leave gaping holes, and how many well-known websites have been 
compromised using just those two techniques. I can hack basic web server 
scripting, but I'd never consider writing code for a public site without 
acquiring a great deal more knowledge. And I'd still outsource the hosting.

I also can't help much specifically, as I'm comfortable with perl and 
php, so I tend to favour *nix servers if I need to get involved in 
scripting. Transferring MySQL data as pure text is trivial and easy to 
monitor for stuff that shouldn't be there. I've had nothing to do with 
MS SQL, but general Microsoft experience suggests that it would be 
somewhat less transparent to deal with. But what you want is 
bread-and-butter stuff to web developers, I'd have thought most would 
have off-the-shelf software to do it.

Best of luck.

-- 
Joe
0
Joe
1/18/2010 10:17:38 PM
The money you will pay in license fees for SQL server servicing the 
internet/new hardware/Server OS and so on, is far greater than what you 
would pay to host it externally.

-- 
Cris Hanna [SBS - MVP] (since 1997)
Co-Contributor, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
Owner, CPU Services, Belleville, IL
A Microsoft Registered Partner
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.

0
Cris
1/19/2010 10:45:11 PM
Fair enough... do you have any documentation that would serve as a 
starting point for me to investigate how to get data from my internal 
SQL server to a third party server hosting my data driven website and 
vice-versa?  At some point, we'd be looking at online ordering that 
would need to integrate with our ERP system...  how is this normally 
done if the external website isn't allowed to talk to the internal 
database?

0
Scott
1/20/2010 8:08:26 PM
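
The verify-then-load step from the advice quoted above (the web side receives an exported record batch, checks it, and only then writes it to its own copy of the database), as an added example that is not part of the thread. It assumes the office tags each batch with HMAC-SHA256 under a key shared out of band and that mail retrieval and decryption have already happened; the key, table and field names are hypothetical, and SQLite stands in for the web-side database.

```python
import hashlib
import hmac
import json
import re
import sqlite3

# Hypothetical shared key; load it from protected configuration in practice.
BATCH_KEY = b"constructed-demo-key"
# Constructed sample batch; the title is hostile on purpose and must land as data.
SAMPLE = json.dumps([{"doc_id": 1, "title": "x'); DROP TABLE documents;--",
                      "scan_file": "inv_0001.pdf"}]).encode()
# Allow-list schema for one record (hypothetical fields): name -> validator.
FIELDS = {
    "doc_id": lambda v: type(v) is int and 0 < v < 10**9,
    "title": lambda v: isinstance(v, str) and 0 < len(v) <= 200,
    "scan_file": lambda v: isinstance(v, str)
    and re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.(pdf|tif)", v) is not None,
}


def sign_batch(payload: bytes, key: bytes = BATCH_KEY) -> str:
    """Office side: tag the exported batch before it leaves the LAN."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def load_batch(db, payload: bytes, tag: str, key: bytes = BATCH_KEY) -> int:
    """Web side: verify, validate, then load. Returns the number of rows written."""
    # 1. Authenticity first: reject anything the office export did not produce.
    if not hmac.compare_digest(sign_batch(payload, key).encode(), tag.encode()):
        raise ValueError("batch rejected: bad authentication tag")
    records = json.loads(payload)
    if not isinstance(records, list):
        raise ValueError("batch rejected: expected a list of records")
    # 2. Validate every record against the allow-list before touching the DB.
    for rec in records:
        if not isinstance(rec, dict) or set(rec) != set(FIELDS):
            raise ValueError("batch rejected: unexpected fields")
        for name, ok in FIELDS.items():
            if not ok(rec[name]):
                raise ValueError(f"batch rejected: invalid {name}")
    # 3. Parameterised statement only, in one transaction (all or nothing).
    with db:
        db.executemany(
            "INSERT OR REPLACE INTO documents (doc_id, title, scan_file) "
            "VALUES (:doc_id, :title, :scan_file)", records)
    return len(records)


def make_replica() -> sqlite3.Connection:
    """In-memory stand-in for the web server's copy of the database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (doc_id INTEGER PRIMARY KEY, "
               "title TEXT NOT NULL, scan_file TEXT NOT NULL)")
    return db
```

Because the importer runs on the web side and only reads what the office pushed out, a compromise of the web server gives no path back into the master database.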