Prev: In place upgrade of Windows 2003 Std to Windows 2008 Std
Next: IIS tracking failed logins for users
From: Dan on 23 Jul 2010 11:05
Hi,
We are hoping to deploy a Srvr 2008 Web Edition box in a DMZ with a SQL
database (used by the webpage).

Is it possible for a client to connect to the database directly (not through
IIS) to periodically upload data? I have heard that SQL is for local use only.

I would rather that client made the connection to upload the data rather
then the webserver (incase the webserver is comprimised)
From: Dan on 23 Jul 2010 11:18

"Dan" <Dan(a)discussions.microsoft.com> wrote in message
news:CA573BB3-A0D6-414D-8C34-B35B98D222FB(a)microsoft.com...
> Hi,
> We are hoping to deploy a Srvr 2008 Web Edition box in a DMZ with a SQL
> database (used by the webpage).
>
> Is it possible for a client to connect to the database directly (not
> through
> IIS) to periodically upload data? I have heard that SQL is for local use
> only.
>
> I would rather that client made the connection to upload the data rather
> then the webserver (incase the webserver is comprimised)

Do you mean a SQL Server database? SQL Server can be connected to remotely,
although by default in 2005 and 2008 remote connections are disabled so the
configuration would need to be changed.

Opening SQL Server to remote access is very risky though, while a
compromised web server is bad at least there is some control still possible
to your SQL Server (so long as you are using permissions appropriately and
not just using a sysadmin account for all connections from IIS to SQL
Server), but should someone gain access to SQL Server using a sysadmin
account they could cause a lot more trouble than with IIS being compromised.

--
Dan

From: "Mr. Arnold" MR. on 24 Jul 2010 08:03

"Dan" <Dan(a)discussions.microsoft.com> wrote in message
news:CA573BB3-A0D6-414D-8C34-B35B98D222FB(a)microsoft.com...
> Hi,
> We are hoping to deploy a Srvr 2008 Web Edition box in a DMZ with a SQL
> database (used by the webpage).
>
> Is it possible for a client to connect to the database directly (not
> through
> IIS) to periodically upload data? I have heard that SQL is for local use
> only.
>
> I would rather that client made the connection to upload the data rather
> then the webserver (incase the webserver is comprimised)

You're opening the SQL Server up on the Web server to be hacked for sure by
putting the server into the DMZ.

You can use the SQL Server Service Broker and keep the machine behind the
firewall.

http://msdn.microsoft.com/en-us/library/ms166043(SQL.90).aspx

You can connect remotely to the SQL Server Service Broker queues.

http://msdn.microsoft.com/en-us/library/ms166145.aspx

You can crate XML for CRUD operations against tables and send the XML to the
SQL Server Service Broker queues you named for each CRUD operation.

Of course you would have a client side app, it can be Window desktop,
Console, Windows Service or Web application that will go into communications
with the SQL Server Service Broker and send the XML to the appropriate
queue.

Then you can use the SQL Server Service Broker CLR which can use C# or
VB.NET and do thing you want after you read it out of a queue and do CRUD
operations against the database.

http://en.wikipedia.org/wiki/Microsoft_SQL_Server




 | 
Pages: 1
Prev: In place upgrade of Windows 2003 Std to Windows 2008 Std
Next: IIS tracking failed logins for users