Hi Experts
I have read many posts around the web on the best way to accomplish this and I believe I have a good grasp of what I need to do - however when it comes to things like this, I always appreciate a second pair of eyes to objectively look at it!
Background:
We currently have a webserver (the only machine) in the DMZ using Apache, PHP & MySQL to serve a simple management calendar for internal and external installation crews. The server is running Windows 2003 Standard R2.
(Data is synced with the web server from an internal webserver and internal SQL server through the firewall. Firewall rules are currently set up to allow one-way access (LAN > DMZ). - This is for info only.)
Goal:
A current vendor of one of our other applications has released a new web-version of their software to allow users outside of the office, web access to their timesheets. The data is currently residing on our one and only SQL 2005 server on the LAN.
It requires IIS for serving the website and access to the live SQL database.
I'm not a huge fan of allowing data into the LAN, but I have little choice here as the app must be used.
From what I have been reading, the following is what I believe to be the best way to set this up.
A restricted account set up on the SQL 2005 server for the webserver to log in with. No access other than to the database instance it requires. Allow connections to the SQL server only through the firewall, only from the webserver, and only to the database port in use by the instance required. (LAN subnet excluded). The connection information to be stored on the webserver in the application settings inside IIS.
This in addition to following the IIS best practices and the Windows Server Security wizard.
Any comments would be appreciated!
Thanks in advance. (Hopefully this is an easy 500 points for someone :-) )
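
The restricted account described in the post, sketched in T-SQL for SQL Server 2005 as an added example (not part of the original post and not the vendor's script). The login name `timesheet_web`, the database name `TimesheetDB` and the granted roles are assumptions, since the post does not say what the application needs.

```sql
-- Added example: least-privilege SQL login for the DMZ web server.
-- timesheet_web and TimesheetDB are hypothetical names; the password is a
-- placeholder to be replaced with a generated value.
USE master;
GO
CREATE LOGIN timesheet_web
    WITH PASSWORD = '<replace-with-generated-password>',
         DEFAULT_DATABASE = TimesheetDB,
         CHECK_POLICY = ON;          -- enforce the Windows password policy
GO
-- Keep the login from enumerating the other databases on the instance.
DENY VIEW ANY DATABASE TO timesheet_web;
GO

USE TimesheetDB;
GO
-- Map the login into the one database it needs and nowhere else.
CREATE USER timesheet_web FOR LOGIN timesheet_web WITH DEFAULT_SCHEMA = dbo;
GO
-- Assumed permission set: read and write rows only. No db_owner, no DDL.
-- Narrow this to per-table or stored-procedure grants if the vendor
-- documents exactly what the application touches.
EXEC sp_addrolemember 'db_datareader', 'timesheet_web';
EXEC sp_addrolemember 'db_datawriter', 'timesheet_web';
GO

-- Check 1: the login must not appear in any server role (expect zero rows).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = 'timesheet_web';

-- Check 2: database roles held in TimesheetDB (expect only the two above).
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'timesheet_web';
```

Running the two check queries again after any vendor upgrade shows whether an installer has widened the account's rights.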