Web Elements Security
<p><font face="arial,helvetica,sans-serif" size="2">Hello,</font></p><p><font face="arial,helvetica,sans-serif" size="2">We are using Crystal Reports in a .net Business Objects Enterprise environment and have successfully done so for few years now. We are very interested in the new web page features that WebElements offer and have read the installation guidance which refers to the security risks of Pass Through HTML. </font></p><p><font face="Arial" size="2">Not being an HTML gurus we have approached our ICT system/web security colleagues for advice on the security risks of implementing WebElements. We operate both the BOXIR2 server and the MS SQL server entirely within our own domain on a firewalled internet. Approximately 250-300 are members of our domain but only 40-50 with access to the BO server.</font></p><p><font face="Arial" size="2">Our ICT colleagues recommended that if the server were open to the Internet they would not advise implementing WebElements but as we are operating on a closed intranet then providing we accepted the risk then it should be OK.</font></p><p><font face="Arial" size="2">My problem is I'm trying to guage just what the risk is! Is it possible direct access to the SQL server data for any domain members that could execute pass through HTML, even with permissions set on the tables, views etc., on the server? Or would the risk be much lower, i.e. controlled by the SQL server permissions. Or is the access to the SQL data set at the same read only level of the BO server pemissions on the SQL.</font></p><p><font face="Arial" size="2">My apologies if this sounds very general but we are trying to get our heads around the scale of the risk. Any advice, practical experience of risk a similar configuration would be very welcome.</font></p><p><font face="Arial" size="2">Many thanks,</font></p><p><font face="Arial" size="2">Dave</font></p>