PRB: Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC

This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

Because the RDS Datafactory (a single component of RDS) allows implicit remoting of data access requests by default, it can be exploited to allow unauthorized Internet clients to access OLE DB datasources available to the server.

A malicious user may be able to gain access to ODBC data, such as data held in Microsoft SQL Server or Microsoft Access, when connecting to Internet Information Server (IIS) 4.0 with Microsoft Remote Data Services installed.

Method One: Remove RDS Functionality

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

To disallow all RDS functionality, you must remove the following registry entries from the server hosting IIS.

  1. Run the Registry Editor (Regedt32.exe).
  2. Remove the following registry keys and any subkeys:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

NOTE: Each of the preceding registry keys is one path; it has been word wrapped for readability.

Active Server Pages (ASPs) that depend on just ADO (ActiveX Data Objects) for database connectivity will continue to run.

The Benefits part of the IIS 4.0 sample site, Exploration Air, may not function correctly if this change is made. There are no other standard features in IIS 4.0 that require RDS.
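
The key removal in Method One can be audited and scripted on servers where PowerShell is available. The following is an added example, not part of the original Microsoft article; the `-Remove` switch and the `$BackupDir` parameter are names chosen here for illustration.

```powershell
# Added example: audit and optionally remove the RDS ADCLaunch handler keys.
# Run from an elevated prompt on the server hosting IIS.
param(
    [switch]$Remove,                      # hypothetical switch: delete keys that are found
    [string]$BackupDir = 'C:\RegBackup'   # assumption: any writable directory
)

$base     = 'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'
$handlers = 'RDSServer.DataFactory', 'AdvancedDataFactory', 'VbBusObj.VbBusObjCls'

# Report which of the three handler keys are still registered.
$found = @()
foreach ($name in $handlers) {
    if (Test-Path -LiteralPath "HKLM:\$base\$name") {
        Write-Warning "Present: HKEY_LOCAL_MACHINE\$base\$name"
        $found += $name
    } else {
        Write-Output "Absent:  HKEY_LOCAL_MACHINE\$base\$name"
    }
}

if ($Remove -and $found.Count -gt 0) {
    # Back up the whole ADCLaunch branch before deleting anything.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("ADCLaunch-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export "HKLM\$base" $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; no keys were removed." }

    foreach ($name in $found) {
        # -Recurse removes the key together with any subkeys, as step 2 requires.
        Remove-Item -LiteralPath "HKLM:\$base\$name" -Recurse -Force
        Write-Output "Removed: $name (backup: $backup)"
    }
}

# Exit code = number of handler keys still present, so the script can gate a compliance check.
$remaining = @($handlers | Where-Object { Test-Path -LiteralPath "HKLM:\$base\$_" })
exit $remaining.Count
```

Run without `-Remove` the script only reports; the timestamped `.reg` export can be re-imported to restore the keys if an application turns out to depend on RDS.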

Method Two: Enforce Correct Security Policy

The following are recommendations that should be followed by all Web developers who are publishing data in ASP pages:

  • Remove all nonessential ODBC drivers, especially the Microsoft Text Driver.
  • Tighten NTFS permissions (ACLs) to restrict access to only those you trust.
  • If using SQL Server, then enforce strong security measures, such as:
      • Run SQL Server as a low-privileged user account.
      • Do not allow extended stored procedures.

More information

Description of RDS Datafactory

Remote Data Services (RDS) is part of the Data Access Components installed by default with Windows NT 4.0 Option Pack and IIS 4.0. With RDS, Web clients can issue client-based SQL queries to OLE DB data sources hosted on the Web server.

The DataFactory object allows you to connect to a specified data source (such as SQL Server), using a specified UserID and password, and execute a query against that server and then return the result set back to the client.

The data source, UserID, password, and SQL statement are passed as parameters to the method exposed on the DataFactory object. If the registry keys stated above are removed, however, the user will be unable to create the object, therefore removing any possibility of abuse.

Article ID: 184375 - Last Review: 01/10/2015 11:22:08 - Revision: 4.0

  • Microsoft Data Access Components 2.5