Microsoft Security Bulletin MS98-004
Unauthorized ODBC Data Access with RDS and IIS
Last Revision: July 17, 1998
Remote Data Service (RDS) is a component of Microsoft® Data Access Components (MDAC), which is installed by default when Windows NT® Server's Internet Information Service (IIS) 4.0 is installed through the Microsoft Windows NT Option Pack. The goal of the RDS component is to enable controlled Internet access to remote data resources through the Windows NT's IIS. However, because the RDS DataFactory (a single component of RDS) allows implicit remoting of data access requests by default, it can be exploited to allow unauthorized Internet clients to access OLE database (DB) datasources available to the server. The implicit remoting function of the RDS 1.5 through the DataFactory component should be disabled.
The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures that Microsoft has developed to further secure its customers.
This issue was discovered by the Microsoft development team and documented in Microsoft Knowledge Base article 184375 on April 22, 1998.
A Web client connecting to a Windows NT IIS server can use the RDS DataFactory object to direct that server to access data using an installed OLE DB provider. This includes executing SQL Server™ calls to ODBC-compliant databases using the ODBC drivers installed on the server.
For example a Web-client could issue a SQL command along with the name or Internet Protocol (IP) address of a remote SQL Server system, a SQL account and password, database name, and a SQL query string. If the request is valid (the remote server is reachable by the Windows NT IIS server, the user account and password are correct, and the database name is valid), the query results will be sent through HTTP back to the client. Although it is true that this requires significant inside information, the potential accessibility of this information should not be underestimated; organizations that don't practice good computing practices could have blank or easy-to-guess passwords on their SQL administrator accounts. The RDS DataFactory object along with other installed ODBC drivers opens other possibilities, including possible access to non-published files on the Windows NT IIS server.
The risk of security vulnerability caused by the DataFactory is even greater if newer OLE DB Providers are installed on the server. "Microsoft DataShape Provider" and "Microsoft JET OLE DB provider" (which ship with MDAC 2.0 in Visual Studio™ 98) allow shell commands to be executed. If the DataFactory is enabled on such a server, Internet clients can use these providers to execute shell commands, which can potentially bring down the server or otherwise severely affect its performance.
Affected Software Versions
- Microsoft Windows NT Server's Internet Information Server version 4.0
- Microsoft Remote Data Services version 1.5
- Microsoft Visual Studio version 6.0
Vulnerability Identifier: CVE-1999-1011
What Microsoft is Doing
The Microsoft Product Security Response Team has produced a set of guidelines and scripts to assist customers in disabling the implicit remoting functionality of the RDS through the DataFactory object.
Microsoft strongly recommends that all customers using Windows NT Server's IIS with OLE DB or ODBC drivers installed should take the actions described below.
What Customers Should Do
If you don't intentionally use the implicit remoting functionality in the DataFactory object, you should disable it.
Please note that you can still use RDS to invoke Business Objects on the server, but an administrator must explicitly enable access to these object by inserting keys for them in the registry. Any pages or applications that rely on RDS's Datacontrol or DataFactory components will not work after this access.
Removing Implicit DataFactory Functionality:
If the following registry entries are removed from the server hosting Windows NT Server's IIS, then the implicit remoting functionality (through DataFactory) of RDS will be disabled. These keys can be removed using the Registry Editor (REGEDT32.exe), or other tools for manipulating the registry.
- HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \W3SVC \Parameters \ADCLaunch \RDSServer.DataFactory
- HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \W3SVC \Parameters \ADCLaunch \AdvancedDataFactory
- HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \W3SVC \Parameters \ADCLaunch \VbBusObj.VbBusObjCls
Note The three registry keys listed above have been wrapped for ease of readability.
Active Server Pages (ASP) pages that depend only on ADO for database connectivity will continue to function. However, the benefits section of the Windows NT IIS 4.0 sample site, Exploration Air, may not function correctly after this change is made.
Using the REGDEL.exe command line utility to remove DataFactory functionality
Note REGDEL.exe is a tool available as part of the Windows NT Resource Kit utilities that can be used to delete registry entries from the command line.
Copy the following text into a .bat file (for example, c:\dfremove.bat) and run the batch file on machines on which you want to remove the RDS components.
REM Batch file to remove RDS components
REM Make sure that REGDEL.exe from the Resource Kit is in your PATH
Echo RDS Keys Removed
RDS 2.0, which ships with Visual Studio 6.0 allows server administrators to use customized handlers for requests to RDS Server. Using the customized handlers, administrators can intercept all requests and responses to and from the RDS Server. RDS 2.0 also ships a default customization handler which is driven by information in an .INI file, installed on the server. This default handler can be used to modify SQL and Connection strings received from the client. RDS 2.0 is part of MDAC 2.0, which ships with Visual Studio 98.
Note Upgrading to RDS 2.0 will not automatically solve the problem -- you must configure the RDS according to your security needs. Please refer to RDS 2.0 documentation for details on how to configure the default .INI file or how to write your own customization handler.
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin 98-004, Unauthorized File Access with RDS and IIS (the web-posted version of this bulletin), http://www.microsoft.com/technet/security/bulletin/ms98-004.mspx
- Microsoft Knowledge Base article 184375, Security Implications of RDS 1.5, IIS 4.0, and ODBC, http://support.microsoft.com/default.aspx?scid=kb;en-us;184375&sd=tech
- Microsoft Universal Data Access web site, http://www.microsoft.com/data
- July 14, 1998: Bulletin Created
- July 17, 1998: Made corrections to the batch file
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.