COMMAND

    Microsoft Internet Information Server version 4.0
    Microsoft Remote Data Services version 1.5
    Microsoft Visual Studio version 6.0

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Remote Data Service (RDS) is a component of Microsoft Data  Access
    Components  (MDAC),   which  is    installed   by  default    when
    Microsoft(r) Internet  Information Server  (IIS) 4.0  is installed
    via the Windows NT(r) Option Pack.  The goal of the RDS  component
    is to enable controlled  Internet access to remote  data resources
    through the Internet Information Server. However, because the  RDS
    DataFactory (a single component  of RDS) allows implicit  remoting
    of data access requests by  default, it can be exploited  to allow
    unauthorized  Internet  clients  to  access  OLE  DB   datasources
    available to the  server.  The  implicit remoting function  of the
    RDS 1.5 via  the DataFactory component  should be disabled.   This
    problem  was  discovered  by  the  Microsoft  development team and
    documented in Microsoft Knowledge Base article Q184375.

    A  web  client  connecting  to  an  IIS  server  can  use  the RDS
    DataFactory object to direct that  server to access data using  an
    installed OLE DB provider.   This includes executing SQL calls  to
    ODBC-compliant databases using the  ODBC drivers installed on  the
    server.

    For example a web-client could issue a SQL command along with  the
    name or  IP address  of a  remote SQL  server, a  SQL account  and
    password, database name, and a SQL query string. If the request is
    valid (remote server is reachable by the IIS server, user  account
    and  password  are  correct,  database  name  is valid), the query
    results will be sent via HTTP back to the client. While it is true
    that this requires  significant inside information,  the potential
    accessibility of this information should not be underestimated, as
    organizations that don't follow good security practices could have
    blank  or  easy  to  guess  passwords  on  their SQL administrator
    accounts.  The RDS  DataFactory object along with  other installed
    ODBC drivers opens other possibilities, including possible  access
    to non-published files on the IIS server.

    The vulnerability  caused by  the DataFactory  is even  greater if
    some  newer  OLE  DB  Providers  are  installed  on  the   server.
    "Microsoft DataShape Provider" and "Microsoft JET OLE DB provider"
    (which  ship  with  MDAC  2.0  in  Visual  Studio  98) allow shell
    commands to be executed. If  the DataFactory is enabled on  such a
    server, Internet clients can use these providers to execute  shell
    commands, which can potentially bring down the server or otherwise
    severely affect its performance.

SOLUTION

    The Microsoft Product Security Response Team has produced a set of
    guidelines  and  scripts  to  assist  customers  in  disabling the
    implicit remoting  functionality of  the RDS  via the  DataFactory
    object.   If  you  don't  intentionally  use the implicit remoting
    functionality in the DataFactory object, you should disable it.

    Please note that you can still use RDS to invoke Business  Objects
    on the server, but an administrator must explicitly enable  access
    to these object  by inserting keys  for them in  the registry. Any
    pages  or  applications   that  rely  on   RDS's  Datacontrol   or
    DataFactory components will not work after this.

    If  the  following  registry  entries  are removed from the server
    hosting  IIS,  then  the  implicit  remoting  functionality   (via
    DataFactory) of RDS  will be disabled.  These keys can  be removed
    using  the  Registry  Editor  (REGEDT32.EXE),  or  other tools for
    manipulating the registry:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

    ASP pages that depend on  only ADO for database connectivity  will
    continue to function.  However, the benefits  section of the  IIS4
    sample site,  Exploration Air,  may not  function correctly  after
    this change is made.

    Upgrading to RDS  2.0 will not  automatically solve the  problem -
    you  must  configure  the  RDS  according  to your security needs.
    Please  refer  to  RDS  2.0  documentation  for  details on how to
    configure  the  default  INI  file  or  how  to  write  your   own
    customization handler.