From: John Price [john.price@GRS-SOFTWARE.COM]
Sent: Monday, July 26, 1999 4:20 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: RDS security issues - some thoughts

Hey all -

I'm new to this list ... I basically discovered it while investigating the
Microsoft RDS security hole described in MS99-025.   Thanks to rain forest
puppy for his lengthy and helpful post.  I am a developer working with
Internet-based apps that basically utilize RDS as their main data
connectivity strategy.  I'm not all that knowledgeable about security
issues, so bear with me.  Here's what I did to (hopefully) solve the RDS
problem.

1) deleted the \msadc\samples directory, including vbbusobj.dll - probably
overkill since I had already deleted the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\
                ADCLaunch\VbBusObj.VbbusObjCls

Now here's the interesting part.  All the Microsoft junk I read implied very
strongly that the much-discussed RDSServer.DataFactory class receives all
incoming RDS requests, and that to fix its security problem, you need to
write a custom replacement handler that sits in between the DataFactory and
the (ADO) data layer.  This may apply for some people, but what isn't
explained at all in any of the MS article (surprise!!) is that you only need
this generic replacement if you are passing connect strings and SQL right
from the client.  They describe using DataFactory (I forget where) as "true
3-tier computing".  Well it ain't, because all the SQL stuff (which is
business logic) is still in the client.

Someone please correct me if I am wrong, but I believe that when using
custom business objects, the DataFactory is not involved at all.  So on the
client, if you are doing this (VB),

    Dim MyRDS as New RDS.Dataspace
    dim obj as object

    Set obj = MyRDS.CreateObject("MyProgID", http://blahblahblah.com)

    the RDS request gets routed by IIS to the ADISAPI filter, which parses
the RDS MIME packets (that's how the method calls/arguments are transmitted)
and maps the request to the custom business object.  The DataFactory "don't
enter into it".   What I did next was this:

2) Deleted these keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\
                ADCLaunch\RDSServer.DataFactory

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\
                ADCLaunch\AdvancedDataFactory

    as well as the whole tree under

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory

   3) Ran my app.  Everything came up roses.  I didn't write a handler to
explicitly replace DataFactory - I (and others - gotta be fair) just wrote a
set of custom business objects that contain the specific methods we need to
execute for our apps.  So no generic "Execute" ability as in DataFactory.

I would also suggest using SSL and not just plain vanilla http, so that the
RDS packets are encrypted.

Comments and criticism welcome - just trying to confirm what I seem to have
figured out recently.

Cheers,

John




It says, "Insert disk #3", but only two will fit!

John Price, Microsoft Certified Professional, Visual Basic