Re: Remote data services in IIS 5
From: Michael Katz (mike@procinct.com)
Date: 09/20/02
- In reply to: Greene Paul: "Remote data services in IIS 5"
Date: Fri, 20 Sep 2002 13:15:43 -0700
To: focus-ms@securityfocus.com
From: Michael Katz <mike@procinct.com>
At 9/19/2002 04:09 PM, Greene Paul wrote:
>In IIS 4.0 there were some holes in RDS Datafactory related to the
>following registry settings:
>
> RDSServer.DataFactory
> AdvancedDataFactory
> VbBusObj.VbBusObjCls
>
>I can't find these listed in any of the security references I have for IIS
>5.0 security. Do these holes no longer exist in IIS 5.0?
With a clean installation of IIS5 (not an upgrade), I don't think that the
hole exists. It might if you have upgraded from IIS4. However, since the
MSADC virtual directory provides access to a number of dlls and is part of
the standard IIS5 default, best practices would dictate that you remove the
registry entries and the virtual directory MSADC if the IIS5 installation
isn't using RDS functionality or other functionality dependent on the MSADC
directory.
For IIS4 and IIS5, these keys are located at
\Registry\Machine\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch.
In a default installation of IIS5, RDSServer.DataFactory and
AdvancedDataFactory are present, but not VbBusObj.VbBusObjCls.
These registry settings are normally removed if one doesn't require Remote
Data Service (RDS) functionality (most people don't). These changes were
recommended in the following Microsoft Security Bulletins:
http://www.microsoft.com/technet/security/bulletin/ms98-004.asp and
http://www.microsoft.com/technet/security/bulletin/MS99-025.asp. The
removal of the /msadc virtual directory was also recommended as part of
disabling RDS.
Michael Katz
mike@procinct.com
Procinct Security
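
An offline check for the registry state discussed in this message, as an added example that is not part of the original post: it scans a `.reg` export for subkeys left under ADCLaunch. The function names and the sample export are constructed for illustration, and the key path is written in the `HKEY_LOCAL_MACHINE` form that exports use for `\Registry\Machine`.

```python
import re

# Parent key from the post, in the HKEY_LOCAL_MACHINE form that .reg exports use.
ADCLAUNCH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch"
# The three subkeys named in the thread.
RDS_KEYS = ("RDSServer.DataFactory", "AdvancedDataFactory", "VbBusObj.VbBusObjCls")
# A key header line is "[path]"; "[-path]" is a deletion directive in a .reg file.
KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")

def adclaunch_subkeys(reg_text):
    """Return direct subkeys of ADCLaunch present in .reg export text."""
    prefix = ADCLAUNCH.lower() + "\\"
    found = {}
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m or m.group(1) == "-":
            continue  # value line, blank line, or a key marked for deletion
        key = m.group(2)
        if key.lower().startswith(prefix):  # registry key names are case-insensitive
            child = key[len(prefix):].split("\\")[0]
            found.setdefault(child.lower(), child)
    return found

def audit(reg_text):
    """Split ADCLaunch subkeys into the RDS keys from the thread and anything else."""
    found = adclaunch_subkeys(reg_text)
    known = {k.lower() for k in RDS_KEYS}
    return {
        "rds_keys_present": [k for k in RDS_KEYS if k.lower() in found],
        "other_subkeys": [v for k, v in found.items() if k not in known],
    }

# Constructed sample matching the default IIS5 state described in the message:
# two of the three keys present, with one key written in a different case.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory]
"""

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

An empty `rds_keys_present` list means none of the three keys from the thread remain in the export; the `/msadc` virtual directory is configured separately and is not covered by this check.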