Protect your website from RDS attacks

Source: Internet
Author: User

The fastest and most thorough fix is to remove RDS support altogether (Solution #6 below). If you really do need RDS, read on.
----------------------------------------------------------------------

---- [1. Problem
RDS attacks are not a simple problem. IIS 4.0 has many security vulnerabilities,
but Microsoft has never before released so many patches for the same one: three
different patches have been issued, and RDS still has problems. So what you need
is a real understanding of what RDS is; then you will know how to fix the
problem yourself.

The root cause is that Jet 3.5 allows a query to call VBA's shell() function,
and that function executes shell commands. (The exact mechanics are not
detailed here.) The second part of the problem is that IIS 4.0 installs MDAC
1.5 by default, which includes RDS. RDS allows remote access to ODBC components
through a browser, and it is implemented by a single DLL:
/msadc/msadcs.dll
So the problem is made up of two parts. In fact there is also a "third party":
the sample business object VbBusObj installed with the RDS SDK, which bypasses
the custom-handler restriction (see Case #2 below). For more information, see
the RDS patches released by Microsoft.
The solutions for these three cases are described in detail below.

---- [2. Solution
There are many ways to solve the problem, and they can be used in different
combinations. The details are described here as fully as possible.
-Solution #1: Remove cmd.exe (the patch method recommended by ULG)
Http://www.aviary-mag.com/News/Powerful_Exploit/ULG_Fix/ulg_fix.html

I recommend the ULG solution, although it still has problems: mdac.pl uses
cmd.exe to carry out the RDS attack, but cmd.exe is not the only way to
carry one out.


-Solution #2: Upgrade MDAC 1.5 to 2.0

MDAC 2.0 upgrades Jet 3.5 to Jet 3.52. The VBA shell() attack still works (and
it is exactly what an RDS attack needs), and RDS is still supported by default;
in fact, if you had deleted RDS, the upgrade reinstalls it. Points to note:

* The default Jet engine is 3.52 (the vulnerability is still present)
* Custom handlers are supported (this addresses anonymous use of RDS)
* The Microsoft.Jet.OLEDB.3.51 provider is registered

Note that the default setting of this solution is not good: you need to modify
the registry so that RDS can only be used through a custom handler. The
location in the registry is:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataFactory\HandlerInfo

Key name: HandlerRequired
Value: DWORD: 1 (safe) or 0 (unsafe)
We recommend setting the value to 1. This is also what Microsoft's
handsafe.exe / handsafe.reg patch does.
Now your system is protected from remote RDS attacks, but you can still be
attacked through other ODBC paths, including Excel, Word and Access trojan
files. So this solution has some shortcomings too.

-Solution #3: Upgrade Your MDAC 1.5 to 2.1

MDAC 2.1 upgrades Jet 3.5 to the Jet 4.0 engine, which does not have the RDS
attack vulnerability. But it also demonstrates an immutable law: the more
secure something is, the worse its compatibility. Because 3.5 and 4.0 differ
greatly, many people are reluctant to upgrade, since after the upgrade many
programs currently in use will stop working altogether. Details:

* The default database engine is Jet 4.0 (without this vulnerability)
* Custom handlers are supported (you can disable anonymous use of RDS)

However, a custom handler is not required by default; you still need to make
the same registry change as above.

-Solution #4: Upgrade Your MDAC 1.5 to 2.0, and then to 2.1
Now, if you are a good administrator, you will have kept your system
upgraded, and if you upgrade regularly you will have followed this order. You
still need to set HandlerRequired in the registry, because although 2.1 makes
Jet 4.0 (not vulnerable) the default database engine, the
Microsoft.Jet.OLEDB.3.51 provider left over from 2.0 is still registered. This
means that your applications (RDS included) can still reach the old Jet 3.5x
engine through that provider, something earlier versions of OLE DB could not
do. You should remove the old hook/provider entries from the registry; one
way is to delete the following keys:
HKEY_CLASSES_ROOT\Microsoft.Jet.OLEDB.3.51
HKEY_CLASSES_ROOT\Microsoft.Jet.OLEDB.3.51\Errors
You still have to face the compatibility issues, however.

-Solution #5: Install jetcopkg.exe (see Microsoft's Security Bulletin MS99-030)

JetCopkg.exe is a modified Jet 3.5 engine with additional security features
to prevent the attack. Its main effect is the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\3.5\Engines\SandboxMode
with these meanings:
0: sandbox mode disabled everywhere
1: sandbox mode on for Access, off for all other applications
2: sandbox mode off for Access, on for all other applications (IIS/RDS included)
3: sandbox mode on everywhere

(For more information, see
Http://support.microsoft.com/support/kb/articles/q239/1/04.asp)
It is worth noting that the default permissions on this registry value are
insecure: only authorized accounts should be allowed to modify it, otherwise
the value itself becomes a security risk. Remember this.
As long as the value is 2 or 3, all attacks against RDS are rejected, which
makes this the best solution; and because it still uses the Jet 3.5 engine,
you do not have to worry about compatibility. At the same time, even though
RDS can no longer be used to run commands, anonymous use of RDS still leaks
the information in your database. So you need a solid grounding in RDS
programming; I suggest you either disable RDS or upgrade to MDAC 2.0, so that
you can allow only authorized users to use RDS and reject anonymous users.
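The two registry settings above (HandlerRequired from Solution #2 and SandboxMode from Solution #5) and the permission warning on the SandboxMode value can be enforced and verified with the following script. It is an added example, not part of the original article or of Microsoft's handsafe/JetCopkg patches, and it is written for current PowerShell on a Windows host; on an NT 4 machine of the article's era the same edits are made with regedit. It assumes it runs elevated on the IIS host with MDAC 2.x (the DataFactory\HandlerInfo key) and the MS99-030 Jet 3.5 engine (the Jet\3.5\Engines key) installed; the ACL it applies is this example's own choice.

```powershell
# Added example, not part of the original article or of any Microsoft tool.
# Enforces the two registry settings the article relies on and locks down who
# may change them. Assumes it is run elevated on the IIS host with MDAC 2.x
# (DataFactory\HandlerInfo key) and the MS99-030 Jet 3.5 engine
# (Jet\3.5\Engines key) installed. The ACL below is this example's own choice.

$handlerKey = 'HKLM:\Software\Microsoft\DataFactory\HandlerInfo'
$jetKey     = 'HKLM:\Software\Microsoft\Jet\3.5\Engines'

function Set-RdsHardeningValue {
    param([string]$Key, [string]$Name, [int]$Expected)
    if (-not (Test-Path -Path $Key)) {
        # The key only exists once the component is installed. Creating it for
        # an absent component would merely look safe, so refuse and report.
        Write-Warning "$Key is missing; is the component installed?"
        return $false
    }
    New-ItemProperty -Path $Key -Name $Name -Value $Expected `
        -PropertyType DWord -Force | Out-Null
    # Read the value back rather than trusting the write.
    $actual = (Get-ItemProperty -Path $Key -Name $Name).$Name
    if ($actual -ne $Expected) {
        throw "$Key\$Name reads back as $actual, expected $Expected"
    }
    Write-Host "$Key\$Name = $actual"
    return $true
}

# Solution #2: HandlerRequired=1 makes the DataFactory refuse requests that do
# not go through a custom handler, which shuts out anonymous RDS queries.
$handlerOk = Set-RdsHardeningValue -Key $handlerKey -Name 'HandlerRequired' -Expected 1

# Solution #5: SandboxMode=3 keeps Jet's VBA sandbox on for every caller, so a
# query containing shell("cmd /c ...") is rejected by the engine itself.
$sandboxOk = Set-RdsHardeningValue -Key $jetKey -Name 'SandboxMode' -Expected 3

# The article warns that the default permissions on the SandboxMode value are
# too loose. Stop inheriting, then allow only Administrators and SYSTEM to
# write; everyone else (the IIS anonymous account included) gets read-only.
if ($sandboxOk) {
    $acl = Get-Acl -Path $jetKey
    $acl.SetAccessRuleProtection($true, $false)   # protect, drop inherited rules
    $rules = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Users',          'ReadKey')
    )
    foreach ($r in $rules) {
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList $r[0], $r[1], 'ContainerInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $jetKey -AclObject $acl
    Write-Host "ACL on $jetKey now allows writes only for Administrators and SYSTEM"
}

if (-not ($handlerOk -and $sandboxOk)) {
    Write-Warning 'Not every setting could be applied; RDS is not fully hardened.'
}
```

The script refuses to create a missing key rather than silently "securing" a component that is not installed, and it reads each value back after writing it, because a setting that did not take is exactly the false sense of safety the article cautions against.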

-Solution #6: delete/disable RDS
This is the method mentioned at the beginning of this article. Delete the
following file:
?:\Program Files\Common Files\System\Msadc\msadcs.dll
which is what provides the RDS call interface. Below are the more detailed
steps for removing RDS completely (if you are sure your website does not need
this function):

* Delete the /msadc virtual directory in the IIS console
* Delete the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch
* Delete the following directory:
?:\Program Files\Common Files\System\Msadc

---- [3. Situation
-Case #1: I do need RDS
First, upgrade your system to MDAC 2.0 and remember to install JetCopkg, or
upgrade to MDAC 2.1. Make sure you have set the HandlerRequired value in the
registry (see Solution #2 above). Make sure you have deleted all the RDS
sample programs. At the same time, revoke the anonymous account's access to
the /msadc directory and use a custom handler for processing.
For detailed steps, refer to:
Http://www.microsoft.com/Data/ado/rds/custhand.htm

-Case #2: I still want to use those examples. What should I do?
The only way is to prohibit anonymous accounts from accessing RDS. However,
VbBusObjCls bypasses the custom-handler access restriction, so if the samples
are installed in
?:\Program Files\Common Files\System\Msadc\Samples
you should follow these steps:
* Delete everything in the directory
?:\Program Files\Common Files\System\Msadc\Samples
* Delete the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
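The removal steps of Solution #6 and the narrower VbBusObj cleanup of Case #2 are the same three kinds of operation (a virtual directory, registry keys, a directory tree), so one script covers both. It is an added example, not the article's own procedure, and it is written for current PowerShell; on an NT 4 host the steps are done with the IIS console and regedit as the text describes. It assumes it runs elevated; that the directory the article writes as ?:\Program Files\Common Files\System\Msadc lives under $env:CommonProgramFiles; and that the IIS ADSI provider (IIS://) is available for the /msadc virtual directory on site instance 1. The -KeepRds switch selects the Case #2 behaviour.

```powershell
# Added example, not the article's own script. Removes the RDS pieces listed
# under Solution #6, or with -KeepRds only the VbBusObj sample registration
# from Case #2. Assumes it is run elevated; that the Msadc directory the
# article writes as ?:\Program Files\Common Files\System\Msadc is under
# $env:CommonProgramFiles; and that the IIS ADSI provider (IIS://) is
# available for the /msadc virtual directory on site instance 1.
# Run it with -WhatIf first to see what would be removed.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$KeepRds   # Case #2: keep RDS, remove only the unsafe sample object
)

$msadcDir  = Join-Path $env:CommonProgramFiles 'System\Msadc'
$launchKey = 'HKLM:\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'

function Remove-IfPresent {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        # Remove-Item honours -WhatIf/-Confirm passed to the script.
        Remove-Item -LiteralPath $Path -Recurse -Force
        if (-not $WhatIfPreference) { Write-Host "removed $Path" }
    } else {
        Write-Host "already absent: $Path"
    }
}

# Both cases: the sample business object is what lets an attacker bypass the
# custom-handler restriction, so its launch entry and the samples always go.
Remove-IfPresent (Join-Path $launchKey 'VbBusObj.VbBusObjCls')
Remove-IfPresent (Join-Path $msadcDir 'Samples')

if ($KeepRds) {
    # Case #2 stops here; HandlerRequired (Solution #2) must still be set to 1.
    return
}

# Solution #6, step 1: drop the /msadc virtual directory. The article does
# this in the IIS console; the IIS ADSI provider is an assumed alternative.
$siteRoot = 'IIS://localhost/W3SVC/1/Root'
if ($PSCmdlet.ShouldProcess("$siteRoot/msadc", 'Delete virtual directory')) {
    try {
        $root = [ADSI]$siteRoot
        $root.Delete('IIsWebVirtualDir', 'msadc')
        Write-Host "removed virtual directory $siteRoot/msadc"
    } catch {
        Write-Warning "could not remove /msadc via ADSI ($_); remove it in the IIS console"
    }
}

# Steps 2 and 3: the ADCLaunch key (the list of objects RDS may launch) and
# the Msadc directory that holds msadcs.dll itself.
Remove-IfPresent $launchKey
Remove-IfPresent $msadcDir

# Final check: none of these should survive a full removal.
foreach ($p in @($launchKey, $msadcDir, (Join-Path $msadcDir 'msadcs.dll'))) {
    if (Test-Path -LiteralPath $p) { Write-Warning "still present: $p" }
}
```

The final check matters because, as the Solution #2 text notes, an MDAC upgrade reinstalls RDS: rerunning the script after any MDAC change shows whether the pieces came back.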
