Microsoft Office 2000/Visual Basic Programmer's Guide   

Preventing Unauthorized Access from Malicious Scripts

A data access page uses the Microsoft Office Data Source control (MSODSC) to connect to its data source. When a data access page is open in Internet Explorer or in an HTML-capable mail reader that uses Internet Explorer browsing components, such as Outlook 98 or Outlook 2000, the MSODSC on the page logs on to the database with the identity of the user. A malicious user could exploit this fact by running script against the MSODSC to attempt to access databases on servers other than the one the page was downloaded from. Attempts to use the MSODSC to access databases on servers other than the one the page originated from are referred to as cross-domain data access.

The mode of data access used by the MSODSC determines whether a data access page is considered inherently safe, or if cross-domain data access is possible from the page. The MSODSC can be configured to use two modes of data access: two-tier or three-tier data access.

Two-tier data access refers to using a direct connection to a data source in a traditional client/server fashion — the client (first tier) makes a direct connection to the database server (second tier). To perform two-tier data access, the MSODSC makes a direct connection to its data source through an OLE DB provider registered on the user's computer. For an Access database, two-tier data access uses the local computer's Microsoft Jet 4.0 OLE DB provider to connect to an .mdb file located on a network share. For a SQL Server database, two-tier data access uses the local computer's Microsoft OLE DB provider for SQL Server to connect to a database server available on your local network.

Three-tier data access refers to using a third, remote component between the client and database components. Three-tier data access is typically used to access data across the Internet or an intranet. For three-tier data access that uses the MSODSC, this third component is the ADO Remote Data Service (RDS) component running on an Internet Information Server (IIS). To perform three-tier data access, the MSODSC sends a request via HTTP to IIS, and IIS passes the connection information to the RDS component, which then uses an OLE DB provider running on the server computer to connect to the database. Once RDS is connected to the database, it passes the retrieved data back through IIS to the client.

Note   If a user opens a data access page that is configured to use three-tier data access through an Internet firewall, that user will be authenticated twice: once as the page is initially opened, and again as the MSODSC binds data to the page. As a result, if the server is configured to use Basic Authentication, the user will have to enter his or her user name and password twice. This occurs because two separate HTTP connections are being made: (1) the connection from Internet Explorer to the Web server to retrieve the page, and (2) the connection from the Microsoft OLE DB Remoting Provider (MSRemote) to the Web server to bind the data.

Any data access page that uses two-tier data access is considered by Internet Explorer to be making a cross-domain access attempt. Depending on the security settings in Internet Explorer, when a user opens a data access page by using two-tier data access, one of three things occurs: the page is automatically disabled, the user is asked whether to allow data access, or the page is automatically enabled.

Internet Explorer security settings also define different security zones. If a page is published from a server in a trusted zone, the cross-domain attempt can be enabled automatically. In a controlled environment, such as a corporate intranet, your data access pages will perform better if you use two-tier data access and make sure that they are published from a server located in a trusted security zone. This is the simplest way to provide security against unauthorized access from malicious scripts. For more information about Internet Explorer data access security settings, see "Configuring Internet Explorer Data Access Security Settings" later in this chapter.

Important   If your data access page is connected to multidimensional data through the OLAP Services component of Microsoft SQL Server, you must use two-tier data access because the PivotTable Service, which is the OLE DB for OLAP provider for the OLAP Services component that is used to connect to multidimensional data, doesn’t support three-tier data access.

A data access page that uses three-tier data access to connect to a database is considered to be inherently safe regardless of what Internet Explorer security zone it is published from, and will not warn the user about cross-domain access attempts when it is opened if authentication settings have been configured correctly. There are three forms of authentication you can use for HTML pages published with Microsoft Internet Information Server:

Each method has certain advantages and disadvantages, and requires additional configuration to work correctly.

Before you can use any of these methods to prevent cross-domain access attempts, you must configure the data access method for the MSODSC on the data access page to use three-tier data access. To configure the data access method used for a data access page, set the UseRemoteProvider property of the MSODSC. The default setting is False, which configures the MSODSC to use two-tier data access. Using the default two-tier data access method is appropriate while you are developing the data access page (and, in fact, is the only data access method that will work if you are authoring the page using a local HTML file, or against a local copy of a database), but if you want to deploy the page using three-tier data access, you must change a property setting for the MSODSC. By setting the UseRemoteProvider property to True, you configure the MSODSC to use three-tier data access. The simplest method of configuring the UseRemoteProvider property is in the data access page's Design view, as described in the following procedure.

To configure the data access method used for a data access page

  1. Start Access and open the data access page you want to work with in Design view.

  2. Click the title bar of the data access page (to ensure that no other items are selected on the page), and then click Properties on the View menu.

  3. On the Data tab, set the UseRemoteProvider property to determine how you want to perform data access:

  4. Close the property sheet, and save your changes to the data access page.

Configuring Authentication Methods Used on Internet Information Server

After configuring the data access page for three-tier data access, you can determine what form of authentication you want to use with the page. You can configure an authentication method for an individual page or for the entire folder where you are publishing the page on your IIS server. The following procedure describes how to configure an authentication method.

To configure an authentication method used for a data access page

  1. On the computer running Internet Information Server, start the Internet Service Manager.

  2. Navigate to the Web Site folder where you are publishing your page.

  3. Do one of the following:

  4. Select the authentication method(s) you want to use: Anonymous Access, Windows NT Challenge/Response, or Basic. The following sections describe the options available for each method of authentication.

Using Anonymous Access Authentication

If you select Allow Anonymous Access for the page or the folder the page is in, IIS will always use the IIS Anonymous Access user account (Internet Guest Account) to access the page's data source. You can work with this account by running the User Manager for the IIS server computer's local domain. The account's name will have this format: IUSR_ComputerName. For example, if the name of the computer your IIS server is running on is OurWebServer, the IIS Anonymous Access user account will be named IUSR_OURWEBSERVER. If your page is authored against a SQL Server database, this Windows NT user account must be able to make a connection to the SQL Server database and access the data requested by the page. If the SQL Server database is set up to require Windows NT Authentication, the SQL Server administrator must specifically grant database permissions to that user account. If your page is authored against an Access database, the Anonymous User account must be able to access the network share where the database resides. In most cases this will require you to add the Anonymous User account as a domain account so that it will be recognized by both the IIS machine and the database machine, or to define a local account by using the same name and password on both IIS and database machines.

Using Windows NT Challenge/Response Authentication

If you clear the Allow Anonymous Access option for the page or the folder the page is in, and select the Windows NT Challenge/Response Authentication option, the IIS server will attempt to connect to the database by using the account of the user who opens the page in a browser. An important restriction in Windows NT Server 4.0 is that this connection appears to another computer as a "Null" session attempt with no security context, because a connection's security context can't be delegated to another computer under Windows NT Server 4.0. This means that if the SQL Server or Access database is located on a different computer than the IIS server that was used to publish the page, the connection will usually fail.

The only way to avoid the Windows NT Server restriction is to put the database on the same computer as the one that is running IIS to publish the data access page. For an Access database, the database must reside in a local folder on that computer. Additionally, because an Access database can't recognize Windows NT logon accounts, you must secure the database by using the method described in the section "Securing Your Database Without Asking Users to Log On" earlier in this chapter. For a SQL Server database, SQL Server must be installed and running on that computer. Then use a local computer address for the connection's data source. For example, for an Access database, you must set the data source to use a path on the IIS server's local drive, and for a SQL Server database, you need to set the connection's data source to (local).

When you initially author a data access page that uses an Access database as a data source, you may be working against a local copy of the database before you publish it. If this is the case, after you finish authoring the page, create a public share on the computer that is running the copy of IIS that will be used to publish the page, and put a copy of the database in that share. Then reset the page's data source to the path that is local to the computer running IIS (for example, "C:\Databases\MyDatabase.mdb" not "\\MyServer\Databases\MyDatabase.mdb"). Similarly, when you initially author a data access page by using a SQL Server database as a data source, the server the database resides on is identified by its network name, such as DATASERVER1. Before you publish the page, you must reset the page's data source to (local) so that the MSODSC control treats the database as local to the IIS server computer. The following procedure describes how to do this for both Access and SQL Server data sources.

To set a data access page to use the copy of the database that is local to the computer running IIS to publish the page

  1. Start Access and open the data access page you want to work with in Design view.

  2. On the View menu, click Field List.

  3. On the Database tab, right-click the database name, and then click Connection.

  4. Do one of the following:

  5. Click OK, and save your changes to the data access page.
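The local-to-IIS rule described above (a drive-letter path for an Access database, (local) for SQL Server) is easy to get wrong when a page authored against \\MyServer or DATASERVER1 is published unchanged. The following Python script is an added example, not code from the Programmer's Guide or from Access: it parses an ADO connection string of the kind the MSODSC stores, takes the UseRemoteProvider choice as a flag, and reports whether the data source is local to the IIS computer and which IIS authentication methods the page can therefore work with. The connection strings are constructed for the example; treating "." and "localhost" as equivalent to "(local)" is a SQL Server convention assumed here, not something this chapter states.

```python
"""Check whether a data access page's data source is local to the IIS server.

Added example (not from the Programmer's Guide): audits the ADO connection
string behind a page's MSODSC against the rule that, under Windows NT
Challenge/Response, a three-tier page can only reach a database on the IIS
computer itself, because Windows NT Server 4.0 does not delegate the
connection's security context to another computer.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Spellings SQL Server accepts for the local instance. "(local)" is the one the
# chapter names; "." and "localhost" are assumed equivalents (SQL Server convention).
LOCAL_SQL_SERVER_NAMES = {"(local)", ".", "localhost"}


@dataclass
class Finding:
    tier: int            # 2 or 3, derived from the MSODSC UseRemoteProvider setting
    provider: str
    data_source: str
    local_to_iis: bool   # True when the source lives on the IIS computer
    note: str


def parse_connection_string(conn: str) -> dict:
    """Split an ADO 'Key=Value;Key=Value' string into a dict keyed by lower-cased names."""
    parts = {}
    for item in conn.split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def data_source_is_local(provider: str, data_source: str) -> tuple[bool, str]:
    """Apply the chapter's rule: a local drive path for Jet, (local) for SQL Server."""
    p = provider.lower()
    if p.startswith("microsoft.jet.oledb"):
        if re.match(r"^\\\\", data_source):
            return False, "Jet database is on a network share (UNC path)"
        if re.match(r"^[A-Za-z]:\\", data_source):
            return True, "Jet database is on a local drive of the IIS computer"
        return False, "Jet path is not a drive-letter path; expected e.g. C:\\Databases\\x.mdb"
    if p == "sqloledb":
        if data_source.lower() in LOCAL_SQL_SERVER_NAMES:
            return True, "SQL Server data source is the local instance"
        return False, f"SQL Server data source '{data_source}' is a network name"
    return False, f"provider '{provider}' is not covered by this check"


def audit(conn: str, use_remote_provider: bool) -> Finding:
    """Classify a page by tier and say which IIS authentication methods it can work with."""
    parts = parse_connection_string(conn)
    provider = parts.get("provider", "")
    data_source = parts.get("data source", "")
    tier = 3 if use_remote_provider else 2
    local, why = data_source_is_local(provider, data_source)
    if tier == 2:
        note = ("two-tier: Internet Explorer treats the page as a cross-domain data "
                "access attempt; whether it runs depends on the zone setting")
    elif local:
        note = "three-tier: works with Anonymous, NT Challenge/Response or Basic authentication"
    else:
        note = ("three-tier: NT Challenge/Response will fail (no delegation); use Basic over SSL, "
                "Anonymous with a domain account, or move the database to the IIS computer")
    return Finding(tier, provider, data_source, local, f"{why}; {note}")


# Constructed connection strings mirroring the chapter's examples (not real deployments).
SAMPLE_PAGES = [
    (r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\\MyServer\Databases\MyDatabase.mdb", True),
    (r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Databases\MyDatabase.mdb", True),
    ("Provider=SQLOLEDB;Data Source=DATASERVER1;Initial Catalog=Sales;Integrated Security=SSPI", True),
    ("Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Sales;Integrated Security=SSPI", True),
    ("Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Sales;Integrated Security=SSPI", False),
]

if __name__ == "__main__":
    for conn, remote in SAMPLE_PAGES:
        f = audit(conn, remote)
        where = "local " if f.local_to_iis else "REMOTE"
        print(f"tier {f.tier} {where} {f.data_source!r}: {f.note}")
```

Run the script on the connection string copied from a page's property sheet before publishing; a REMOTE result on a three-tier page means the data source still points at the authoring copy of the database and must be reset as in the procedure above.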

Using Basic Authentication

If you clear the Allow Anonymous Access and Windows NT Challenge/Response Authentication options for the page or the folder the page is in, and select the Basic Authentication option, the IIS server will prompt the user to enter his or her Windows NT user account and password before opening the page. This method of authentication doesn't use delegation and for this reason doesn't have the restrictions described for Windows NT Challenge/Response authentication. However, basic authentication sends user account and password information across the network in an unencrypted format that could be intercepted by a malicious user. If you want to avoid this risk, you can set up your server to publish the data access page by using a Secure Sockets Layer (SSL) encrypted connection. For information about how to enable encryption, see the documentation for Microsoft Internet Information Server.

Strategies for Maintaining Secured Data Access Pages That Use Three-Tier Data Access

There are several ways you can manage how data access pages that use secure three-tier data access are authored and maintained:

Configuring Internet Explorer Data Access Security Settings

To configure the security settings in Internet Explorer, you use the Security tab of the Internet Options dialog box. In Internet Explorer 5, cross-domain data access is controlled by using the Access data sources across domains security setting. To view this setting, click Internet Options on the View menu, click the Security tab, click the zone you want to view settings for, and then click Customize Settings. To prevent all attempts to use cross-domain data access, set the Access data sources across domains setting to Disable. To allow a user who is browsing a data access page to decide whether to allow cross-domain data access, set the Access data sources across domains setting to Prompt. The default settings for the Access data sources across domains setting for each zone in Internet Explorer 5 are shown in the following table.

Zone               Setting
Internet           Disable
Local intranet     Prompt
Trusted sites      Enable
Restricted sites   Disable

If you can't or don't want to use three-tier data access with your data access pages, you can publish your pages from a Web site that is located in the Trusted sites zone. Using this strategy assumes either that all users who can publish pages to folders on that site are trusted, or that pages are examined and approved by an administrator before they are published on that site.
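An administrator who relies on the Trusted sites strategy above needs to know what the Access data sources across domains setting actually is on users' machines, not just the IE5 defaults. The following Python script is an added example, not part of the Programmer's Guide or the IEAK. It reads the per-zone setting from the registry where Internet Explorer stores it (value name 1406 under the Internet Settings\Zones key, with zone numbers 1 to 4 and data 0, 1 and 3 for Enable, Prompt and Disable; this layout is Microsoft's documented zone registry format and is not described on this page), predicts what happens when a two-tier page is opened from each zone, and flags any zone that is looser than the IE5 defaults in the table above. On a non-Windows machine the registry read is skipped and the defaults are assumed.

```python
# Audit the "Access data sources across domains" setting for each Internet Explorer zone.
#
# Added example (not from the Programmer's Guide). Registry layout used here is
# Microsoft's documented IE zone format, not something this page states:
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#   value name "1406" = Access data sources across domains
#   zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
#   data 0 = Enable, 1 = Prompt, 3 = Disable

ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
SETTING_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
VALUE_NAME = "1406"
# Internet Explorer 5 defaults, from the chapter's table.
IE5_DEFAULTS = {1: 1, 2: 0, 3: 3, 4: 3}
# What the chapter says happens to a two-tier page under each setting.
OUTCOMES = {
    0: "enabled automatically",
    1: "user is asked whether to allow data access",
    3: "page is disabled",
}


def read_zone_settings_from_registry() -> dict:
    """Read value 1406 for each zone from HKCU; returns {} when not on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    base = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    settings = {}
    for zone in ZONES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base + "\\" + str(zone)) as key:
                settings[zone] = winreg.QueryValueEx(key, VALUE_NAME)[0]
        except OSError:
            pass  # zone key or value absent: the built-in default applies
    return settings


def two_tier_page_outcome(zone: int, settings: dict) -> str:
    """What IE does when a two-tier data access page is opened from a server in `zone`."""
    value = settings.get(zone, IE5_DEFAULTS[zone])
    return OUTCOMES.get(value, f"unknown setting {value}")


def audit(settings: dict) -> list:
    """Flag zones where cross-domain data access is looser than the IE5 defaults."""
    findings = []
    for zone, default in IE5_DEFAULTS.items():
        value = settings.get(zone, default)
        name = SETTING_NAMES.get(value, str(value))
        if zone in (3, 4) and value != 3:
            findings.append(f"{ZONES[zone]}: set to {name}; untrusted zones should be Disable")
        elif value != default:
            findings.append(f"{ZONES[zone]}: set to {name}; IE5 default is {SETTING_NAMES[default]}")
    return findings


if __name__ == "__main__":
    current = read_zone_settings_from_registry()
    for zone, label in ZONES.items():
        print(f"{label:17} two-tier page: {two_tier_page_outcome(zone, current)}")
    for line in audit(current):
        print("FINDING:", line)
```

The audit deliberately treats Enable or Prompt in the Internet and Restricted sites zones as a finding even if a policy has set them, because those zones hold the servers an attacker controls; a Prompt in the Local intranet zone is the default and is only reported if changed.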

To control security settings for all users who install and use Internet Explorer 5, a system administrator can use the Internet Explorer Administration Kit (IEAK). For more information about the IEAK, see the Internet Explorer Administration Kit Web site at http://ieak.microsoft.com. For more information about creating and deploying secure data access pages, see the white paper "Creating Secure Data Access Pages" (DAP Security.doc), located in the ODETools\V9\Samples\OPG\Appendixes folder on the Office 2000 Developer CD-ROM.