Microsoft® SQL Server™ version 7.0 ships with several data access controls:
These controls are signed and marked “safe for initialization and scripting” and can be used in Microsoft Internet Explorer (IE) version 4.0 or later.
Before deploying controls that can connect to data sources, you should thoroughly understand the security implications of opening this access. When you use any of the SQL Server controls, the primary security concern is the ability to run under the authorized user’s account through a Windows NT Authentication login to SQL Server. A Web page with a scripted control runs with the network identity of the user browsing the page. If the data source connection is based on the connected user’s network identity (using Windows NT Authentication login to SQL Server), the control can access any data that the user browsing the page can access. If a malicious Web page using the control is sent to a user, the control has the permissions of the user browsing the Web page. The control can then read or make changes to databases without the user's knowledge.
To prevent unauthorized access or changes to a database, all the data access controls shipped with SQL Server 7.0 that are marked as “safe for scripting” take into account security zones settings when being loaded in Internet Explorer 4.0 or later. (If a control is not marked safe for scripting, it can run a script inside of IE only at the Low security mode of IE, and even then only after the user responded to a message stating that a script will be run.) Another way to deal with the issue is to remove the user’s ability to do an Windows NT Authenticated login to SQL Server.
IE 4.0 does not provide an explicit security option for data access. Therefore, all the controls marked safe for scripting allow, prompt, or disallow scripting based on the security zone being used. The table shows the IE 4.0 settings.
| Security zone | Internet Explorer 4.0 notification |
|---|---|
| (local machine zone) | Controls can be initialized or scripted regardless of data source or scripts. |
| Local intranet zone | User is warned of potential safety violation prior to loading the page. User can accept or reject initialization or scripting. |
| Trusted sites zone | Controls can be initialized or scripted regardless of data source or scripts. |
| Internet zone | User is warned of potential safety violation prior to loading the page. User can accept or reject initialization or scripting. |
| Restricted sites zone | Scripting errors occur if user attempts to view page and execute script. |
In contrast to IE 4.0, IE version 5.0 supports an explicit security option for data access called “Access data sources across domains.” This option can be customized, and the setting of this action is used to determine how the controls behave when they are run in IE 5.0. The default settings in IE 5.0 are the same as the programmed settings in IE 4.0.
As with all security concerns, you must take specific actions to safeguard your system. The capabilities described above provide the mechanics to do so. SQL Server is protected from security attacks only if users with the ability to do Windows NT Authenticated logins to SQL Server configure the security settings correctly, and that they answer all security prompts correctly. Users with access to secure data sources should be educated about the potential security risks and how to configure the IE security settings and respond to data access prompts.
Note These general steps to safeguard your system apply to any scripting host, including Microsoft Excel spreadsheets or Microsoft Word documents. Users that have the ability to Windows Authenticated logins should always enable the macro warning feature or similar security setting of an application to detect and actively prevent any malicious attacks on your data.
| Developing SQL-DMO Applications | Creating DTS ActiveX Scripts |
| Programming SQL-NS Applications | Programming Replication ActiveX Controls |