MDAC 2.5 SDK - Technical Articles


 

Securing Windows to Prevent ODBC Tracing

The Microsoft® Windows NT®/Windows® 2000 operating system provides a rich set of security features. This article describes how a system administrator who requires enhanced security can use functionality in Windows NT 4.0 and Windows 2000 to keep non-administrative users from initiating an ODBC trace. This functionality is not available in Microsoft Windows 95 or Windows 98.

Perform the following steps while logged in as an administrator:

  1. Log in to the machine you are protecting as the machine or domain administrator. Using Regedt32.exe, take ownership of the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI

  2. Set the value Trace to 0. The Trace value can be found under the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC

  3. Set the value TraceDll to an empty string. The TraceDll value can be found under the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC

  4. Set the permissions for Everyone to READ in the ODBC key.

  5. Remove explicit permissions on the ODBC key for any nonadministrative users.

Each user also has a registry file, named %SYSTEMROOT%\Profiles\Username\Ntuser.dat, and its ODBC key must be secured in the same way. These files can be loaded into Regedt32.exe by using the Load Hive command on the Registry menu:

  1. Make the HKEY_USERS window active, and click HKEY_USERS. Use the Load Hive command on the Registry menu to find the appropriate hive. When prompted for the key name, use the username you are editing.

  2. Take ownership of the ODBC key and its subkeys as was done in the preceding steps. The key will be found in the following location:

    HKEY_USERS\Username\SOFTWARE\ODBC\ODBC.INI\ODBC

  3. Set the value Trace to 0. The Trace value can be found under the following registry key:

    HKEY_USERS\Username\SOFTWARE\ODBC\ODBC.INI\ODBC

  4. Set the value TraceDll to an empty string. The TraceDll value can be found under the following registry key:

    HKEY_USERS\Username\SOFTWARE\ODBC\ODBC.INI\ODBC

  5. Set the permissions for Everyone to READ on the ODBC key.

  6. Remove explicit permissions on the ODBC key for any nonadministrative users.

  7. Unload the hive you just loaded.

The preceding steps secure only the registry keys that exist when the steps are performed. Whenever a new user is created, the seven steps above must be repeated for that user.
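
A read-only check of the result of both procedures, as an added example that is not part of the original article: it reports the Trace and TraceDll values and any non-administrative identity with write-type rights on each ODBC key. It assumes PowerShell 3.0 or later is available on the machine being checked, that only Administrators and Local System should be able to write to the key, and that any offline Ntuser.dat has first been loaded under HKEY_USERS as described above; the function name Test-OdbcTraceKey is hypothetical.

```powershell
# Added example: read-only audit of the ODBC tracing lockdown described above.
# Assumption: Administrators and Local System are the only identities that
# should hold write-type rights on the ODBC key.
$trusted   = 'S-1-5-32-544', 'S-1-5-18'
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Test-OdbcTraceKey {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $values = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue

    # Trace must be 0 and TraceDll must be an empty string.
    if ($null -ne $values.Trace -and "$($values.Trace)" -ne '0') {
        $findings += "Trace = $($values.Trace)"
    }
    if ($values.TraceDll) { $findings += "TraceDll = $($values.TraceDll)" }

    # Everyone should be READ only; flag any other identity that can write.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $canWrite = ([int]$rule.RegistryRights -band $writeMask) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
            $trusted -notcontains $rule.IdentityReference.Value) {
            $findings += "$($rule.IdentityReference.Value) holds $($rule.RegistryRights)"
        }
    }

    [pscustomobject]@{
        Key       = $Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

# HKEY_LOCAL_MACHINE plus every user hive currently loaded under HKEY_USERS.
$keys = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC')
$keys += @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\SOFTWARE\ODBC\ODBC.INI\ODBC" })

$keys | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-OdbcTraceKey -Path $_ } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated session; hives that do not contain the ODBC key are skipped, and identities are reported by SID.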