Hi
My current Business Objects environment configuration is below: BO 5.1.6, Webi 2.7.3, Oracle 8.0, IIS 6.0, Windows NT SP6. Our security team has done a scan on the servers and they found that having IIS RDS is a big security risk.
My questions for you are the following.
1. If we remove IIS RDS, is it going to affect the Business Objects application?
2. If we remove IIS RDS, is it going to affect Webi & ZABO users who are running reports off the server?
3. Can we upgrade IIS RDS, or do you have any solution for this? I have attached the scan file I got from them for your information.
Security team quote: “IIS RDS: IIS unauthorized ODBC data access with RDS (CVE-1999-1011). Microsoft Data Access Components (MDAC) versions 2.1 & earlier, in the default configuration, could allow a remote hacker to access OLE database sources.
Remote Data Services (RDS), one of the components of MDAC, is designed to permit data access to authenticated users through Microsoft Information Server (IIS).
If we remove RDS because the functionality is not needed, can we delete the /msadc virtual directory from the default web site & registry keys?”
[quote=“Nick Daniels”]I’d be surprised if you have a version of MDAC as low as 2.1…the way I read it is if you don’t, then there is no issue?[/quote]
We do have a version of MDAC version 2.1.
So do you think it is a good idea to delete the MDAC folder, or just upgrade it to a higher version?
I have attached the snapshot of the file I got from the security team.
Please advise on how to move ahead.
Good lord, well personally I’d do an upgrade if that would keep your security team happy, but I know nothing about IIS RDS, just noticed the strange reference to MDAC 2.1.
Hi Nick
My only worry is if I upgrade the version of MDAC higher than 2.1, is it going to affect the Business Objects application?
Is this upgrade in any way going to affect the reports or the users in any way?
I just don’t know. If you are using Oracle through the Oracle client, then Microsoft Database Access Components is in theory irrelevant as you are not using OLE DB or ODBC…but that is just my understanding.