Microsoft KB Archive/818490

= INFO: Handunsf.reg File Has Been Removed in MDAC 2.8 Redist Setup for Security Reasons =

Article ID: 818490

Article Last Modified on 4/25/2003

-

APPLIES TO


 * Microsoft Data Access Components 2.8
 * Microsoft Remote Data Services 2.1

-



SUMMARY
This article discusses the Handunsf.reg file, which is removed from MDAC 2.8 Redist Setup Program. By running this Handunsf.reg file, you can change the default secure setting of the WWW Publishing Server and make the server to run in Unsafe Mode. Running the Server in Unsafe Mode is destructive because it can allow the malicious remote user to issue privileged (shell) commands.



Remote Data Service (RDS) Vulnerability Described
Remote Data Service (RDS) is a known vulnerability that affects Microsoft Windows servers that are running Internet Information Server (IIS). This vulnerability allows a malicious remote user to use a Web browser to force a Windows server to return information from relational databases or to run system commands.

An intruder can also use the vulnerability to issue shell commands, which can be very destructive to the Web server. Because the RDS Datafactory Object is a part of Microsoft Data Access Components (MDAC), you can make the Web server run in Unsafe mode by running the Handunsf.reg file.

RDS Datafactory Object uses a handler to read information from the Registry about unrestricted (Unsafe mode) access. The registry file Handunsf.reg has been provided to set up the handler registry entries for an unrestricted configuration. As a result, by running Handunsf.reg, you can make the server run in unrestricted (Unsafe) mode.

Removed for Security Reasons
Because of the vulnerability described earlier, Handunsf.reg has been removed by the MDAC 2.8 Redist setup. This does not affect installing and using MDAC components because there are no dependencies on this file.

Versions Affected
Handunsf.reg file is removed by MDAC 2.8 Redist setup from Windows Server build 3692 and later versions.

Note: Administrators can still make the server run in Unsafe mode because they can still use msdfmap.handler and edit the .ini file.

MDAC Default Configurations

 * MDAC version 2.1 and all later versions are, by default, configured to work in Safe Mode.
 * MDAC 1.5 and 2.0 are, by default, configured to work in Unsafe Mode.
 * When you upgrade to MDAC 2.1 from the earlier version, the default configuration is Unsafe Mode.

To work with Safe Mode, the following registry value has to be changed.

