Article ID: 230680
Article Last Modified on 9/30/2003
APPLIES TO
- Remote Data Service for ADO 2.0
- Microsoft Remote Data Services 2.0
- Microsoft Remote Data Services 2.1
- Microsoft Remote Data Services 2.1
- Microsoft Remote Data Services 2.1
- Remote Data Service for ADO 2.5
- Remote Data Service for ADO 2.6
- Microsoft Remote Data Services 2.0
This article was previously published under Q230680
SUMMARY
With the advent of Microsoft Data Access (MDAC) 2.0, Remote Data Service (RDS) implements a new security feature called Handlers. These handlers are located in your Operating System root directory (that is, C:\Winnt\) inside the file Msdfmap.ini.
The file is divided into three different types of Handlers:
- Connect Handler - defined by [connect YourHandlerName]
- SQL Handler - defined by [sql YourHandlerName]
- Userlist Handler - defined by [userlist ConnectHandlerName]
MORE INFORMATION
Each type of handler is designed to cover a different area of security. A Connect Handler allows the developer to alias a data source name (DSN). A developer can use the handler name in place of the actual DSN in their code. The Connect Handler also allows for basic access privileges/>
Here is an example of a Connect Handler:
Inside Msdfmap.ini:
[connect CustomerDatabase]
Access=ReadOnly
Connect="DSN=AdvWorks"
Sample VBScript code using the handler:
AdvancedDataControl.Connect="CustomerDatabase"
Here, whenever the connect string is CustomerDatabase, RDS automatically substitutes DSN=AdvWorks. This keeps sensitive information out of the client application where the source may be viewed or otherwise reverse engineered.
SQL Handlers function much like Connect Handler, with the exception that they replace SQL code.
Consider this SQL Handler example:
Inside Msdfmap.ini:
[sql AuthorList]
SQL="SELECT * FROM AUTHORS"
Sample VBScript code using this handler with the preceding Connect Handler:
AdvancedDataControl.Connect="CustomerDatabase"
AdvancedDataControl.SQL="AuthorList"
Whenever RDS detects a query on AuthorList (either through the AdvancedDataControl or the DataFactory,) RDS replaces it with the appropriate SQL statement.
The final type of handler is the Userlist Handler. The Userlist handler only works with Windows NT Challenge/Response and allows the developer or administrator to set access levels similar to the Connect Handler, but based on the user connecting.
Here is a code sample using the Userlist Handler:
Inside Msdfmap.ini:
[connect CustomerDatabase]
Access=NoAccess
Connect="DSN=AdvWorks"
[userlist CustomerDatabase]
Administrator=ReadWrite
UserX=ReadOnly
With the preceding code sample, the Administrator will have full rights to the AdvWorks DSN, whereas UserX will have Read Only permissions. Everyone else will have No Access to the DSN.
If RDS cannot find a user-defined handler to perform a specific task, RDS will use the default handler. The default handler is specified by placing default after the type of handler desired.
Some example default handlers:
[connect default]
;this handler is called if RDS cannot find another handler
;we set the access level to NoAccess to close any possible security holes
Access=NoAccess
[sql default]
;to disable unknown or unauthorized statements, set SQL to an invalid query
SQL=" "
[userlist default]
;let's give the Administrator full permissions
Administrator=ReadWrite
Here is a list of valid Access levels for both the Connect and Userlist handlers:
- NoAccess - Absolutely No Access
- ReadOnly - Read Only Access
- ReadWrite - Read/Write Access
If handlers are not required, handlers can be disabled by running 'C:\Program Files\Common Files\System\msadc\Handunsf.reg' from the root drive.
REFERENCES
For more information, see the About RDS Customization Handlers topic under the Platform SDK in the MSDN Library. (c) Microsoft Corporation 1999, All Rights Reserved. Contributions by Jonathan Johnson, Microsoft Corporation.
Keywords: kbinfo KB230680
