Scripting Data Access Controls in Internet Explorer
New Information - SQL Server 2000 SP3.
Microsoft® SQL Server™ ships with several data access controls:
- SQL Namespace (SQL-NS)
- SQL Distribution control (replication)
- SQL Merge control (replication)
These controls are signed and marked "safe for initialization and scripting" and can be used in Microsoft Internet Explorer 5 or later.
Before deploying controls that can connect to data sources, you should thoroughly understand the security implications. When you use any of the SQL Server controls, the primary security concern is the ability to run under the authorized user's account through a Windows Authentication login to an instance of SQL Server. A Web page with a scripted control runs with the network identity of the user browsing the page. If the data source connection is based on the connected user's network identity (using Windows Authentication login), the control can access any data that the user browsing the page can access. If a Web page using the control is sent to a user, the control has the permissions of the user browsing the Web page. The control can then perform, without the user's knowledge, any actions the user has permission to perform in the database. This is one reason why it is important to limit database and server permissions as much as possible.
To help prevent unauthorized access or changes to a database, all the data access controls that are marked as "safe for scripting" take into account security zones settings when being loaded in Internet Explorer version 4.0 or later. If a control is not marked safe for scripting, it can run a script inside of Internet Explorer only at the Low security mode of Internet Explorer, and even then only after the user responded to a message stating that a script will be run.
Internet Explorer 4.0 does not provide an explicit security option for data access. Therefore, all the controls marked safe for scripting allow, prompt, or disallow scripting based on the security zone being used. The following table shows the Internet Explorer 4.0 settings.
|Security zone||Internet Explorer 4.0 notification|
|Local computer zone||Controls can be initialized or scripted regardless of data source or scripts.|
|Local intranet zone||User is warned of potential safety violation prior to loading the page. User can accept or reject initialization or scripting.|
|Trusted sites zone||Controls can be initialized or scripted regardless of data source or scripts.|
|Internet zone||User is warned of potential safety violation prior to loading the page. User can accept or reject initialization or scripting.|
|Restricted sites zone||Scripting errors occur if user attempts to view page and execute script.|
In contrast to Internet Explorer 4.0, Internet Explorer 5 supports an explicit security option for data access called "Access data sources across domains." This option can be customized, and the setting of this action is used to determine how the controls behave when they are run in Internet Explorer 5. The default settings in Internet Explorer 5 are the same as the programmed settings in Internet Explorer 4.0.
As with all security concerns, you must take specific actions to safeguard your system. SQL Server is protected from security problems only if users with the ability to use Windows Authentication logins configure the security settings correctly, and answer all security prompts correctly, and if the administrator properly limits the permissions of all users. When you grant database permissions, you should never grant permissions that you do not want users to have. Properly granting permissions will mitigate most security concerns.
Security Note These general steps to safeguard your system apply to any scripting host, including Microsoft Excel spreadsheets or Microsoft Word documents. Users should always enable the macro warning feature or similar security setting of an application to detect and prevent any attacks on data.