SQL Anywhere Studio Security Guide
Installation
This page describes operation of Adaptive Server Anywhere in a manner equivalent to a C2-security-certified configuration. It does not provide general-purpose information on the topic.
Next, you have to install Adaptive Server Anywhere in a C2-compliant manner. For C2 compliance you must use Adaptive Server Anywhere version 7.0.0, English only, without any EBFs (express bug fixes), in a standalone environment. Most of this book describes how to operate the current version of the software, but this section refers specifically to the C2-certified release.
To install Adaptive Server Anywhere 7.0.0
Log in to Windows NT as administrator.
Download the Adaptive Server Anywhere C2 patch from www.sybase.com/developer.
Run ASAC2Patch.exe and save the files into the default directory (C:\ASAC2Patch).
ASAC2Patch.exe is a self-extracting archive.
For information on this patch, see The Adaptive Server Anywhere C2 patch.
Open a command prompt window.
The Adaptive Server Anywhere installation includes MDAC (Microsoft Data Access Components). The MDAC installation replaces some Windows NT system DLLs which are part of the Windows NT TCB (trusted computing base). To avoid this, you must first make copies of these DLLs, and then replace them after the Adaptive Server Anywhere installation. The Adaptive Server Anywhere C2 Patch includes three batch files to facilitate this procedure.
The first batch file creates a temporary directory and copies fourteen .dll files and one .exe file from the C:\winnt\system32 directory. To run the first batch file, enter the following commands at the command prompt:
    C:
    cd \ASAC2Patch
    mdac1
    exit
Install the Adaptive Server Anywhere 7.0.0 software, using the following guidelines:
Clear the Adaptive Server Anywhere for NetWare checkbox.
Clear the Adaptive Server Anywhere for Windows CE checkbox.
Clear the UltraLite development components checkbox.
Clear all options under Synchronization.
Clear the PowerDynamo 3.5, PowerDesigner, and Infomaker 7 options.
If available, clear the Encryption for MobiLink Synchronization checkbox.
Use the default values for installation directories.
Reboot your machine after the installation is complete.
Log in to Windows NT as an administrator.
Install the Adaptive Server Anywhere C2 patch according to the directions in readme.txt (located in C:\ASAC2Patch).
You do not need to reboot the machine after this step.
Set permissions on the software directory as follows:
Double-click My Computer. Right-click the directory containing the Adaptive Server Anywhere software (it should be C:\Program Files\Sybase), and choose Properties.
Open the Security tab and then click the Permissions button.
Select Everyone, and change the Type of Access to Read.
Click Add. On the dialog that appears, select \\machine_name from the List Names From dropdown list. Select Administrators from the Names list and click Add.
Click Show Users. Select sybase from the Names list and click Add. Change Type of Access to Full Control, and click OK.
Make sure the list contains only the three entries mentioned above.
Check the Replace Permissions on Subdirectories checkbox.
Click OK, and answer Yes to the prompt.
Create a folder for the database and transaction log files. For example, you may create a folder C:\Databases. In the remainder of this document, this folder is referred to as the C2 database folder. Set the permissions on this folder as follows:
Double-click My Computer. Right-click the Databases folder and select Properties.
Click the Security tab and click the Permissions button.
Remove the Everyone entry.
Click Add. On the dialog that appears, select \\machine_name in the List Names From dropdown list, and then type sybase in the Add Names field. Change Type of Access to Full Control, and click OK.
Click OK.
Create a folder under C:\ called ASTMP for the engine to use as temporary storage space. Set the same permissions as for the Databases folder in the previous step.
Set the System environment variable ASTMP to the temporary folder just created: right-click the My Computer icon and choose Properties. Click the Environment tab. In the upper listbox, click any entry. Change the Variable entry to ASTMP, and change the Value entry to C:\ASTMP. Click Set, and then click OK.
The second batch file contained in the Adaptive Server Anywhere C2 Patch copies the .dll and .exe files from the temporary directory created by mdac1.bat into the C:\winnt\system32 directory. To run the second batch file, from the Start menu, choose Programs
    C:
    cd \ASAC2Patch
    mdac2
    exit
When putting Windows NT into the certified configuration, several registry keys are deleted. During Adaptive Server Anywhere installation, two of these keys are re-created. For Windows NT to remain in its certified configuration, these keys must be deleted again. Use regedt32.exe to delete the following registry keys:
Key | HKEY_LOCAL_MACHINE\SOFTWARE |
---|---|
Subkey | Microsoft\OS/2 Subsystem for Windows NT |
Entry | delete all subkeys |
Key | HKEY_LOCAL_MACHINE\SYSTEM |
---|---|
Subkey | CurrentControlSet\Control\Session Manager\Environment |
Entry | Os2LibPath |
Value | delete entry |
You must also ensure that these files have the correct permissions as shown below:
Files | C2-Level Permissions |
---|---|
BOOT.INI, NTDETECT.COM, NTLDR | Administrators: Full Control; SYSTEM: Full Control |
Close all open windows and reboot your machine.
You must reboot your machine for the Service Control Manager to read changes to system environment variables.
Log in to Windows NT as administrator.
The third batch file contained in the Adaptive Server Anywhere C2 Patch cleans up the temporary directory created by mdac1.bat. To run the third batch file, open a command prompt window. At the command prompt, enter the following commands:
    C:
    cd \ASAC2Patch
    mdac3
    exit
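The folder permissions set in the steps above can be checked after the fact. The following is an added example, not part of the original guide or of the C2 patch: it audits text captured from cacls for the software directory, the C2 database folder and the ASTMP folder against the entries those steps describe. The cacls line layout, the function names and the sample output (including the machine name NTBOX) are assumptions constructed for illustration.

```python
import re

# Expected entries, taken from the permission steps on this page.
# "exact" mirrors "only the three entries"; "forbidden" mirrors "Remove the Everyone entry".
DB_RULE = {"required": {"sybase": "F"}, "forbidden": {"everyone"}}
POLICY = {
    r"C:\Program Files\Sybase": {
        "required": {"everyone": "R", "administrators": "F", "sybase": "F"},
        "exact": True,
    },
    r"C:\Databases": DB_RULE,
    r"C:\ASTMP": DB_RULE,  # "same permissions as for the Databases folder"
}

# Assumed cacls line shape: [DOMAIN\]account:(flags)...<right letter>, e.g. R, C, F.
ACE = re.compile(r"^(?P<who>[^:]+):(?:\([A-Z]+\))*(?P<right>[A-Z])$")

def parse_cacls(path, text):
    """Return ({account: {rights}}, [lines that could not be parsed])."""
    entries, unparsed = {}, []
    for line in text.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]          # the first line carries the path
        line = line.strip()
        if not line:
            continue
        m = ACE.match(line)
        if m:
            account = m.group("who").split("\\")[-1].lower()
            entries.setdefault(account, set()).add(m.group("right"))
        else:
            unparsed.append(line)            # e.g. "special access" entries
    return entries, unparsed

def audit(path, text):
    """Compare captured cacls output for `path` with the page's settings."""
    rule = POLICY[path]
    entries, unparsed = parse_cacls(path, text)
    findings = ["unrecognised entry, review manually: " + u for u in unparsed]
    for account, right in rule["required"].items():
        if entries.get(account) != {right}:
            findings.append(f"{account}: expected {right}, found {sorted(entries.get(account, []))}")
    for account in entries:
        if account in rule.get("forbidden", ()) or (rule.get("exact") and account not in rule["required"]):
            findings.append(f"{account}: entry must not be present")
    return findings

# Constructed sample output (NTBOX is a made-up machine name).
GOOD = "C:\\Program Files\\Sybase Everyone:(OI)(CI)R\n  BUILTIN\\Administrators:(OI)(CI)F\n  NTBOX\\sybase:(OI)(CI)F\n"
BAD = "C:\\Databases Everyone:(OI)(CI)C\n  NTBOX\\sybase:(OI)(CI)F\n"
```

An empty list from audit() means the captured entries match the steps; anything the parser does not recognise is reported for manual review rather than silently passed.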