SQL Anywhere Studio Security Guide
Restrictions and Other Security Concerns
This page describes operation of Adaptive Server Anywhere in a manner equivalent to a C2-security-certified configuration. It does not provide general-purpose information on the topic.
The following restrictions are required for Adaptive Server Anywhere to run in the certified C2 configuration.
Do not delete, modify, or replace any files under the Adaptive Server Anywhere installation directory, with the following exceptions:
win32\util_db.ini - this file may be modified as required.
win32\asasrv.ini - this file may be modified or deleted as required.
win32\rebuild.bat - this file may be modified as required.
win32\backup.syb - this file may be modified or deleted as required.
win32\procdebug.bat - this file may be modified as required.
win32\custom.SQL - this file may be modified as required.
win32\tjava.pdf - this file may be deleted as required.
Do not add any new files under the Adaptive Server Anywhere installation directory.
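The file rules above can be checked by comparing the installation directory against a baseline taken right after installation. The following is an added example, not part of the original guide or of the product: it encodes the listed exceptions (some files may only be modified, one may only be deleted) and reports every other change. The names win32/example.dll and win32/added.txt in the demo are constructed, and paths are compared in lower case.

```python
import hashlib
import os

# Exceptions listed above, relative to the installation directory.
# Paths are lower-cased because Windows file names are case-insensitive.
ALLOWED = {
    "win32/util_db.ini": {"modify"},
    "win32/asasrv.ini": {"modify", "delete"},
    "win32/rebuild.bat": {"modify"},
    "win32/backup.syb": {"modify", "delete"},
    "win32/procdebug.bat": {"modify"},
    "win32/custom.sql": {"modify"},
    "win32/tjava.pdf": {"delete"},
}

def snapshot(root):
    """Map each file's relative path (lower-cased, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def violations(baseline, current):
    """Return sorted (path, change) pairs that the restrictions do not permit."""
    found = []
    for path in baseline.keys() | current.keys():
        if path not in baseline:
            change = "add"       # new files are never permitted
        elif path not in current:
            change = "delete"
        elif baseline[path] != current[path]:
            change = "modify"
        else:
            continue
        if change not in ALLOWED.get(path, set()):
            found.append((path, change))
    return sorted(found)

def demo():
    # Constructed snapshots; made-up names, short strings stand in for digests.
    before = {"win32/example.dll": "a1", "win32/util_db.ini": "b1",
              "win32/tjava.pdf": "c1", "win32/rebuild.bat": "d1"}
    after = {"win32/example.dll": "a2", "win32/util_db.ini": "b2",
             "win32/tjava.pdf": "c2", "win32/added.txt": "e1"}
    return violations(before, after)
```

Store the result of `snapshot()` somewhere the sybase account cannot write, then pass it as `baseline` on later runs.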
The sybase account password should only be given to one person.
The path for the sybase account should not contain any directories other than %SystemRoot%\system32, %SystemRoot%, and the Adaptive Server Anywhere win32 directory.
Grant only the Login as a Service privilege to the sybase account.
DBA authority is very powerful. Only grant DBA authority to those users who require it. The number of DBA users should be kept to a minimum. However, each person who requires DBA authority should be given a separate account with DBA authority granted to it (that is, do not use shared DBA accounts).
DBAs who will be using the database outside of their DBA capacity should be given two different Adaptive Server Anywhere user accounts—one with DBA authority and one without. DBAs should only use the account with DBA authority when necessary.
The password for the DBA account must be changed upon creation of a new database.
The value for the min_password_length public option must be set to at least 6 upon creation of a new database.
The database engine or server must be run as a Windows NT service. Adaptive Server Anywhere is only certified when running as a service.
The following switches must be specified on the engine or server start line:
-sc -gd DBA -gk DBA -gl DBA -gu DBA -x namedpipes(TDS=NO)
The engine or server start line is specified when executing the dbsvc utility, so these switches must be included in the Details part of the dbsvc command.
For more information about dbsvc, see Service creation utility.
Do not use the -x parameter to start up any ports other than Named Pipes. Adaptive Server Anywhere is only certified in a standalone environment.
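The start-line requirements above can be verified before the line is handed to dbsvc. The following is an added example, not part of the original guide or of the product: it checks a start line for the required switches and rejects any -x entry other than Named Pipes with TDS=NO. The sample start lines and the database path are constructed, and the comma-separated form of the -x protocol list is an assumption.

```python
import re
import shlex

LEVEL_SWITCHES = ("-gd", "-gk", "-gl", "-gu")    # each must be set to DBA

# Constructed start lines; the database path is a made-up example.
GOOD = r"-sc -gd DBA -gk DBA -gl DBA -gu DBA -x namedpipes(TDS=NO) c:\db\sample.db"
BAD = r"-gd all -gk DBA -gl DBA -gu DBA -x tcpip(PORT=2638),namedpipes c:\db\sample.db"

def check_start_line(line):
    """Return a list of findings; an empty list means the switches match."""
    args = shlex.split(line, posix=False)    # posix=False keeps backslashes
    opts, i = {}, 0
    while i < len(args):
        tok = args[i]
        if tok in LEVEL_SWITCHES or tok == "-x":     # switches that take a value
            value = args[i + 1] if i + 1 < len(args) else ""
            opts.setdefault(tok, []).append(value.strip('"'))
            i += 2
        else:
            opts.setdefault(tok, []).append(None)
            i += 1
    findings = []
    if "-sc" not in opts:
        findings.append("missing -sc")
    for sw in LEVEL_SWITCHES:
        if [v.upper() for v in opts.get(sw, [])] != ["DBA"]:
            findings.append(f"{sw} must be given once, as DBA")
    # Assumed -x syntax: comma-separated protocols, each optionally followed
    # by "(name=value;...)". Split on commas that are outside parentheses.
    ports = [p for v in opts.get("-x", [])
             for p in re.split(r",(?![^()]*\))", v) if p]
    if not ports:
        findings.append("missing -x namedpipes(TDS=NO)")
    for port in ports:
        m = re.fullmatch(r"(\w+)(?:\((.*)\))?", port)
        name = m.group(1).lower() if m else port
        params = [p.strip().lower() for p in (m.group(2) or "").split(";")] if m else []
        if name != "namedpipes":
            findings.append(f"-x starts a port other than Named Pipes: {port}")
        elif "tds=no" not in params:
            findings.append("namedpipes must specify TDS=NO")
    return findings
```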
Do not grant REMOTE_DBA authority to any user.
Do not grant execute permission on the following system procedures to any user or group:
xp_cmdshell
xp_startmail
xp_sendmail
xp_stopmail
xp_read_file
xp_write_file
sp_audit_string
java_debug_version
java_debug_connect
java_debug_disconnect
java_debug_get_existing_vms
java_debug_free_existing_vms
java_debug_wait_for_debuggable_vm
java_debug_get_vm_name
java_debug_release_vm
java_debug_attach_to_vm
java_debug_detach_from_vm
java_debug_detach_request
Any system procedures introduced after version 7.
Do not create stored procedures or functions owned by any user with DBA authority.
Do not create triggers on any tables owned by any user with DBA authority.
Upgrade older databases by running the dbupgrad utility before using them.
For more information about upgrading a database, see Upgrading a database using the dbupgrad command-line utility.
Databases must use a transaction log file. Do not use the -n switch (no transaction log) when creating a database and do not execute dblog -n (do not use a transaction log or mirror) on a database.
All database, transaction log, dbspace, write file, and mirror files should be stored in non-shared, protected directories.
For guidelines on how to protect a directory, see Adaptive Server Anywhere software installation.
The java.net package is disabled in the engine or server. Java running in the database will not be able to use this package.
The java_input_output public option must always be set to OFF (the default).
Do not create a database user called guest. Such a user would allow any Windows NT user to connect to the database using integrated login.
Always set the login_mode public option to Integrated during database installation.
For more information, see Creating a database.
All connections to the database must use the integrated login mechanism. Standard connections to the database (that is, those specifying user ID and password) are not allowed in the certified configuration.
All integrated login mappings must be one-to-one. No two Windows NT user names may be mapped to the same database user.
Embedded SQL programs must not use the db_delete_file function because the name of the file being deleted is not audited.
Do not grant SELECT access on sys.sysuserperm or sys.syslogin to any non-DBA user.