Enhanced Security Features
DB2 UDB v8.2 introduced a number of new or enhanced security features. Many of these features are
designed specifically for the Windows platform. These include:
Group & User Accounts
– Support for group and user account names has been enhanced to include better
integration into the Windows operating system. Group names are no longer restricted to 8 characters on the
Windows platform. Group names can now be up to 30 characters in length and the names can now include
the &, - , and blank characters. User account names can now also include the &, - , and blank characters.
The instance ATTACH and database CONNECT statements now support two part names including
domain\userid and userid@domain. This support has been provided to reduce the overhead typically
associated with locating the domain a user account belongs too when only one part user accounts are used
for the ATTACH and CONNECT statements. Note that these features are only supported on the Windows platform (not on UNIX or Linux).
– Support for group enumeration has been extended to enable the use of Access
Tokens. Group enumeration which occurs by default at the server where the user account is authenticated
provides an enumerated list of groups for the user account. The location in which group enumeration is
performed can be changed from the default to either local or domain allowing the user account group
enumeration process to be performed on the local database server or on the domain in which the database
server is a member, regardless of where the user account is actually authenticated. The enablement of group
enumeration to utilize Access Tokens allows the database server to use the information contained within the
access token to enumerate both local groups and domain groups including global groups, domain local
groups, and universal groups. In the event that the domain controller is not available to authenticate a user
account, the database server can reference the information contained within the access token cached on the server from a previous user logon.
Local System Account
– Support for the Windows Local System Account (LSA) has been extended in
version 8.2 of the product. In addition to previous support for the various DB2 UDB services that can run
under this Windows built-in account, support has been extended to allow “LocalSystem” to be specified
during the installation process of DB2 UDB products. Support has also been extended to allow processes
running under the LSA to both ATTACH to an instance and CONNECT to a database. This support has been
provided to allow ISVs the option to utilize the built-in Local System Account to install and run DB2 UDB
products without the maintenance typically associated with managing a user account and password.
External System Level Security
– Support for external system level security has been added to the product in version 8.2. This new security feature is enabled by default during installation and provides
additional security for DB2 UDB objects at the system level. During a typical or minimal installation of DB2
UDB the DB2 registry variable db2_extsecurity is enabled and two security groups, DB2ADMNS and
DB2USERS, are defined at the operating system level. These groups are given privileges to the DB2 UDB file
system \SQLLIB\ and granted various User Rights Assignments. During a custom installation the names of
these security groups can be changed from the defaults to any supported group name or the external security feature can be disabled altogether.
– Support for data encryption has been enhanced to include encryption of user data flows
between DB2 clients and servers. The default authentication type for DB2 servers is SERVER and provides
no support for data encryption. The SERVER_ENCRYPT authentication type provides support for encryption
of userid and password. In order to support the encryption of user data two new authentication types
(DATA_ENCRYPT and DATAENCRYPT_CMP) were introduced in version 8.2 of the product. Both
authentication types DATA_ENCRYPT and DATA_ENCRYPT_CMP provide support for encryption of; SQL
statements, SQL program variable data, Output data from the server processing of an SQL statement and
including a description of the data, some or all of the answer set data resulting from a query, large object (LOB) data streaming and SQLDA descriptors.