Enhanced Security Features

DB2 UDB v8.2 introduced a number of new or enhanced security features. Many of these features are designed specifically for the Windows platform. These include:

Group & User Accounts – Support for group and user account names has been enhanced to integrate better with the Windows operating system. Group names are no longer restricted to 8 characters on the Windows platform; they can now be up to 30 characters long and can include the &, - and blank characters. User account names can now also include the &, - and blank characters. The instance ATTACH and database CONNECT statements now accept two-part names of the form domain\userid and userid@domain. This reduces the overhead typically associated with locating the domain a user account belongs to when only a one-part user account is supplied on ATTACH or CONNECT. Note that these features are supported only on the Windows platform (not on UNIX or Linux).

Group Enumeration – Support for group enumeration has been extended to allow the use of Windows access tokens. Group enumeration, which by default occurs at the server where the user account is authenticated, produces the list of groups the user account belongs to. The location at which group enumeration is performed can be changed from the default to either local or domain, so that the lookup is done on the local database server or in the domain of which the database server is a member, regardless of where the user account was actually authenticated. Enabling access-token based group enumeration lets the database server use the information in the access token to enumerate both local groups and domain groups, including global groups, domain local groups and universal groups. If the domain controller is not available to authenticate a user account, the database server can fall back to the information in the access token cached on the server from a previous logon of that user.
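The two features above are easiest to see from the Windows side. The following PowerShell is an added example, not code from this page or from IBM: it lists the groups carried in the caller's access token (the data a token-based lookup works from), switches the instance to token lookup, and then connects with a two-part name and asks DB2 which authorities it resolved. Assumptions: DB2_GRP_LOOKUP is the IBM-documented DB2 registry variable (values LOCAL, DOMAIN, TOKEN, TOKENLOCAL, TOKENDOMAIN) that this page does not name; SAMPLE and CORP\alice are placeholders; the DB2 CLP needs a db2cmd window or DB2CLP set to `**$$**` to run from PowerShell.

```powershell
# Added example (not from the page or from IBM). Assumptions: DB2_GRP_LOOKUP is
# the IBM-documented registry variable selecting group lookup (LOCAL, DOMAIN,
# TOKEN, TOKENLOCAL, TOKENDOMAIN); SAMPLE and CORP\alice are placeholders;
# $env:DB2CLP = '**$$**' initialises the CLP outside a db2cmd window.

function Get-TokenGroups {
    # Enumerate every group SID in the current access token and classify it
    # as local, domain or well-known, the same view a TOKEN lookup has.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        $name = $sid.Value                    # fall back to the raw SID if untranslatable
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $scope = if ($name -like 'BUILTIN\*' -or $name -like "$env:COMPUTERNAME\*") { 'local' }
                 elseif ($name -like 'NT AUTHORITY\*' -or $name -notlike '*\*')   { 'well-known' }
                 else                                                             { 'domain' }
        [pscustomobject]@{ Scope = $scope; Group = $name; Sid = $sid.Value }
    }
}

Get-TokenGroups | Sort-Object Scope, Group | Format-Table -AutoSize

$env:DB2CLP = '**$$**'

# Make the instance enumerate groups from the access token (effective on restart).
db2set DB2_GRP_LOOKUP=TOKEN
db2stop
db2start

# Connect with a two-part name (domain\userid) so DB2 does not have to search
# for the domain, then ask which authorities were resolved via group membership.
$cred = Get-Credential -UserName 'CORP\alice' -Message 'DB2 user (domain\userid)'
db2 connect to SAMPLE user $cred.UserName using $cred.GetNetworkCredential().Password
db2 get authorizations
db2 connect reset
```

Two operational caveats follow from the text. With token lookup the group list is whatever the logon session's token carries, so a user removed from a group keeps the old membership until a fresh logon builds a new token; and the domain-controller-unavailable fallback the page describes relies on exactly that cached data, so group revocations are not visible while the controller is unreachable. Account or group names containing blanks or & must be quoted when passed to the CLP.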

Local System Account – Support for the Windows Local System account (abbreviated LSA in this document; not to be confused with the Local Security Authority) has been extended in version 8.2. In addition to the existing ability to run the various DB2 UDB services under this built-in account, “LocalSystem” can now be specified as the account during installation of DB2 UDB products, and processes running as Local System can both ATTACH to an instance and CONNECT to a database. This gives ISVs the option of installing and running DB2 UDB products under the built-in Local System account without the maintenance typically associated with managing a dedicated user account and its password.

External System Level Security – Support for external system level security was added to the product in version 8.2. This feature is enabled by default during installation and protects DB2 UDB objects at the operating-system level. During a typical or minimal installation the DB2 registry variable DB2_EXTSECURITY is set and two security groups, DB2ADMNS and DB2USERS, are created at the operating-system level. These groups are granted permissions on the DB2 UDB installation directory (\SQLLIB\) and assigned various User Rights Assignments. During a custom installation the names of these security groups can be changed from the defaults to any supported group name, or the external security feature can be disabled altogether.
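Both the Local System account support and external system level security are operating-system settings, so they can be audited from Windows without touching the database. The script below is an added example, not code from this page or from IBM; it serves both paragraphs above: it reports which account each DB2 service logs on as, whether DB2_EXTSECURITY is set, who is in the two security groups, and whether the ACL on \SQLLIB\ grants write access to broad principals. Assumptions: the install path and the group names are the installation defaults (a custom install may have renamed or removed the groups); `db2set`, the WinNT ADSI provider, Get-CimInstance and Get-Acl are standard tooling; PowerShell 3.0 or later.

```powershell
# Added example (not from the page or from IBM). Assumptions: default install
# path and default group names; PowerShell 3.0+; db2set on the PATH.

$SqlLib = 'C:\Program Files\IBM\SQLLIB'   # placeholder install path
$Groups = @('DB2ADMNS', 'DB2USERS')        # install defaults; a custom install may rename them

function Get-Db2ServiceAccounts {
    # Logon account of each DB2 service. 'LocalSystem' is the built-in account
    # the page describes; anything else is a managed account with a password
    # that somebody has to rotate.
    Get-CimInstance Win32_Service -Filter "Name LIKE 'DB2%'" |
        Select-Object Name, StartName, State
}

function Test-Db2ExtSecurity {
    # A typical/minimal install sets DB2_EXTSECURITY=YES.
    $val = (& db2set DB2_EXTSECURITY 2>$null | Out-String).Trim()
    [pscustomobject]@{ Variable = 'DB2_EXTSECURITY'; Value = $val; Enabled = ($val -eq 'YES') }
}

function Get-Db2GroupMembers {
    # Members of the external security groups, via the WinNT ADSI provider so
    # the check works on older Windows versions without Get-LocalGroupMember.
    foreach ($g in $Groups) {
        $path = "WinNT://$env:COMPUTERNAME/$g,group"
        if (-not [ADSI]::Exists($path)) {
            [pscustomobject]@{ Group = $g; Member = '<group missing>' }
            continue
        }
        $grp = [ADSI]$path
        foreach ($m in $grp.Invoke('Members')) {
            $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{ Group = $g; Member = $name }
        }
    }
}

function Test-SqlLibAcl {
    # The install grants DB2ADMNS/DB2USERS rights on \SQLLIB\. Flag any Allow ACE
    # that gives write access to Everyone, Users or Authenticated Users, which
    # would undo the point of restricting the directory to the two groups.
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::Write
    $broad    = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in (Get-Acl -Path $SqlLib).Access) {
        $principal = $ace.IdentityReference.Value
        $writes    = (([int]$ace.FileSystemRights) -band $writeBit) -ne 0
        $finding   = if ($ace.AccessControlType -eq 'Allow' -and $writes -and ($broad -contains $principal)) {
                         'OVERLY PERMISSIVE' } else { '' }
        [pscustomobject]@{ Principal = $principal; Rights = $ace.FileSystemRights
                           Type = $ace.AccessControlType; Finding = $finding }
    }
}

Get-Db2ServiceAccounts | Format-Table -AutoSize
Test-Db2ExtSecurity
Get-Db2GroupMembers    | Format-Table -AutoSize
Test-SqlLibAcl         | Format-Table -AutoSize
```

The group membership listing is the check worth repeating after every change: DB2ADMNS membership is effectively administrative control of the DB2 installation, so it should be as small as the local Administrators group and reviewed on the same schedule.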

Data Encryption – Support for data encryption has been enhanced to cover the user data flowing between DB2 clients and servers. The default authentication type for DB2 servers is SERVER, which provides no encryption at all: userid, password and data cross the network in clear text. The SERVER_ENCRYPT authentication type encrypts the userid and password only. To encrypt the user data as well, two new authentication types, DATA_ENCRYPT and DATA_ENCRYPT_CMP, were introduced in version 8.2 of the product. Both authentication types encrypt: SQL statements; SQL program variable data; output data from the server's processing of an SQL statement, including the description of that data; some or all of the answer set data resulting from a query; large object (LOB) data streaming; and SQLDA descriptors. DATA_ENCRYPT_CMP is the compatibility form: it behaves as DATA_ENCRYPT for clients that support data encryption and falls back to SERVER_ENCRYPT for down-level clients that do not, so data from those clients is still sent in the clear.
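The setting that decides which of these cases applies is the instance's AUTHENTICATION configuration parameter. The PowerShell below is an added example, not code from this page or from IBM: it reads that parameter from `db2 get dbm cfg`, classifies it by what is left in clear text on the wire, and shows the weak default beside the corrected server and client settings. Assumptions: the `(AUTHENTICATION) = value` line format of `db2 get dbm cfg`; DBSRV, dbsrv.example.com, port 50000 and SAMPLE are placeholders; the sample cfg line is constructed; the CLP is initialised with DB2CLP set to `**$$**` or by running in a db2cmd window.

```powershell
# Added example (not from the page or from IBM). Assumptions: dbm cfg prints a
# line containing '(AUTHENTICATION) = <value>'; node, host, port and database
# names are placeholders; $env:DB2CLP = '**$$**' initialises the CLP.

function Get-Db2AuthPosture {
    param([string[]]$CfgLines)
    $auth = $null
    foreach ($l in $CfgLines) {
        if ($l -match '\(AUTHENTICATION\)\s*=\s*(\S+)') { $auth = $Matches[1].ToUpper(); break }
    }
    if (-not $auth) { throw 'AUTHENTICATION not found in dbm cfg output' }
    # What each DB2 UDB v8.2 type protects on the wire.
    switch ($auth) {
        'SERVER'           { $cred = 'clear text';                         $data = 'clear text' }
        'CLIENT'           { $cred = 'validated on client, server trusts'; $data = 'clear text' }
        'SERVER_ENCRYPT'   { $cred = 'encrypted';                          $data = 'clear text' }
        'DATA_ENCRYPT'     { $cred = 'encrypted';                          $data = 'encrypted' }
        'DATA_ENCRYPT_CMP' { $cred = 'encrypted'
                             $data = 'encrypted for capable clients; down-level clients fall back to SERVER_ENCRYPT (clear text)' }
        default            { $cred = 'unknown';                            $data = 'unknown' }
    }
    [pscustomobject]@{ Authentication = $auth; Credentials = $cred; UserData = $data
                       Acceptable = ($auth -eq 'DATA_ENCRYPT') }
}

# Constructed sample of the relevant cfg line, so the classifier can be tried offline.
$sample = @(' Database manager authentication        (AUTHENTICATION) = SERVER')
Get-Db2AuthPosture -CfgLines $sample | Format-List

# Live instance.
$env:DB2CLP = '**$$**'
Get-Db2AuthPosture -CfgLines (& db2 get dbm cfg) | Format-List

# Weak default on the server (nothing encrypted):
#   db2 update dbm cfg using AUTHENTICATION SERVER
# Corrected: encrypt credentials and user data for every client.
db2 update dbm cfg using AUTHENTICATION DATA_ENCRYPT
# While down-level clients still exist, DATA_ENCRYPT_CMP (a server-side-only
# value) admits them via SERVER_ENCRYPT; drop back to DATA_ENCRYPT once they
# are upgraded:
#   db2 update dbm cfg using AUTHENTICATION DATA_ENCRYPT_CMP
db2stop
db2start

# Client side: catalog the database requesting the same authentication type.
db2 catalog tcpip node DBSRV remote dbsrv.example.com server 50000
db2 catalog database SAMPLE at node DBSRV authentication DATA_ENCRYPT
```

Treat DATA_ENCRYPT_CMP as a migration setting rather than an end state: the posture report above marks only DATA_ENCRYPT as acceptable because with the compatibility form any old client silently gets the weaker SERVER_ENCRYPT behaviour, and nothing on the server side tells you which sessions that applied to.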


Copyright © 1998 - 2016 Ten Digit Consulting, LLC | All rights Reserved.