In-Depth Information
An excellent resource for hardening SQL Server is a script written by
Chip Andrews that you can download from www.sqlsecurity.com/
DesktopDefault.aspx?tabid=25 (or go to www.sqlsecurity.com and select
Tools -> Lockdown Script from the menu bar).
1.1.3 Hardening a DB2 UDB (LUW) environment
Physically secure the server on which the DB2 instance lives.
Do not run DB2 as root (or as LocalSystem on Windows). On Windows, run the service as a local nonprivileged user and lock down registry permissions on DB2 keys.
Verify that all DB2 files have restrictive file permissions. On UNIX this means 0750 or more restrictive.
Remove default accounts that are not used.
Remove the sample database and any other databases that are not needed.
Check for default passwords. Check password strengths, especially in db2admin, db2inst?, db2fenc?, and db2as. (More on this in Chapter 4.)
Enable password profiles (lockout and expiration).
Never use CLIENT authentication. Use SERVER_ENCRYPT, DCE_ENCRYPT, or KRB_SERVER_ENCRYPT if possible. (More on this in Chapter 4.)
Close unnecessary ports and services (e.g., the JDBC applet service and ports 6789 and 6790).
Remove all permissions granted to PUBLIC. At the very least, revoke IMPLICIT_SCHEMA database authority from PUBLIC.
Restrict who has SYSADM privileges. The installation may assign SYSADM privileges to too many of the default users, and it is important to remove these privileges.
Revoke privileges on system catalogs: SYSCAT.COLAUTH, SYSCAT.DBAUTH, SYSCAT.INDEXAUTH, SYSCAT.PACKAGEAUTH, SYSCAT.PASSTHRUAUTH, SYSCAT.ROUTINEAUTH, SYSCAT.SCHEMAAUTH, and SYSCAT.TABAUTH.
If running on Windows, add all normal users to the DB2USERS group and all administrators to the DB2ADMINS group.
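The following audit helper is an added example for this checklist, not code from the book or from IBM. It turns four of the items above (authentication type, 0750 file mode, IMPLICIT_SCHEMA held by PUBLIC, and PUBLIC grants on the SYSCAT views) into checks that read saved or live db2 CLP output on stdin; it assumes POSIX sh with sed, grep and tr, the standard db2 CLP output layouts quoted in its comments, and the SYSCAT.DBAUTH and SYSCAT.TABAUTH column names used in the queries.

```shell
# Added audit helper for the DB2 checklist above (not from the book). Each check
# reads saved or live command output on stdin, e.g. "db2 get dbm cfg | check_auth".
# Assumes: POSIX sh, sed/grep/tr, and the db2 CLP output layouts shown in comments.

# Authentication: reject CLIENT, accept only the encrypted options listed above.
check_auth() {
  auth=$(sed -n 's/.*(AUTHENTICATION) *= *//p' | tr -d '[:space:]')
  case "$auth" in
    SERVER_ENCRYPT|DCE_ENCRYPT|KRB_SERVER_ENCRYPT)
      echo "ok: AUTHENTICATION=$auth"; return 0 ;;
    CLIENT) echo "FAIL: AUTHENTICATION=CLIENT trusts the client's own login"; return 1 ;;
    "")     echo "FAIL: no AUTHENTICATION line in input"; return 1 ;;
    *)      echo "WARN: AUTHENTICATION=$auth is not an encrypted option"; return 2 ;;
  esac
}

# File permissions: "0750 or more restrictive" means no group-write bit and no
# 'other' bits. Argument is an octal mode, e.g. from: stat -c %a "$DB2_FILE"
perm_ok() {
  [ $(( 0$1 & 027 )) -eq 0 ]
}

# IMPLICIT_SCHEMA held by PUBLIC. Feed it the output of:
#   db2 "SELECT IMPLSCHEMAAUTH FROM SYSCAT.DBAUTH WHERE GRANTEE='PUBLIC'"
check_implschema() {
  if grep -q '^ *Y *$'; then
    echo "FAIL: PUBLIC has IMPLICIT_SCHEMA; run: REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC"
    return 1
  fi
  echo "ok: PUBLIC does not hold IMPLICIT_SCHEMA"
}

# PUBLIC grants on the SYSCAT views. Feed it the output of:
#   db2 "SELECT TABSCHEMA, TABNAME FROM SYSCAT.TABAUTH WHERE GRANTEE='PUBLIC' AND TABSCHEMA='SYSCAT'"
# Prints one REVOKE per granted view; exit status 1 when nothing is granted.
gen_revokes() {
  n=0
  while read -r schema tab; do
    case "$schema" in SYSCAT) ;; *) continue ;; esac   # skip header, rule, footer
    echo "REVOKE ALL PRIVILEGES ON TABLE $schema.$tab FROM PUBLIC;"
    n=$((n + 1))
  done
  [ "$n" -gt 0 ]
}
```

Run each function against a live instance by piping the quoted db2 command into it, or keep the captured output and re-run the checks after the lockdown to confirm the change.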