Securing the MSCS Cluster

The Sybase integration software that interfaces MSCS to Adaptive Server requires a login (with ha_role and sa_role) and password for the Adaptive Server you are configuring as a companion server. This allows the integration software to log into Adaptive Server when it needs to control it for cluster operations.

The login and its password are stored as part of the Windows NT registry Cluster Database (under HKLM\Cluster). This information is encrypted to prevent users from obtaining privileged login information by browsing the registry using tools like REGEDIT.EXE and REGEDT32.EXE. However, as with any reversible encryption, there is a possibility that a user could break the encryption. To address this possibility, Sybase recommends that you protect the appropriate area of the registry using a Discretionary Access Control List (DACL) that allows only administrators access to the information.

Perform the following steps to protect the cluster login and password in the registry:

  1. Run REGEDT32.EXE.

  2. In the window titled HKEY_LOCAL_MACHINE on Local Machine, double-click the Cluster folder. A subtree opens containing registry keys.

  3. Select the Resources registry key.

  4. Select Permissions from the Security menu. A dialog called Registry Key Permissions is displayed.

  5. Select Remove from the Registry Key Permissions dialog box to remove all entries displayed except CREATOR OWNER and machine_name\Administrators, where machine_name is the local machine name. This prevents anyone except administrative users from reading this part of the registry.

  6. Click OK to commit the changes.

Repeat this process on both cluster nodes.