The integrated login feature works by using the login control system of Windows in place of the system Sybase IQ uses to control access to the database. Essentially, you pass through the database security if you can log in to the machine hosting the database, and if other conditions outlined in this chapter are met.
If you successfully log in to the Windows server as “dsmith”, you can connect to the database without any further proof of identification provided there is either an integrated login mapping or a default integrated login user ID.
When using integrated logins, database administrators should give special consideration to the way Windows enforces login security in order to prevent unwanted access to the database.
In particular, be aware that by default a “Guest” user profile is created and enabled when Windows Workstation or Server is installed.
WARNING! Leaving the user profile Guest enabled can permit unrestricted access to a database being hosted by that server.
If the Guest user profile is enabled and has a blank password, any attempt to log in to the server will be successful. It is not required that a user profile exist on the server, or that the login ID provided have domain login permissions. Literally any user can log in to the server using any login ID and any password: they are logged in by default to the Guest user profile.
This has important implications for connecting to a database with the integrated login feature enabled.
Consider the following scenario, which assumes the Windows server hosting a database has a “Guest” user profile that is enabled with a blank password.
An integrated login mapping exists between the user dsmith and the database user ID DBA. When the user dsmith connects to the server with her correct login ID and password, she connects to the database as DBA, a user with full administrative rights.
But anyone else attempting to connect to the server as “dsmith” will successfully log in to the server regardless of the password they provide because Windows will default that connection attempt to the “Guest” user profile. Having successfully logged in to the server using the “dsmith” login ID, the unauthorized user successfully connects to the database as DBA using the integrated login mapping.
Disable the “Guest” user profile for security. The safest integrated login policy is to disable “Guest” on any Windows machine hosting a Sybase IQ database. This can be done using the Windows User Manager utility.
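One way to check and apply this policy from an elevated PowerShell prompt, as an added example that is not part of the original Sybase IQ documentation. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets, and a host that uses local accounts (not a domain controller); the function names are hypothetical.

```powershell
# Added example: audit the built-in Guest account on a database host and
# disable it if it is enabled. Run from an elevated session.

function Get-GuestAccount {
    # The built-in Guest account keeps the well-known RID 501 even when it
    # has been renamed, so match on the SID rather than the name "Guest".
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-501$' }
}

function Get-GuestExposure {
    $guest = Get-GuestAccount
    if (-not $guest) {
        Write-Warning 'No local account with RID 501 found on this host.'
        return
    }
    [pscustomobject]@{
        Name             = $guest.Name
        SID              = $guest.SID.Value
        Enabled          = $guest.Enabled
        # False means Windows accepts a blank password for this account,
        # which is the condition the scenario above depends on.
        PasswordRequired = $guest.PasswordRequired
        PasswordLastSet  = $guest.PasswordLastSet
        LastLogon        = $guest.LastLogon
    }
}

$status = Get-GuestExposure
if ($status) {
    $status | Format-List

    if ($status.Enabled) {
        # -Confirm prompts before the change; use -WhatIf for a dry run.
        Disable-LocalUser -SID $status.SID -Confirm
        # Re-read the account to verify the change took effect.
        Get-GuestExposure | Select-Object Name, Enabled
    }
    else {
        Write-Output "Guest account '$($status.Name)' is already disabled."
    }
}
```

A non-empty LastLogon value on the Guest account indicates it has been used, which is worth reviewing against database connection logs for the same period.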