91 lines
5.4 KiB
HTML
91 lines
5.4 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Common ODBC strategies that are not secure" />
|
|
<meta name="abstract" content="Avoid some common ODBC security techniques to ensure your environment is secure." />
|
|
<meta name="description" content="Avoid some common ODBC security techniques to ensure your environment is secure." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzaiiodbc09.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../books/sc415302.pdf" />
|
|
<meta name="DC.Relation" scheme="URI" content="../books/sc415304.pdf" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzaiiodbc13" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Common ODBC strategies that are not secure</title>
|
|
</head>
|
|
<body id="rzaiiodbc13"><a name="rzaiiodbc13"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Common ODBC strategies that are not secure</h1>
|
|
<div><p>Avoid some common ODBC security techniques to ensure your environment
|
|
is secure.</p>
|
|
<p>Sometimes system administrators attempt to secure access to the data, rather
|
|
than securing the data itself. This is extremely risky, as it requires that
|
|
administrators understand ALL of the methods by which users can access data.
|
|
Some common ODBC security techniques to avoid are:</p>
|
|
<div class="section"><h4 class="sectiontitle">Command line security</h4><p>This may be useful for a character-based
|
|
interface or for 5250 emulation-based applications. However, this method assumes
|
|
that if you prevent users from entering commands in a 5250 emulation session,
|
|
they can access data only through the programs and menus that the system administrator
|
|
provides to them. Therefore, command line security is never truly secure.
|
|
The use of iSeries™ Access
|
|
policies and Application Administration improve security, and use of object
|
|
level authority improves it even more.</p>
|
|
<p>Potentially, iSeries Access
|
|
for Windows<sup>®</sup> policies
|
|
can restrict ODBC access to a particular data source that might be read only.
|
|
Application Administration in iSeries Navigator can prevent ODBC access.</p>
|
|
<p>For
|
|
additional information, see the IBM<sup>®</sup> Security - Reference.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">User exit programs</h4><p>A user exit program allows the
|
|
system administrator to secure an IBM-supplied host server program. The iSeries Access
|
|
ODBC driver uses the Database host server: exit points QIBM_QZDA_INIT; QIBM_QZDA_NDBx;
|
|
and QIBM_QZDA_SQLx. Some ODBC drivers and iSeries Access for Windows data
|
|
access methods (such as OLE DB) may use other host servers.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Journals</h4><p>Journaling often is used with client/server
|
|
applications to provide commitment control. The journals contain detailed
|
|
information on every update made to a file that is being journaled. The journal
|
|
information can be formatted and queried to return specific information, including:</p>
|
|
<ul><li>The user profiles that updated the file</li>
|
|
<li>The records that were updated</li>
|
|
<li>The type of update</li>
|
|
</ul>
|
|
<p>Journaling also allows user-defined journal entries. When used with
|
|
a user exit program or trigger, this offers a relatively low-overhead method
|
|
of maintaining user-defined audits. For further information, see the Backup
|
|
and Recovery.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Data Source Name (DSN) restrictions</h4><p>The iSeries Access
|
|
ODBC driver supports a DSN setting to give read-only access to the database.
|
|
The iSeries Access
|
|
ODBC driver supports a read-only and a read-call data source setting. Although
|
|
not secure, these settings can assist in preventing inadvertent delete and
|
|
update operations.</p>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiiodbc09.htm" title="Highlights a few security considerations when working with ODBC, and provides references to more detailed security instructions.">iSeries Access for Windows ODBC security</a></div>
|
|
</div>
|
|
<div class="relinfo"><strong>Related information</strong><br />
|
|
<div><a href="../books/sc415302.pdf" target="_blank">iSeries Security - Reference</a></div>
|
|
<div><a href="../books/sc415304.pdf" target="_blank">Backup and Recovery</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |