Sybase 12.4.2 Server User Manual


 
Using an integrated login
90
Setting the attribute ’Integrated=yes’ in an ODBC data source causes database
connection attempts using that DSN to attempt an integrated login. If the
LOGIN_MODE database option is set to
Standard, the ODBC driver prompts
the user for a database user ID and password.
Security concerns: unrestricted database access
The integrated login features works by using the login control system of
Windows NT in place of the system Adaptive Server IQ uses to control access
to the database. Essentially, you pass through the database security if you can
log in to the machine hosting the database, and if other conditions outlined in
this chapter are met.
If you successfully log in to the Windows NT server as “dsmith”, you can
connect to the database without any further proof of identification provided
there is either an integrated login mapping or a default integrated login user ID.
When using integrated logins, database administrators should give special
consideration to the way Windows NT enforces login security in order to
prevent unwanted access to the database.
In particular, be aware that by default a "Guest" user profile is created and
enabled when Windows NT Workstation or Server is installed.
Warning! Leaving the user profile Guest enabled can permit unrestricted
access to a database being hosted by that server.
If the Guest user profile is enabled and has a blank password, any attempt to
log in to the server will be successful. It is not required that a user profile exist
on the server, or that the login ID provided have domain login permissions.
Literally any user can log in to the server using any login ID and any password:
they are logged in by default to the Guest user profile.
This has important implications for connecting to a database with the
integrated login feature enabled.
Consider the following scenario, which assumes the Windows NT server
hosting a database has a "Guest" user profile that is enabled with a blank
password.