Extended Windows security using the DB2ADMNS and DB2USERS groups
Extended security is enabled by default in all Db2® database products on Windows operating systems except IBM® Data Server Runtime Client and Db2 Drivers. IBM Data Server Runtime Client and Db2 Drivers do not support extended security on Windows platforms.
An Enable operating system security check box appears on the Enable operating system security for Db2 objects panel when you install Db2 database products. Unless you disable this option, the installer creates two new groups, DB2ADMNS and DB2USERS. DB2ADMNS is the Db2 Administrators Group and DB2USERS is the Db2 Users Group. DB2ADMNS and DB2USERS are the default group names; optionally, you can specify different names for these groups at installation time (if you select silent installation, you can change these names within the installation response file). If you choose to use groups that already exist on your system, be aware that the privileges of these groups are modified: they are granted the privileges listed in the table below, as required.
It is important to understand that these groups are used for protection at the operating-system level and are in no way associated with Db2 authority levels. However, the Db2 Administrators Group (for example, DB2ADMNS) is used as the default group for SYSADM, SYSMAINT, and SYSCTRL when no values are specified for the database manager configuration parameters SYSADM_GROUP, SYSMAINT_GROUP and SYSCTRL_GROUP. If you specify a SYSADM group, it is recommended that this group be the Db2 Administrators Group. An administrator can establish this setting after installation.
- Open a command prompt.
- Run the db2extsec command to update the security settings:
  db2extsec -a new computer name\DB2ADMNS -u new computer name\DB2USERS
Abilities acquired through the DB2ADMNS and DB2USERS groups
- DB2ADMNS
Full control over all Db2 objects (see the following list of protected objects).
- DB2USERS
Read and Execute access for all Db2 objects located in the installation and instance directories, but no access to objects under the database system directory and limited access to IPC resources. For certain objects, additional privileges may be granted as required (for example, write privileges, add or update file privileges, and so on). Members of this group have no access to objects under the database system directory.
Note: The meaning of Execute access depends on the object. For a .dll or .exe file, having Execute access means you have authority to execute the file; for a directory, it means you have authority to traverse the directory.
- Launch the Users and Passwords Manager tool.
- Select the user name to add from the list.
- Click Properties. In the Properties window, click the Group membership tab.
- Select the Other radio button.
- Select the appropriate group from the drop-down list.
Adding extended security after installation (db2extsec command)
If the Db2 database system was installed without extended security enabled, you can enable it by executing the command db2extsec. To execute the db2extsec command you must be a member of the local Administrators group so that you have the authority to modify the ACL of the protected objects.
You can run the db2extsec command multiple times if necessary. However, if you do so, you can only disable extended security again if you issue the db2extsec -r command immediately after each execution of db2extsec.
Removing extended security
You can remove extended security by running the command db2extsec -r, however, this will only succeed if no other database operations (such as creating a database, creating a new instance, adding table spaces, and so on) have been performed after enabling extended security. The safest way to remove the extended security option is to uninstall the Db2 database system, delete all the relevant Db2 directories (including the database directories) and then reinstall the Db2 database system without extended security enabled.
Protected objects
- File system
  - File
  - Directory
- Services
- Registry keys
- IPC resources, including:
  - Pipes
  - Semaphores
  - Events
  - Shared memory
Privileges owned by the DB2ADMNS and DB2USERS groups
Privilege | DB2ADMNS | DB2USERS | Reason |
---|---|---|---|
Create a token object (SeCreateTokenPrivilege) | Y | N | Token manipulation (required for certain token manipulation operations and used in authentication and authorization) |
Replace a process level token (SeAssignPrimaryTokenPrivilege) | Y | N | Create process as another user |
Increase quotas (SeIncreaseQuotaPrivilege) | Y | N | Create process as another user |
Act as part of the operating system (SeTcbPrivilege) | Y | N | LogonUser |
Generate security audits (SeSecurityPrivilege) | Y | N | Manipulate audit and security log |
Take ownership of files or other objects (SeTakeOwnershipPrivilege) | Y | N | Modify object ACLs |
Increase scheduling priority (SeIncreaseBasePriorityPrivilege) | Y | N | Modify the process working set |
Backup files and directories (SeBackupPrivilege) | Y | N | Profile/Registry manipulation (required to perform certain user profile and registry manipulation routines: LoadUserProfile, RegSaveKey(Ex), RegRestoreKey, RegReplaceKey, RegLoadKey(Ex)) |
Restore files and directories (SeRestorePrivilege) | Y | N | Profile/Registry manipulation (required to perform certain user profile and registry manipulation routines: LoadUserProfile, RegSaveKey(Ex), RegRestoreKey, RegReplaceKey, RegLoadKey(Ex)) |
Debug programs (SeDebugPrivilege) | Y | N | Token manipulation (required for certain token manipulation operations and used in authentication and authorization) |
Manage auditing and security log (SeAuditPrivilege) | Y | N | Generate auditing log entries |
Log on as a service (SeServiceLogonRight) | Y | N | Run Db2 as a service |
Access this computer from the network (SeNetworkLogonRight) | Y | Y | Allow network credentials (allows the Db2 database manager to use the LOGON32_LOGON_NETWORK option to authenticate, which has performance implications) |
Impersonate a client after authentication (SeImpersonatePrivilege) | Y | N | Client impersonation (required on Windows to allow use of certain APIs to impersonate Db2 clients: ImpersonateLoggedOnUser, ImpersonateSelf, RevertToSelf, and so on) |
Lock pages in memory (SeLockMemoryPrivilege) | Y | N | Large Page support |
Create global objects (SeCreateGlobalPrivilege) | Y | Y | Terminal Server support (required on Windows) |
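Because the table above is what db2extsec is supposed to put in place, an administrator can verify the result rather than trust it. The following PowerShell script is an added example, not part of the Db2 documentation or product: it exports the local User Rights Assignment with secedit and reports, for each group, its members and whether each privilege from the table is actually granted to that group's SID. It assumes the default group names DB2ADMNS and DB2USERS and must be run from an elevated prompt.

```powershell
# Added example: audit DB2ADMNS / DB2USERS privileges against the documented table.
# Assumes default group names (edit $Groups if other names were chosen at install time).
$Groups = @{
    DB2ADMNS = @('SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege',
                 'SeIncreaseQuotaPrivilege', 'SeTcbPrivilege', 'SeSecurityPrivilege',
                 'SeTakeOwnershipPrivilege', 'SeIncreaseBasePriorityPrivilege',
                 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
                 'SeAuditPrivilege', 'SeServiceLogonRight', 'SeNetworkLogonRight',
                 'SeImpersonatePrivilege', 'SeLockMemoryPrivilege', 'SeCreateGlobalPrivilege')
    DB2USERS = @('SeNetworkLogonRight', 'SeCreateGlobalPrivilege')
}

# Export the local policy; the [Privilege Rights] section lists each right as
#   SeXxxPrivilege = *S-1-5-...,*S-1-5-...   (SIDs prefixed with '*')
$cfg = Join-Path $env:TEMP 'db2-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = ($Matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

foreach ($g in $Groups.Keys) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        Write-Warning "Group $g does not exist; extended security may be disabled or use other group names."
        continue
    }
    # Rights are stored by SID, so resolve the group name first.
    $sid = (New-Object System.Security.Principal.NTAccount($g)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $members = (Get-LocalGroupMember -Group $g | ForEach-Object Name) -join ', '
    Write-Host "`n$g ($sid) members: $members"
    foreach ($p in $Groups[$g]) {
        $state = if ($rights[$p] -contains $sid) { 'OK     ' } else { 'MISSING' }
        Write-Host "  $state $p"
    }
}
```

A MISSING line for DB2ADMNS, or an unexpected member in either group, is the condition worth investigating; the membership list is also the quickest way to review who effectively holds the SYSADM default described earlier on this page.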