Windows: S-TAP authentication guidelines
Most S-TAP (Software TAP) services run under a standard nonprivileged user account.
During a typical fresh installation, most of the S-TAP services are installed under the Local Service account by default. However, the GIM, FAM for NAS/SP, and FDEC for NAS/SP services default to Local System.
During a fresh custom installation, you can select the custom account that you like, including standard, nonprivileged, user accounts.
During upgrades, the service account from the initial installation remains in use, with one key exception. Services that operate under Local System (excluding GIM and NAS/SP) transition to Local Service during upgrades to one of the following versions: V10.6.0.178, V11.0.1.x, and V11.1.0.x or higher. This change effectively shifts the installation to run under a standard user account instead of one with full privileges. If the initial installation used a custom account, you can remove it from privileged groups, such as Administrators, after the upgrade.
The focal point of all S-TAP security checks is a local group named "Guardium Services" that is created during installation. The service account that the user selects for the Guardium services is added as a member of the Guardium Services group. Access to the services, files, and registry keys that the Guardium services must access and control is then granted to the Guardium Services group on behalf of those services. If the system administrator manually changes the service account for the Guardium services at a later time, the new account must be manually added as a member of the local system's Guardium Services group.
The Guardium Services group grants only those privileges that are needed to the services that require them. Usually, no special requirements are needed and the services run nonprivileged. However, the Guardium Database Monitor service and the Db2® TAP service must be granted the privilege SeDebugPrivilege.
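The following PowerShell audit is an added example, not IBM's code: it checks that the "Guardium Services" group exists, lists each Guardium service's logon account with its group membership, flags accounts still running as Local System or sitting in Administrators, and reports who holds SeDebugPrivilege. It assumes the service display names contain "Guardium" (the `$Pattern` parameter) and that it runs from an elevated prompt on the database server.

```powershell
# Added example (not IBM's code). Assumption: Guardium service display names
# contain "Guardium"; adjust $Pattern if your installation differs.
param([string]$Pattern = '*Guardium*', [string]$GroupName = 'Guardium Services')

function Get-AccountSid([string]$Account) {
    # Win32_Service reports Local System as the bare string 'LocalSystem'
    # and local accounts with a '.\' prefix that NTAccount cannot translate.
    if ($Account -eq 'LocalSystem') { return 'S-1-5-18' }
    $Account = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

$group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
if (-not $group) { Write-Warning "Local group '$GroupName' is missing"; return }
$groupSids = (Get-LocalGroupMember -Group $GroupName).SID.Value
$adminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value

# SIDs holding SeDebugPrivilege, read from an export of the local security policy.
$cfg = Join-Path $env:TEMP 'guardium-secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
$debugSids = @()
if ($line) {
    $debugSids = ($line.Line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$groupHasDebug = $debugSids -contains $group.SID.Value

Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $Pattern } |
    ForEach-Object {
        $sid = Get-AccountSid $_.StartName
        $inGroup = [bool]($sid -and $groupSids -contains $sid)
        [pscustomobject]@{
            Service       = $_.DisplayName
            Account       = $_.StartName
            InGuardiumGrp = $inGroup                                   # required by the page
            IsLocalSystem = ($sid -eq 'S-1-5-18')                      # still fully privileged
            InAdmins      = [bool]($sid -and $adminSids -contains $sid) # removable after upgrade
            HasSeDebug    = [bool]($sid -and (($debugSids -contains $sid) -or ($inGroup -and $groupHasDebug)))
        }
    } | Format-Table -AutoSize
```

Only the Guardium Database Monitor and Db2 TAP rows should show HasSeDebug as True; a True under IsLocalSystem for anything other than GIM or the NAS/SP services indicates an account that did not transition to Local Service.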