Windows: S-TAP authentication guidelines
Most of the S-TAP® services run under a standard, nonprivileged user account. Learn about this account and the Guardium Services group.
During a typical, fresh installation, the majority of the S-TAP services are installed under the Local Service account by default, except for GIM, FAM for NAS/SP and FDEC for NAS/SP services, which default to Local System.
During a fresh custom install, users can select a custom account of their choice, including standard, nonprivileged user accounts.
Upgrades continue to use whatever service account was in place at the time of the fresh install, with one important exception. Services that run under Local System (except for GIM and NAS/SP) are converted to run under Local Service during an upgrade to V10.6.0.178, V11.0.1.x, or V11.1.0.x and higher. This effectively transitions an installation to run under a standard user account rather than an account with full privileges. If the original fresh installation used a custom account, you can remove that account from all privileged groups (such as Administrators) after the upgrade.
The focal point of all S-TAP security checks is a local group named "Guardium Services" that is created during installation. The service account selected for the Guardium services by the user, whether Local Service or a custom account, is added as a member of the Guardium Services group. All service, file, and registry access is then granted to the Guardium Services group for the services, files, and registry keys that the Guardium services must access and control. If the system administrator manually changes the service account for the Guardium services at a later date, the new account must be manually added as a member of the local system's Guardium Services group.
The Guardium Services group grants only the privileges that are required, and only to the services that require them. In most cases there are no special requirements, and the services run completely nonprivileged. The Guardium Database Monitor service and the DB2 Tap service must, however, be granted the SeDebugPrivilege privilege.
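The following PowerShell audit is an added example and not IBM's own tooling: it lists the account each Guardium-related Windows service runs under and checks, by SID, whether that account is a member of the local "Guardium Services" group (as required after a manual service-account change) and whether it is still in Administrators (which the upgrade note says can be cleaned up). The service display-name pattern is an assumption; adjust it to the services installed on the host. It must run elevated on the S-TAP host.

```powershell
# Added example, not IBM's own tooling: audit Guardium service accounts against
# the "Guardium Services" local group. Assumption: the display-name pattern
# below matches the installed S-TAP services; run elevated on the S-TAP host.
$GroupName   = 'Guardium Services'
$NamePattern = '*Guardium*'   # assumption: adjust to your service display names

# Well-known service account names as reported in Win32_Service.StartName,
# mapped to their SIDs so membership can be compared by SID, not by spelling.
$WellKnown = @{
    'LocalSystem'                 = 'S-1-5-18'
    'NT AUTHORITY\LocalService'   = 'S-1-5-19'
    'NT AUTHORITY\NetworkService' = 'S-1-5-20'
}

function Get-AccountSid([string]$Account) {
    if ([string]::IsNullOrEmpty($Account)) { return $null }
    if ($WellKnown.ContainsKey($Account)) { return $WellKnown[$Account] }
    # Custom accounts such as ".\svc_guardium" or "DOMAIN\svc_guardium"
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account.TrimStart('.\'))
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # account cannot be resolved (deleted or untrusted domain)
    }
}

$groupSids = (Get-LocalGroupMember -Group $GroupName).SID.Value
$adminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value

Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        $sid = Get-AccountSid $_.StartName
        [pscustomobject]@{
            Service         = $_.DisplayName
            Account         = $_.StartName
            InGuardiumGroup = $groupSids -contains $sid   # must be $true per the guidelines
            IsLocalSystem   = $sid -eq 'S-1-5-18'         # expected only for GIM and NAS/SP services
            InAdministrators = $adminSids -contains $sid  # can be $false after the upgrade
        }
    } | Format-Table -AutoSize
```

Any row with InGuardiumGroup set to False means the service account was changed without being added to the group, which is the condition the guidelines warn about.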