Windows: S-TAP authentication guidelines

Most S-TAP® (Software TAP) services run under a standard nonprivileged user account.

During a typical fresh installation, most of the S-TAP services are installed under the Local Service account by default. However, the GIM, FAM for NAS/SP, and FDEC for NAS/SP services default to Local System.

During a fresh custom installation, you can select any account you like, including a standard, nonprivileged user account.

During upgrades, the service account from the initial installation remains in use, with one key exception. Services that operate under Local System (excluding GIM and NAS/SP) transition to Local Service during upgrades to one of the following versions: V10.6.0.178, V11.0.1.x, and V11.1.0.x or higher. This change effectively shifts the installation to run under a standard user account instead of one with full privileges. If the initial installation used a custom account, you can remove it from privileged groups, such as Administrators, after the upgrade.

The focal point of all S-TAP security checks is a local group named "Guardium Services" that is created during installation. The service account that the user selects for the Guardium services is added to this group as a member. Access to the services, files, and registry keys that the Guardium services must access and control is then granted to the Guardium Services group rather than to individual accounts. If the system administrator later changes the service account for the Guardium services, the new account must be manually added as a member of the local system's Guardium Services group.

The Guardium Services group grants only the privileges that the services actually need. Usually no special privileges are required and the services run nonprivileged. However, the Guardium Database Monitor service and the Db2® TAP service must be granted SeDebugPrivilege.
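The two preceding paragraphs describe two conditions an administrator can verify after an installation, upgrade, or manual service-account change: each S-TAP service account must be a member of the local "Guardium Services" group, and SeDebugPrivilege should be held only where the guidelines require it. The following PowerShell audit script is an added example written for this page; it is not part of IBM's documentation or of the S-TAP product. It assumes an elevated PowerShell 5.1 or later session on the database server (secedit needs elevation), the Microsoft.PowerShell.LocalAccounts module for Get-LocalGroupMember, and the service names listed on this page; the Db2 TAP service name is not given on the page, so add it to $serviceNames yourself if it is installed.

```powershell
# Added audit example (not IBM's code): checks Guardium Services group membership
# of each Windows S-TAP service account and reports who holds SeDebugPrivilege.
# Assumptions: elevated PowerShell 5.1+, LocalAccounts module available,
# service names as listed on the page (extend $serviceNames for the Db2 TAP service).

$groupName    = 'Guardium Services'
$serviceNames = @('GUARDIUM_STAP', 'DbMonitorx64', 'DbMonitorx86', 'Guardium Resource Monitor')

# Well-known SIDs for the built-in accounts that a service's StartName can name.
$wellKnown = @{
    'LOCALSYSTEM'                  = 'S-1-5-18'
    'NT AUTHORITY\SYSTEM'          = 'S-1-5-18'
    'NT AUTHORITY\LOCALSERVICE'    = 'S-1-5-19'
    'NT AUTHORITY\LOCAL SERVICE'   = 'S-1-5-19'
    'NT AUTHORITY\NETWORKSERVICE'  = 'S-1-5-20'
    'NT AUTHORITY\NETWORK SERVICE' = 'S-1-5-20'
}

function ConvertTo-AccountSid {
    # Resolve a service logon account name to its SID; $null if it cannot be resolved.
    param([string]$AccountName)
    $key = $AccountName.ToUpperInvariant()
    if ($wellKnown.ContainsKey($key)) { return $wellKnown[$key] }
    # ".\user" denotes a local account on this machine.
    if ($AccountName.StartsWith('.\')) { $AccountName = "$env:COMPUTERNAME\" + $AccountName.Substring(2) }
    try {
        return ([System.Security.Principal.NTAccount]$AccountName).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

# 1. Current membership of the Guardium Services group, keyed by SID so that
#    ".\svc", "HOST\svc" and "NT AUTHORITY\LOCAL SERVICE" spellings all compare equal.
$group = Get-LocalGroup -Name $groupName -ErrorAction Stop
$memberSids = @{}
foreach ($m in Get-LocalGroupMember -Group $group -ErrorAction Continue) { $memberSids[$m.SID.Value] = $m.Name }

# 2. Logon account of each S-TAP service and whether that account is in the group.
$findings = foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $serviceNames -contains $_.Name }) {
    $sid = ConvertTo-AccountSid $svc.StartName
    [pscustomobject]@{
        Service           = $svc.Name
        LogonAccount      = $svc.StartName
        AccountSid        = $sid
        InGuardiumGroup   = ($null -ne $sid -and $memberSids.ContainsKey($sid))
        RunsAsLocalSystem = ($sid -eq 'S-1-5-18')
    }
}
$findings | Format-Table -AutoSize

# 3. Holders of SeDebugPrivilege from the local security policy. secedit writes
#    the assignment as "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-..." (asterisk-prefixed SIDs).
$cfg = Join-Path $env:TEMP 'guardium-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
"SeDebugPrivilege holders: $($holders -join ', ')"
"Guardium Services group holds SeDebugPrivilege: $($holders -contains $group.SID.Value)"

# 4. Flag the condition the guidelines call out: a service account that was changed
#    by hand but never added to the Guardium Services group.
foreach ($f in $findings) {
    if (-not $f.InGuardiumGroup) {
        Write-Warning "$($f.Service) runs as '$($f.LogonAccount)', which is not a member of '$groupName'."
    }
    if ($f.AccountSid -and ($holders -contains $f.AccountSid)) {
        "$($f.Service): its account holds SeDebugPrivilege directly."
    }
}
```

Membership is compared by SID rather than by display name because the same account appears under several spellings (".\svc", "HOST\svc", "NT AUTHORITY\LOCAL SERVICE"). RunsAsLocalSystem is reported but not flagged, since the page states that some services (the DbMonitor services, GIM, and the NAS/SP services) legitimately run under Local System; the privilege section only reports where SeDebugPrivilege is assigned so you can confirm it is limited to the Database Monitor and Db2 TAP services.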

Windows™ S-TAP services

The service names for Windows S-TAP services are GUARDIUM_STAP, DbMonitorx64, DbMonitorx86, and Guardium Resource Monitor.

DbMonitorx64 and DbMonitorx86 are the only services that are installed by using the Local System account. This account has the highest privileges on the Windows server.

GUARDIUM_STAP and Guardium Resource Monitor use the Local Service account. This account has sufficient privileges to capture traffic and to support features such as Firewall, Query Rewrite, scrub, Ignore, and Log full details. But it might lack the privileges for S-TAP health check functions such as verifying the presence of Guardium binaries in the database process.