October 23, 2009 in Adaptive Server Enterprise, Authentication, Database, Development, Security, Sybase ASE | Comments (0)
Tags: Database, Development, passwords, Security, Sybase ASE
Over the past few weeks, there have been a number of inquiries about security, both on the Sybase ASE Server and on the client connections. Whether the client connection uses JConnect, Open Client, ODBC, ctlib or dblib, each of these clients has configuration options that can help enable more secure communications, which, by the way, are becoming legally mandated.
Let's list a few properties of interest:
These are the password encryption properties (more…)
October 12, 2009 in Database, Operations, Security, Sybase ASE | Comments (0)
Tags: Administration, Database, Operations, Security, Sybase, Sybase ASE
Earlier this month, CI Security posted a complete security benchmark of the Sybase ASE 15 release. This benchmark document contains a complete review of the issues that all DBAs face when installing, configuring and maintaining an ASE Server. This was announced on Reuters on Oct 7, 2009.
Two things about this document are spectacular. Both are thoroughly described in the document itself, but I am going to paraphrase here. The first is the concept of ‘Level’. There are two levels for the actions posted. Level I is for configurations, options or defaults that have no impact on the operational aspects of the server. Level II is basically everything that is not Level I, which is to say, actions, options or configurations that can have a direct impact on the server’s performance or operation.
The second part is what has got me hooked on reviewing this benchmark. ‘Scoreable’ is the term the author is using to clearly show whether or not an automated test can be run against the recommendation. ‘Not Scoreable’ refers to those things that are difficult or impossible to test with a consistent result.
So, why am I so keen on this document?
IT HAS SAMPLE CODE! WOOHOO!
I created a few script files to run the recommended configuration changes and then output the checks on two items: password complexity and protecting database object text in syscomments. These are just two of the many cases covered in this doc.
Enjoy!
I am going to play with a few more of these recommendations and get back to you next week on this. Let me know if you find it helpful.