IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.58 Installation of ODBC drivers
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
ODBC (Open Database Connectivity) creates an additional layer between a
database application and the related database protocol, and thus does not
constitute a database protocol as such. The installation of an ODBC driver
matching with a database creates a standard interface between the application
and the database, via which communications (issue of database queries,
reading of data) with the database take place. The related ANSI-SQLcompliant
SQL interface permits the creation of applications without having to
take the different specific database products into account. For this reason, the
application does not need to be re-configured on a change of database
software; instead, it is sufficient to simply replace the ODBC driver.
Developed originally for Microsoft products, ODBC has now established itself
as a standard. ODBC drivers are available for all common databases supplied
by diverse manufacturers.
ODBC drivers must be so installed that access control of the database system
is not threatened by any security pitfalls.
Example:
In the case of MS Access databases, the employment of user IDs is optional. If
access control is activated however, the user IDs are managed via Systemdb, a
separate MS Access database which is also stored as an independent file.
During the installation of an ODBC driver for an MS Access database,
Systemdb is not integrated automatically. The default installation settings do
not take any existing Systemdb into account. Consequently, if Systemdb is not
specified explicitly during the installation of the ODBC driver, Systemdb does
not request any identification for database queries issued via ODBC. Access
control is thus circumvented.
To avoid this, a regular check can be made as to whether Systemdb is
integrated. However, as this mechanism can be undone or manipulated at any
time, a safer solution is to encrypt MS Access databases. In this case, all
attempts to access a database without Systemdb fail. For this purpose, the
encryption mechanism integrated in MS Access needs to be activated (under
Extras / Access Rights / encrypt/decrypt Database). Attempts to access the
database via the ODBC interface then fail, as Systemdb is also required for the
encryption mechanism.
Additional controls:
- Has an ODBC driver for the database been installed? If so, have the
optional installation parameters and their effects been taken into
consideration?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000