IT Baseline Protection Manual S 5.58 Installation of ODBC drivers

S 5.58 Installation of ODBC drivers

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

ODBC (Open Database Connectivity) creates an additional layer between a database application and the related database protocol, and thus does not constitute a database protocol as such. Installing an ODBC driver that matches a database creates a standard interface between the application and the database, via which communication with the database (issuing database queries, reading data) takes place. The related ANSI-SQL-compliant SQL interface permits the creation of applications without having to take the different specific database products into account. For this reason, the application does not need to be re-configured when the database software is changed; instead, it is sufficient to simply replace the ODBC driver. Developed originally for Microsoft products, ODBC has now established itself as a standard. ODBC drivers are available for all common databases supplied by various manufacturers.

ODBC drivers must be installed in such a way that the access control of the database system is not undermined.

Example:

In the case of MS Access databases, the use of user IDs is optional. If access control is activated, however, the user IDs are managed via Systemdb, a separate MS Access database which is also stored as an independent file.

During the installation of an ODBC driver for an MS Access database, Systemdb is not integrated automatically. The default installation settings do not take any existing Systemdb into account. Consequently, if Systemdb is not specified explicitly during the installation of the ODBC driver, Systemdb does not request any identification for database queries issued via ODBC. Access control is thus circumvented.

To avoid this, a regular check can be made as to whether Systemdb is integrated. However, as this mechanism can be undone or manipulated at any time, a safer solution is to encrypt MS Access databases. In this case, all attempts to access a database without Systemdb fail. For this purpose, the encryption mechanism integrated in MS Access needs to be activated (under Extras / Access Rights / encrypt/decrypt Database). Attempts to access the database via the ODBC interface then fail, as Systemdb is also required for the encryption mechanism.
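The regular check mentioned above could be automated along the following lines. This is an added example, not part of the manual; it assumes the ODBC data source definitions are available as INI-style text with one section per data source and that the Access driver's `SystemDB` keyword names the Systemdb file. The data source names and paths in the sample are constructed.

```python
import configparser

# Constructed sample: INI-style data source definitions (names and paths are made up).
SAMPLE_DSNS = r"""
[Payroll]
Driver=Microsoft Access Driver (*.mdb)
DBQ=C:\data\payroll.mdb
SystemDB=C:\data\secure.mdw

[Inventory]
Driver=Microsoft Access Driver (*.mdb)
DBQ=C:\data\inventory.mdb

[Archive]
Driver=Microsoft Access Driver (*.mdb)
DBQ=C:\data\archive.mdb
SystemDB=C:\temp\other.mdw

[Reporting]
Driver=SQL Server
Server=db01
"""

def audit_access_dsns(ini_text, expected_systemdb=None):
    """Return (dsn, finding) pairs for MS Access data sources whose
    SystemDB entry is missing, empty or not the expected file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    findings = []
    for dsn in cp.sections():
        driver = cp.get(dsn, "driver", fallback="")
        if "access" not in driver.lower():
            continue  # only MS Access data sources rely on Systemdb
        systemdb = cp.get(dsn, "systemdb", fallback="").strip().strip('"')
        if not systemdb:
            # Without Systemdb, queries via ODBC are not asked for identification.
            findings.append((dsn, "no SystemDB configured"))
        elif expected_systemdb and systemdb.lower() != expected_systemdb.lower():
            # A different file may hold different user IDs than intended.
            findings.append((dsn, "unexpected SystemDB: " + systemdb))
    return findings

if __name__ == "__main__":
    for dsn, finding in audit_access_dsns(SAMPLE_DSNS, r"C:\data\secure.mdw"):
        print(f"{dsn}: {finding}")
```
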

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999