3.2.3 Disable Grants During Restore (DB2_RESTORE_GRANT_ADMIN_AUTHORITIES)

Information

The DB2_RESTORE_GRANT_ADMIN_AUTHORITIES registry variable determines whether the authorization ID of the user performing a restore is granted administrative authorities (SECADM, DBADM, DATAACCESS, and ACCESSCTRL authorities) on the restored database. It is typically used when restoring a database on a server where the original database creator account does not exist. It is recommended that this variable not be set except when specifically performing a restore where you wish these privileges to be granted so they are not accidentally granted.

Rationale:

Use of this registry variable may grant administrative authorities accidentally if the value is left on during normal operations and a restore is run.

Solution

Run the following command to set the DB2_RESTORE_GRANT_ADMIN_AUTHORITIES registry variable to OFF:

db2set DB2_RESTORE_GRANT_ADMIN_AUTHORITIES=OFF

Default Value:

The default value of DB2_RESTORE_GRANT_ADMIN_AUTHORITIES is OFF.

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Windows

Control ID: ad0b4c8adba17430c91e663e48c7f6794ce27621765583bddf674d2a0becbdf7