Information
During installation, the Sybase ASE installer will prompt to create the designated install
directory if it does not exist. On Windows systems the default installation path is
c:\sybase. The newly created folder will inherit the NTFS permissions of the parent
folder.
Installing Sybase ASE to the default directory typically permits standard authenticated
users to read all files in the directory, potentially exposing sensitive information if the
databases themselves are located there. Furthermore, the default permissions also allow a
standard authenticated user to write new files in the directory. Note that users would need
sufficient privilege to logon to the system locally or remotely via Terminal Services.
The NTFS permissions on the installation directory should be reviewed and modified if
necessary ensure that only Administrators and the user that the Sybase ASE server is
configured to run as (typically NT AUTHORITY\SYSTEM) have full control of the directory and
that all others users have no permissions on the folder.
Note that removing permissions for a particular user is likely to impact that users ability to
run standard database connectivity tools such as isql.exe. It is recommended that
modifications to permissions are extensively tested on non-production systems first.
Rationale:
Weak NTFS permissions may allow a standard domain user to access sensitive data or
elevate privilege.
Solution
1. Open a command prompt and execute the following command to remove standard
user access to the Sybase directory. Repeat this command specifying appropriate
usernames/groups until only Administrators and the user that the Sybase ASE
server runs as have permissions on the directory.
cacls %SYBASE% /E /R 'BUILTIN\Users'
2. The above command should return processed dir: C:\sybase (or an appropriate
path if Sybase is installed elsewhere). If an error is returned, consult the cacls
documentation.