
Security

Following is a list of security enhancements introduced in SQL Anywhere version 16.0.

  • Raw encryption   The ENCRYPT function can encrypt data inside the database server and output it into a raw format so that it can be decrypted outside of the database. The DECRYPT function can decrypt data encrypted outside of the database server. See ENCRYPT function [String] and DECRYPT function [String].

  • Support for TDS RSA encryption with nonce password exchange   The new -tdsl database server option restricts the type of TDS login request that a database server supports. Set the TDS login mode to support all login requests, only RSA login requests, or only RSA with nonce login requests. See -tdsl database server option.

  • Secure features  

    • Secure feature keys can now be customized   You can now create and view customized secure feature keys that can be assigned to individual users by using the following system procedures:

    • Secure features   You can prevent users from manipulating directories and files on the same computer as the server. The following features, which correspond to system procedures, were added to the local_io feature set:

      • sp_list_directory
      • sp_create_directory
      • sp_copy_directory
      • sp_move_directory
      • sp_delete_directory
      • sp_copy_file
      • sp_move_file
      • sp_delete_file

      The manage_server feature set prevents users from accessing features related to the database server.

      The create_trace_file and _trace_system_event features prevent users from creating event tracing targets and user-defined events, respectively.

    • Re-execute SQL after specifying the database server's secure feature key   In Sybase Central, if you try to execute SQL that uses a secure feature, you are given the option of specifying the database server secure feature key, after which the SQL is re-executed. The database server must be started with a secure feature key (using the -sk option) to use this feature.

  • Disk sandboxing   The disk sandboxing feature limits read-write file operations from the database to the directory where the main database file is located.

    When disk sandboxing is enabled, relative path names are treated as relative to the directory where the main database file is located. When disk sandboxing is not enabled, relative path names are relative to the working directory of the database server. See SQL Anywhere behavior changes.

    The following features have been added to support the disk sandboxing feature:

    Feature Description
    Database server options (dbsrv16)
    • -sbx database server and database option   This option sets the default disk sandbox behavior for all databases running on the database server or for an individual database. See -sbx database server option and -sbx database option.

    Database options
    • disk_sandbox database option   This database option controls whether read-write file operations on the database are restricted to the directory where the main database file is located. See disk_sandbox option.

    Statements
    • START DATABASE statement   Specify the DISKSANDBOX clause when executing the START DATABASE statement to restrict read-write file operations on the database to the directory where the main database file is located. See START DATABASE statement.

    Secure features
    • manage_disk_sandbox secure feature   Use the -sf database server option to control the manage_disk_sandbox secure feature. The manage_disk_sandbox secure feature prevents users from changing disk sandbox settings. By default, the manage_disk_sandbox secure feature is secured. See -sf database server option.

    • disk_sandbox secure feature   Use the -sf database server option to control the disk_sandbox secure feature. The disk_sandbox secure feature allows connected users to enable or disable disk sandboxing for their connection. By default, the disk_sandbox secure feature is secured. See Disk sandboxing.

    System procedures

    To use either the sa_server_option system procedure or the sa_db_option system procedure to change disk sandbox settings, provide the secure feature key for the manage_disk_sandbox secure feature.

    • sa_server_option system procedure   Changes the default disk sandbox behavior for the database server while the database server is running. See sa_server_option system procedure.

    • sa_db_option system procedure   Changes the disk sandbox behavior for the database while the database is running. See sa_db_option system procedure.

    Properties
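
The relative-path rule described under Disk sandboxing above, as an added Python model (not SQL Anywhere code and not part of the original page). It shows where the same path lands with sandboxing off and on, which is the behavior change to check scripts for. The paths are constructed samples; treating subdirectories of the database directory as inside the sandbox and checking containment on the normalized path are assumptions of this model.

```python
import posixpath


def resolve_file_path(path, db_file, server_cwd, sandbox_enabled):
    """Return the absolute path a file operation would target in this model.

    Raises PermissionError when sandboxing is on and the target falls
    outside the directory that holds the main database file.
    """
    db_dir = posixpath.dirname(posixpath.normpath(db_file))
    # Rule from the page: the base for relative names depends on the setting.
    base = db_dir if sandbox_enabled else server_cwd
    # join() keeps an absolute `path` as is; normpath() collapses "..".
    target = posixpath.normpath(posixpath.join(base, path))
    if sandbox_enabled:
        # Assumption: subdirectories of db_dir count as inside the sandbox.
        # commonpath() compares whole components, so /data2 is not in /data.
        if posixpath.commonpath([db_dir, target]) != db_dir:
            raise PermissionError(f"{target} is outside sandbox {db_dir}")
    return target


def audit(paths, db_file, server_cwd):
    """Compare where each path lands with sandboxing off and on."""
    report = []
    for p in paths:
        off = resolve_file_path(p, db_file, server_cwd, False)
        try:
            on = resolve_file_path(p, db_file, server_cwd, True)
        except PermissionError:
            on = None  # the operation would be refused
        report.append((p, off, on))
    return report


# Constructed sample values, not taken from any real installation.
DB_FILE = "/srv/sqla/data/demo.db"
SERVER_CWD = "/opt/sqlanywhere16/bin"
SAMPLE_PATHS = [
    "export.csv",
    "backup/demo.bak",
    "../other/unload.dat",
    "/tmp/unload.dat",
    "/srv/sqla/data/log.txt",
]

if __name__ == "__main__":
    for p, off, on in audit(SAMPLE_PATHS, DB_FILE, SERVER_CWD):
        print(f"{p!r}: sandbox off -> {off}; sandbox on -> {on or 'DENIED'}")
```

Any row where the two results differ marks a script or statement whose file location moves, or whose operation is refused, once sandboxing is enabled.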