Enables and disables features for databases running on the current database server.
Syntax
iqsrv15 -sf feature-list ...
Allowed values
The following feature-name values are supported:
- none – Specifies that no features are disabled.
- all – Disables all features that can be disabled including the following groups.
  - client – Disables all features that allow access to client-related input/output. This includes access to the client computing environment. This set consists of the following features.
    - read_client_file – Disables the use of statements that can cause a client file to be read. For example, the READ_CLIENT_FILE function and the LOAD TABLE statement.
    - write_client_file – Disables the use of all statements that can cause a client file to be written to. For example, the UNLOAD statement and the WRITE_CLIENT_FILE function.
  - local – Disables all local-related features. This includes access to the server computing environment. This set consists of the local_call, local_db, local_io, and local_log feature subsets described below.
    - local_call – Disables all features that provide the ability to execute code that is not directly part of the server and is not controlled by the server. This set consists of the following features.
      - cmdshell – Disables the use of the xp_cmdshell procedure.
      - external_procedure – Disables the use of external stored procedures. This setting does not disable the use of the xp_* system procedures (such as xp_cmdshell, xp_readfile, and so on) that are built into the database server. Separate feature control options are provided for these system procedures.
      - external_procedure_v3 – See the User-Defined Functions guide.
      - java – Disables the use of Java-related features, such as Java procedures.
    - local_db – Disables all features related to database files. This set consists of the following features.
      - backup – Disables the use of the BACKUP statement, and therefore, the ability to run server-side backups. You can still perform client-side backups using dbbackup.
      - restore – Disables the use of the RESTORE DATABASE statement.
      - database – Disables the use of the CREATE DATABASE, ALTER DATABASE, DROP DATABASE, CREATE ENCRYPTED FILE, CREATE DECRYPTED FILE, CREATE ENCRYPTED DATABASE, and CREATE DECRYPTED DATABASE statements.
      - dbspace – Disables the use of the CREATE DBSPACE, ALTER DBSPACE, and DROP DBSPACE statements.
    - local_io – Disables all features that allow direct access to files and their contents. This set consists of the following features.
      - read_file – Disables the use of statements that can cause a local file to be read. For example, the xp_read_file system procedure, the LOAD TABLE statement, and the use of OPENSTRING( FILE ... ). The alternate names load_table and xp_read_file are deprecated.
      - write_file – Disables the use of all statements that can cause a local file to be written to. For example, the UNLOAD statement and the xp_write_file system procedure. The alternate names unload_table and xp_write_file are deprecated.
      - delete_file – Disables the use of all statements that can cause a local file to be deleted. For example, it disables the use of the db_delete_file DBLib function, which deletes database files. The db_delete_file function is used by the dbbackup -x and -xo options, so securing db_delete_file causes dbbackup to fail if the -x or -xo options are specified.
      - directory – Disables the use of directory class proxy tables. This feature is also disabled when remote_data_access is disabled.
    - local_log – Disables all logging features that result in creating or writing data directly to a file on disk. This set consists of the following features.
      - request_log – Disables the ability to change the request log file name and also disables the ability to increase the limits of the request log file size or number of files. You can specify the request log file and limits on this file, in the command to start the database server; however, they cannot be changed once the server is started. When request log features are disabled, you can still turn request logging on and off, and reduce the maximum file size and number of request logging files.
      - console_log – Disables the ability to change the database server message log file name using the ConsoleLogFile option of the sa_server_option system procedure. It also disables the ability to increase the maximum size of the log file using the ConsoleLogMaxSize option of the sa_server_option system procedure. You can specify a server log file and its size when starting the database server.
      - webclient_log – Disables the ability to change the web service client log file name using the WebClientLogFile option of the sa_server_option system procedure. You can specify a web service client log file when starting the database server.
  - remote – Disables all features that allow remote access or communication with remote processes. This set consists of the following features.
    - remote_data_access – Disables the use of any remote data access services, such as proxy tables.
    - send_udp – Disables the ability to send UDP packets to a specified address using the sa_send_udp system procedure.
    - web_service_client – Disables the use of web service client stored procedure calls (that is, stored procedures that issue HTTP requests).
Applies to
All operating systems and database servers.
This option does not apply to servers in the cloud.
Remarks
This option allows you to enable and disable features for a database server. These settings affect all databases running on the database server. You can enable all disabled (secured) features for a connection by setting the secure_feature_key option to the key specified by the -sk option. Any connection that sets the secure_feature_key option to the key specified by -sk can also change the set of secured features for a database server using the SecureFeatures property of the sa_server_option system procedure.
The feature-list is a comma-separated list of feature names or feature sets to secure for the database server. Use feature-name to indicate that the feature should be disabled, and -feature-name to indicate that the feature should be removed from the disabled features list. For example, the following command indicates that only dbspace features are enabled:
iqsrv15 -n secure_server -sf all,-dbspace
Feature set hierarchy
The following diagram lists all the feature set keywords and their hierarchy. For example, local_io encompasses the read_file, write_file, delete_file, and directory features.

Example
The following command starts a database server named secure_server with access to the request log disabled and with all remote data access features disabled. The key specified by the -sk option can be used later with the secure_feature_key database option to enable these features for a specific connection.
iqsrv15 -n secure_server -sf request_log,remote -sk j978kls12
If a user connected to a database running on the secure_server database server sets the secure_feature_key option to the value specified by -sk, that connection has access to the request log and remote data access features:
SET TEMPORARY OPTION secure_feature_key = 'j978kls12';
The following command disables all features, with the exception of local database features:
iqsrv15 -n secure_server -sf all,-local_db
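The resolution of a feature-list such as all,-local_db against the feature sets listed above, as an added example that is not part of the original documentation or of the server's own code; it can be used to audit which features a startup command leaves open. It assumes items are applied left to right and places external_procedure_v3 under local_call because of its position in the list; the function names are hypothetical.

```python
# Feature-set hierarchy transcribed from the list on this page.
SETS = {
    "all": ["client", "local", "remote"],
    "client": ["read_client_file", "write_client_file"],
    "local": ["local_call", "local_db", "local_io", "local_log"],
    # Assumption: external_procedure_v3 belongs to local_call (its list position).
    "local_call": ["cmdshell", "external_procedure", "external_procedure_v3", "java"],
    "local_db": ["backup", "restore", "database", "dbspace"],
    "local_io": ["read_file", "write_file", "delete_file", "directory"],
    "local_log": ["request_log", "console_log", "webclient_log"],
    "remote": ["remote_data_access", "send_udp", "web_service_client"],
}
LEAVES = {f for members in SETS.values() for f in members if f not in SETS}


def expand(name):
    """Return the leaf features covered by a feature or feature-set name."""
    if name in SETS:
        return set().union(*(expand(member) for member in SETS[name]))
    if name in LEAVES:
        return {name}
    raise ValueError(f"unknown feature name: {name!r}")


def secured_features(feature_list):
    """Resolve a -sf feature-list to the set of secured (disabled) leaf features.

    Assumption: items are applied left to right, so a later -name overrides
    an earlier set that contains it.
    """
    secured = set()
    for item in feature_list.split(","):
        item = item.strip()
        if item == "none":
            secured.clear()
        elif item.startswith("-"):
            secured -= expand(item[1:])
        else:
            secured |= expand(item)
    # Stated on this page: directory is also disabled when remote_data_access is.
    if "remote_data_access" in secured:
        secured.add("directory")
    return secured


def still_enabled(feature_list):
    """Leaf features a connection can use without the secure feature key."""
    return LEAVES - secured_features(feature_list)
```

Calling still_enabled with the feature-list from a server's startup command shows what any connection can reach without the key given by -sk.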