The integrated login features works by using the login control system of Windows in place of the system that Sybase IQ uses to control access to the database.
Essentially, you pass through the database security if you can log in to the machine hosting the database, and if other conditions outlined in this chapter are met.
If you successfully log in to the Windows server as “dsmith”, you can connect to the database without any further proof of identification provided there is either an integrated login mapping or a default integrated login user ID.
When using integrated logins, database administrators should give special consideration to the way Windows enforces login security in order to prevent unwanted access to the database.
In particular, be aware that by default a “Guest” user profile is created and enabled when Windows Workstation or Server is installed.
If the Guest user profile is enabled and has a blank password, any attempt to log in to the server will be successful. It is not required that a user profile exist on the server, or that the login ID provided have domain login permissions. Literally any user can log in to the server using any login ID and any password: they are logged in by default to the Guest user profile.
This has important implications for connecting to a database with the integrated login feature enabled.
Consider the following scenario, which assumes the Windows server hosting a database has a “Guest” user profile that is enabled with a blank password.
An integrated login mapping exists between the user dsmith and the database user ID DBA. When the user dsmith connects to the server with her correct login ID and password, she connects to the database as DBA, a user with full administrative rights.
But anyone else attempting to connect to the server as “dsmith” will successfully log in to the server regardless of the password they provide because Windows will default that connection attempt to the “Guest” user profile. Having successfully logged in to the server using the “dsmith” login ID, the unauthorized user successfully connects to the database as DBA using the integrated login mapping.