Securing Oracle Databases CSS-DSG JTrumbo

Audit Recommendations
- Make sure databases are current with patches.
- Ensure all current default accounts & passwords (for example, scott/tiger) are disabled or changed.
- Institute a password change for existing accounts; minimally those where the password = username (a large effort in itself, but the audit team and countless others /probably/ have most or all of the password hashes).
- Make it difficult to query the TNS Listener for available databases. The listener password accomplishes this, but may cause problems with database restarts.

Audit Recommendations
- Hide the password field in the SYS.USER$ table from normal users (if possible).
- Hide data in the SYS tables that would allow identification of users with high privilege.
- Encrypt database links.
- If you have multiple logons, use different passwords for each.
- Audit and lock out accounts with higher than normal invalid password counts.
- Use Oracle's audit tools. We have found this too expensive in disk and CPU cycles; we have a home-grown solution instead.
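An added example of the kind of home-grown check the last three items call for (not the presentation's own script): SYS.USER$.LCOUNT is the failed-login counter Oracle keeps per account, so it answers "who has an abnormal invalid-password count" without the audit trail. DBA_USERS_WITH_DEFPWD is assumed to exist (Oracle 11g and later); scott is the slide's example account.

```sql
-- Accounts with an unusual number of failed logins since their last successful one.
-- LCOUNT is the counter that a profile's FAILED_LOGIN_ATTEMPTS limit works from.
SELECT u.name, u.lcount, u.ctime AS created
  FROM sys.user$ u
 WHERE u.type# = 1          -- 1 = user, 0 = role
   AND u.lcount >= 3
 ORDER BY u.lcount DESC;

-- Lock an account flagged above until a DBA has looked at it.
ALTER USER scott ACCOUNT LOCK;

-- Default accounts that are still open (list from the Passwords slide; extend as needed).
SELECT username, account_status, profile
  FROM dba_users
 WHERE username IN ('SCOTT', 'DBSNMP')
   AND account_status = 'OPEN';
-- On 11g and later: accounts still on the vendor-shipped password.
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- Inventory database links: each one embeds credentials for the remote side,
-- so every link is something to justify, encrypt or drop.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;
```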

Basic Maintenance
- Keep database up to current version.
- Keep database up to current patch level.
- Keep OS up to current version.
- Keep OS up to current patch level.
No excuses on this. The Lab Director has dictated that patches will be applied in a timely manner. Reasonable downtime must be planned & granted to accomplish patching.
- Restrict OS access.
- Restrict database server machines to the database only and DB monitoring. NO web servers, NO users except Oracle.

Passwords
Change all the default passwords upon installation, including:
- SYS
- SYSTEM
- DBSNMP (edit snmp_rw.ora)
- scott/tiger
- A host of others; see The Database Hacker's Handbook (Litchfield/Anley/Heasman/Grindlay) for the complete list.
NOTE*** some database installations (MySQL) auto-start with the default passwords. These must be changed IMMEDIATELY, as a compromise can occur within minutes.
Make a reasonable parameter list in utlpwdmg.sql and run it against your databases to enforce complex passwords. Make sure the utlpwdmg profile includes a maximum number of login attempts and locks out accounts that repeatedly fail to log in.

Enforce Complex Passwords
- Make sure passwords have a reuse scheme (no reuse is an option).
- Annual resetting of passwords (hopefully Oracle will get Kerberos working).
The password complexity verification routine ensures that the password meets the following requirements:
- Is at least eight characters long
- Differs from the username
- Has at least one alphabetic, one numeric, and one punctuation character (underscore counts!)
- Is not simple or obvious, such as welcome, account, database, or user
- Differs from the previous password by at least 3 characters
Accounts that do not update the database can be the exception to the complex-password/expiration requirements, except for any read-only account that has access to SYS tables.
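The five rules above and the lockout/expiry limits from the Passwords slide, written out as an added example (this is not utlpwdmg.sql from Oracle or the presentation): a PASSWORD_VERIFY_FUNCTION and the profile that attaches it. The names css_verify_password, css_default and app_owner are assumed.

```sql
-- Password verify function implementing the five rules on the slide.
CREATE OR REPLACE FUNCTION css_verify_password (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
    TYPE word_list IS TABLE OF VARCHAR2(30);
    simple_words word_list := word_list('welcome', 'account', 'database', 'user');
    differ       PLS_INTEGER := 0;
BEGIN
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must differ from the username');
    END IF;
    -- One letter, one digit, one punctuation mark (POSIX [[:punct:]] already includes _).
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[[:punct:]_]') THEN
        raise_application_error(-20003, 'Password needs a letter, a digit and a punctuation mark');
    END IF;
    FOR i IN 1 .. simple_words.COUNT LOOP
        IF LOWER(password) = simple_words(i) THEN
            raise_application_error(-20004, 'Password is too obvious');
        END IF;
    END LOOP;
    -- Compare position by position; NVL stops a NULL from the shorter string hiding a difference.
    IF old_password IS NOT NULL THEN
        FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
            IF NVL(SUBSTR(password, i, 1), CHR(0)) <> NVL(SUBSTR(old_password, i, 1), CHR(0)) THEN
                differ := differ + 1;
            END IF;
        END LOOP;
        IF differ < 3 THEN
            raise_application_error(-20005, 'Password must differ from the old one in 3 or more positions');
        END IF;
    END IF;
    RETURN TRUE;
END;
/
-- Profile: 5 failures lock the account until a DBA unlocks it; yearly expiry; no reuse of the last 5.
CREATE PROFILE css_default LIMIT
    PASSWORD_VERIFY_FUNCTION css_verify_password
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       UNLIMITED
    PASSWORD_LIFE_TIME       365
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       5;
ALTER USER app_owner PROFILE css_default;
```

For the slide's "no reuse" option, set one of PASSWORD_REUSE_TIME / PASSWORD_REUSE_MAX to an integer and the other to UNLIMITED; Oracle then never allows a password to be reused.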

Database Roles
Practice the principle of least privilege. Ensure users have only the roles & privileges they need to complete their function.

Dictionary
SYS and SYSTEM tables need to be hidden from users. Do not allow users to see sensitive hashed-password columns in the dictionary.
- Set O7_DICTIONARY_ACCESSIBILITY = FALSE (the "07_dict" parameter) in the init.ora.
- Retain SELECT ANY TABLE for users so they can look at each other's objects if necessary.
- Grant SELECT ANY DICTIONARY only to the users that need dictionary read access (this is probably limited to DBA or monitoring users, not application owners or end users).
- Create a role with the limited and acceptable SYS views users need to monitor their apps (V$SESSION, V$INSTANCE), and apply the role as needed.
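The four steps above carried out in SQL, as an added example rather than the presentation's own scripts; the role name app_monitor and the grantee app_owner are assumed. The one trap worth knowing: object grants must name the underlying SYS.V_$ views, because V$SESSION and V$INSTANCE are public synonyms and cannot be granted on directly.

```sql
-- Static parameter: needs SPFILE scope and a restart. For a pfile database,
-- put O7_DICTIONARY_ACCESSIBILITY = FALSE in init.ora instead.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE = SPFILE;

-- Monitoring role limited to the two views named on the slide.
-- GRANT ... ON v$session fails; the grantable objects are the V_$ views.
CREATE ROLE app_monitor;
GRANT SELECT ON sys.v_$session  TO app_monitor;
GRANT SELECT ON sys.v_$instance TO app_monitor;
GRANT app_monitor TO app_owner;

-- Review who still has blanket dictionary access after the change.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
 ORDER BY grantee, privilege;
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE')
 ORDER BY grantee;
-- Direct object grants on the table that holds the password hashes.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'USER$';
```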

Steps Taken
- Password-protect listeners, although until 10g this opens up other issues.
- Drop obsolete dblinks; drop any dev-prod links. Where possible, made links read-only.
- Change externally authenticated accounts to password-protected accounts.
- Implement the complex password function (utlpwdmg).
- Set up additional login profile(s) to handle read-only and group accounts (accounts with globally known passwords that are read-only).
- Protected the read-only accounts from modification of the password.
- Force password changes for blatantly soft accounts, locking the accounts if necessary.

Steps Taken
- Restricting access to the Oracle dictionary (SYS objects). We wished to use fine-grained access to mask the sensitive columns; however, we discovered fine-grained access was not available on dictionary tables. This forced a review of all the applications' use of dictionary tables and creation of new role(s) to handle the needed but very limited access to some dictionary tables containing no sensitive columns.
- Kerberize logins: on the docket with Oracle; should automatically force & synchronize regularly scheduled password changes. Currently, standard MIT Kerberos is not supported by Oracle, thus Kerberos cannot be implemented.

References
- Oracle Database Security Checklist: y/pdf/twp_security_checklist_db_database.pdf
- The Database Hacker's Handbook, Litchfield/Anley/Heasman/Grindlay
- A copy of the Oracle baseline security document (CIS_ORACLE_BASELINE) is available at css.fnal.gov/dsg/internal/briefings_and_projects/index.html