Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Security Managing Users and Security Models.

Published byAmy Chapman Modified over 9 years ago

Similar presentations

Presentation on theme: "Database Security Managing Users and Security Models."— Presentation transcript:

1 Database Security Managing Users and Security Models

2 Managing Users Authorization & Authentication Creating Users Check for Default Users Check for weak passwords Lock & Remove Accounts

3 Operating System Authentication Many databases (including Microsoft SQL Server 2000) depend on OS to authenticate users Reasons: –Once an intruder is inside the OS, it is easier to access the database –Centralize administration of users Users must be authenticated at each level –(defense in depth)

4 Creating Users Must be a standardized, well-documented, and securely managed process In Oracle10g, use the CREATE USER statement: –Part of the a Data Definition Language (DDL)

5 Creating an Oracle10g User IDENTIFIED clause –Tells Oracle how to authenticate a user account –BY PASSWORD option: encrypts and stores an assigned password in the database –EXTERNALLY option: user is authenticated by the OS –GLOBALLY AS option: depends on authentication through centralized user management method Example: CREATE USER smith identified by s9 default tablespace users; ALTER USER smith IDENTIFIED EXTERNALLY; -- by OS ALTER USER scott ACCOUNT LOCK -- lock a user account ALTER USER scott ACCOUNT UNLOCK; ALTER USER scott PASSWORD EXPIRE; -- Force new pwd

6 DEFAULT TABLESPACE clause: specifies default storage for the user TEMPORARY TABLESPACE clause QUOTA clause: tells Oracle 10g how much storage space a user is allowed for a specified tablespace PROFILE clause: indicates the profile used for limiting database resources and enforcing password policies Creating Users (continued)

7

8

9 Creating a SQL Server User Create a login ID first; controls access to SQL Server system Associate login ID with a database user Must be member of fixed server roles (SYSADMIN or SECURITYADMIN) Two types of login IDs: –Windows Integrated (trusted) login –SQL Server login

10 Creating Windows Integrated Logins

11 Creating SQL Server Logins

12 Removing Users Make a backup first Obtain a written request (for auditing purposes) Or Lock a user’s account

13 Removing an Oracle User DROP command CASCADE option: when user owns database objects Recommendations: –Backup the account for one to three months –Listing all owned objects –Lock the account or revoke the CREATE SESSION privilege

14 Modifying an Oracle User ALTER USER statement Oracle Enterprise Manager: graphical tool

15 Modifying an Oracle User (continued)

16 Default Users Oracle default users: –SYS, owner of the data dictionary –SYSTEM, performs almost all database tasks SQL Server default users: –SA, system administrator

17 Database Links Connection from one database to another: allow DDL and SQL statements Public or Private Authentication Methods Example: CREATE DATABASE LINK sales.hq.acme.com CONNECT TO scott IDENTIFIED BY tiger USING 'sales'; SELECT * FROM emp@sales.hq.acme.com;

18 Database Links (continued)

19 Linked Servers Allow you to connect to almost any: –Object Linking and Embedding Database (OLEDB) –Open Database Connectivity (ODBC)

20 Linked Servers (continued)

21 Best Practices Follow company’s policies and procedures Always document and create logs Educate users Keep updated on database and security technology Review and modify procedures Block direct access to database tables Limit and restrict access to the server Use strong passwords Patches, patches, patches

22 Defining and Using Profiles Profile: –Describes limitation of database resources –Defines database users behavior –Prevents users from wasting resources Not offered by every database system: –Oracle does –Microsoft SQL Server does not

23 Creating Profiles in Oracle (continued)

24 ALTER PROFILE: modifies a limit for a profile ALTER USER: assigns a profile to a user Oracle Enterprise Manager Security Tool: view all details about users and profiles in a GUI

25 Creating Profiles in Oracle (continued)

26 Creating Profiles in SQL Server 2000 Profiles are not available in Microsoft SQL Server 2000 or 2005 Query and connection time-outs: handled at application level within OLEDB

27 Designing and Implementing Password Policies Password is the key to open a user account; strong passwords are harder to break User authentication depends on passwords Hacker violations begin with breaking a password Companies spend on: –Training –Education

28 What Is a Password Policy? Set of guidelines: –Enhances the robustness of a password –Reduces the likelihood of password breaking Deals with: –Complexity –Change frequency –Reuse

29 Importance of Password Policies First line of defense Most companies invest considerable resources to strengthen authentication by adopting technological measures that protect their assets Forces employees to abide by the guidelines set by the company and raises employee awareness of password protection Helps ensure that a company does not fail audits

30 Designing Password Policies Complexity: set of guidelines for creating passwords Aging: how long a password can be used Usage: how many times a password can be used Storage: storing a password in an encrypted manner

31 Implementing Password Policies Oracle; using profiles: –CREATE PROFILE –Oracle Enterprise Manager –PASSWORD_VERIFY_FUNCTION

32 Implementing Password Policies (continued)

33 Grant and Revoke User Privileges

34 In SQL Server (continued): –Database privileges: Fixed database roles Statement permissions –Grant permission using the GRANT statement –Revoke permission using the REVOKE statement –Enterprise Manager –Deny permission using the DENY statement

35 Grant and Revoke User Privileges (continued)

36 Security Models Access Matrix Model: –Represents two main entities: objects and subjects: Columns represent objects Rows represent subjects –Objects: tables, views, procedures, db objects –Subjects: users, roles, privileges, modules –Authorization cell

37 Main vulnerabilities People Having too many privileges Default Users and Passwords Known vulnerabilities that are not patched Too many open ports by default Solution –Must be trained to put yourself in the place of the hacker [Pete Finnigan]

38 Who has DBA ROLES ?

39

40 Default Passwords Easiest way to log into an Oracle database is to use a default account with a known password [Finnigan] http://www.petefinnigan.com/default/default_password_checker.htm This site has scripts that will identify all default users and lets you know if they still have their default passwords. You may download these scripts.

41 Password Cracking At http://www.toolcrypt.org/index.html there are tools that you can download to crack the passwords. You need to verify this against the DB, because you can be sure that the hacker has these tools.http://www.toolcrypt.org/index.html

42 Find all Privileges http://www.petefinnigan.com/find_all_privs. sqlhttp://www.petefinnigan.com/find_all_privs. sql Script to find which privileges have been granted to a particular user. This scripts lists ROLES, SYSTEM privileges and object privileges granted to a user. If a ROLE is found -- then it is checked recursively. Output can be directed to the screen or to a file.

43 Benchmark your DB http://www.cisecurity.org/bench_oracle.ht mlhttp://www.cisecurity.org/bench_oracle.ht ml Set of tools that will tell you how secure your Oracle DB is compared to other Oracle DB and allows you to fix vulnerabilities.

44 Encrypted Passwords http://www.cqure.net allows you to extract encrypted passwords (hashes) from a Windows system and use the hashes, without knowing the password, in order to authenticate to other Windows systems with users having the same passwords.

45 Listener Password http://www.integrity.com/downloads.lsnrcheck.ex e In Oracle, by default you don’t need a password to activate to run lsnrctl.exe. Verify that there is a password to activate listener, otherwise create one using Oracle Net manager. Otherwise, somebody can hijack listener and avoid future connections by 1) Installing oracle on their local machine 2) Update the listener.ora file on local machine to include access to remote server 3) From OS prompt: “lsnrctl stop”

46 Linux Vulnerabilities http://www.remote- exploit.org/backtrack.htmlhttp://www.remote- exploit.org/backtrack.html Tools to verify Linux vulnerabilities

47 More Oracle tools www.databasesecurity.com/dbsec/OAK.zip Checks for SID, Database users, etc.

48 Security Models (continued)

49 Application Security Models Models: –Database role based –Application role based –Application function based –Application role and function based –Application table based

50 DB Security Models Plan, Policy, Procedure, Model Model: scheme to implement Plan, Policy, Procedure MAC versus DAC (two extremes) Many different Models –Bell LaPadula Model (MAC, focus on confidentiality) –Harrison-Ruzzo-Ullman Access Matrix Model –Sea View Model (Relational Imp. Of LaPadula) –Jajodia Sandhu Model (adaptation of Sea View) –Biba Model (focus on Integrity) MLS, Polyinstantiation

51 Document User Administration Part of the administration process Reasons to document: –Provide a paper trail –Ensure administration consistency What to document: –Administration policies, staff and management –Security procedures –Procedure implementation scripts or programs –Predefined roles description

52 http://www.oreilly.com/catalog/orasec/chapter/ch07.html

Download ppt "Database Security Managing Users and Security Models."

Similar presentations

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Oracle 10g Database Administrator: Implementation and Administration

Oracle 10g Database Administrator: Implementation and Administration
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.

Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.
Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &

Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &
Database Management System

Database Management System
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.

Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.

Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.

Similar presentations

Ads by Google