
RE: oracle authentication from windows

From: John Kanagaraj <john.kanagaraj_at_hds.com>
Date: Fri, 20 Jun 2003 13:30:01 -0700
Message-ID: <F001.005B6C9D.20030620130955@fatcity.com>


All,

Oracle has rounded all this discussion up in Note:207959.1 'All About Security: User, Privilege, Role, SYSDBA, O/S Authentication, Audit, Encryption, OLS' which is a jump off point to *lots* of other Notes.

John

> -----Original Message-----
> From: Arup Nanda [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 20, 2003 12:16 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: oracle authentication from windows
>
>
> Pete,
>
> Appreciate your comments. You are right in stating that if the OPS$ accounts have special privs they might be abused. But how it is any different than any other user id with special privileges whose password is not guarded well? The security hole does not come from the fact that remote_os_authent is true, but due to lax security management. Removing OPS$ accounts will not help increase the security any more than simply evaluating who has what privileges.
>
> Instead of fighting the introduction of ops$ accounts, what I suggested was to have a safe practice of setting a prefix. Of course, the privileges of such accounts should be carefully monitored and accesses should be provided to the bare minimum; dba accounts are certainly a big no. In your example you specified, this is rather ridiculous to have a form for a dba user. Why not use OEM, for free?
>
> In my book I have addressed some of these issues and common misconceptions and tried to separate myths from facts.
>
> Thanks.
>
> Arup
>
>
>
> ----- Original Message -----
> To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
> Sent: Friday, June 20, 2003 6:19 AM
>
>
> > Hi Arup,
> >
> > Remote OS authentication whether with OPS$ or not is still a risk. You are intimating that SYSTEM is the only risky account involved here. What if any of the newly created OPS$ accounts have useful privileges? I have seen a similar application to the one described recently. There were forms within the application for administration and user management (in oracle, not the application) and the users who had access to these were assigned the DBA role and were of course external accounts.
> >
> > I think what you should add to your comment is that the issue is overrated is that any OPS$ / external accounts should not have any dangerous privileges granted and certainly not DBA. If you can guess the name of an admin account even if it's OPS$ then the issue is still severe.
> >
> > cheers
> >
> > Pete
> >
> > --
> > Pete Finnigan
> > email:[EMAIL PROTECTED]
> > Web site: http://www.petefinnigan.com - Oracle security audit specialists
> > Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Pete Finnigan
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>

Received on Fri Jun 20 2003 - 15:30:01 CDT
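
An audit for the point both posters in the thread agree on (externally authenticated accounts should hold the bare minimum of privileges and never DBA), added here as an example and not part of the original messages. It uses Oracle's data dictionary views and assumes 11g or later for `DBA_USERS.AUTHENTICATION_TYPE`; on older releases filter on `PASSWORD = 'EXTERNAL'` instead.

```sql
-- Added example: review OS-authenticated (externally identified) accounts.
-- Run as a user with SELECT on V$PARAMETER and the DBA_* views.

-- 1. The two instance parameters the thread discusses.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every role and system privilege granted directly to an external account.
--    Assumption: 11g+ (AUTHENTICATION_TYPE column). On older releases
--    replace the filter with  u.password = 'EXTERNAL'.
SELECT u.username,
       u.account_status,
       'ROLE'         AS grant_type,
       r.granted_role AS granted,
       r.admin_option
FROM   dba_users u
JOIN   dba_role_privs r ON r.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
UNION ALL
SELECT u.username,
       u.account_status,
       'SYSTEM PRIVILEGE',
       p.privilege,
       p.admin_option
FROM   dba_users u
JOIN   dba_sys_privs p ON p.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
ORDER  BY 1, 3, 4;

-- 3. External accounts that reach the DBA role, directly or through
--    nested role grants (role -> role -> DBA).
SELECT DISTINCT u.username
FROM   dba_users u
JOIN  (SELECT CONNECT_BY_ROOT grantee AS root_grantee,
              granted_role
       FROM   dba_role_privs
       CONNECT BY PRIOR granted_role = grantee) h
       ON h.root_grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
AND    h.granted_role = 'DBA';
```

Any row returned by the third query is the situation described in the thread: an OS-authenticated account with DBA, whose only protection is the name of the OS user.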
