
Re: oracle authentication from windows

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Fri, 20 Jun 2003 15:14:42 -0700
Message-ID: <F001.005B6E78.20030620144919@fatcity.com>


Hi Beth

OK, I get your point, but Arup was talking about automatic connections by setting remote_os_authent to true, where you can either set the prefix to OPS$ or use identified externally. For these connections the user should not be prefixed by the domain name in the database. On the other hand, using Windows NT authentication and prefixing with the domain name can be spoofed by using a client that is not trusted, such as Windows 95 or 98, and setting the context to any domain you wish and adding the correct user. The other option is to insert a Linux bootable CD and alter the username as it is sent.

I agree with you that use of the domain method is better, BUT the point I was trying to make is still valid. That is to ensure that any external account observes the least privilege principle.

cheers

Pete

In article <[EMAIL PROTECTED]>, Seefelt, Beth <[EMAIL PROTECTED]> writes
>
>I disagree. Remote OS authentication is not inherently insecure in
>Windows like it is in Unix. If you prefix the account names with the
>domain name, a user would not only have to spoof the username, he would
>have to spoof the domain name too. At that point, you probably have
>bigger problems than access to your database. Also, in that situation,
>only the security token is going over the network, not your password in
>clear text. The caveat is that you should be using the *domain name* as
>the prefix, not OPS$.
>
>-----Original Message-----
>Sent: Friday, June 20, 2003 6:20 AM
>To: Multiple recipients of list ORACLE-L
>
>
>Hi Arup,
>
>Remote OS authentication, whether with OPS$ or not, is still a risk. You
>are intimating that SYSTEM is the only risky account involved here. What
>if any of the newly created OPS$ accounts have useful privileges? I have
>seen a similar application to the one described recently. There were
>forms within the application for administration and user management (in
>Oracle, not the application) and the users who had access to these were
>assigned the DBA role and were of course external accounts.
>
>I think what you should add to your comment that the issue is
>overrated is that any OPS$ / external accounts should not have any
>dangerous privileges granted and certainly not DBA. If you can guess the
>name of an admin account, even if it's OPS$, then the issue is still
>severe.
>
>cheers
>
>Pete
>
>--
>Pete Finnigan
>email:[EMAIL PROTECTED]
>Web site: http://www.petefinnigan.com - Oracle security audit
>specialists
>Book:Oracle security step-by-step Guide - see http://store.sans.org for
>details.
>
>--
>Please see the official ORACLE-L FAQ: http://www.orafaq.net
>--
>Author: Pete Finnigan
> INET: [EMAIL PROTECTED]
>
>Fat City Network Services -- 858-538-5051 http://www.fatcity.com
>San Diego, California -- Mailing list and web hosting services
>---------------------------------------------------------------------
>To REMOVE yourself from this mailing list, send an E-Mail message
>to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
>the message BODY, include a line containing: UNSUB ORACLE-L
>(or the name of mailing list you want to be removed from). You may
>also send the HELP command for other information (like subscribing).
>--
>Please see the official ORACLE-L FAQ: http://www.orafaq.net

-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
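One way to audit the point made above, that externally authenticated (OPS$ / IDENTIFIED EXTERNALLY) accounts must carry no dangerous privileges, is to query the data dictionary for them. The following is an added example, not part of the original thread or of any poster's code. It assumes the standard Oracle dictionary views (V$PARAMETER, DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS), run as a user with SELECT access to them, and the convention of Oracle releases current at the time of this thread that DBA_USERS.PASSWORD reads 'EXTERNAL' for externally identified users (later releases expose an AUTHENTICATION_TYPE column instead; adjust the predicate accordingly). The list of roles and privileges flagged as "REVIEW" is a starting point chosen for this example, not a definitive list.

```sql
-- Added example: find externally authenticated accounts and the
-- privileges they hold, so that any OPS$ / external account granted DBA
-- or other powerful rights stands out for review.
-- Assumes standard Oracle dictionary views and DBA_USERS.PASSWORD = 'EXTERNAL'
-- for externally identified users (older releases); on 11g and later
-- replace that predicate with u.authentication_type = 'EXTERNAL'.

-- 1. Is remote OS authentication enabled, and what prefix is in use?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. All externally identified accounts (by dictionary flag or by prefix)
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL'
    OR username LIKE 'OPS$%'
 ORDER BY username;

-- 3. Roles granted to those accounts; DBA and the catalog/full-database
--    roles are flagged because they contradict least privilege.
SELECT u.username,
       r.granted_role,
       r.admin_option,
       CASE
         WHEN r.granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE',
                                 'SELECT_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE')
         THEN 'REVIEW'
         ELSE ''
       END AS flag
  FROM dba_users      u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.password = 'EXTERNAL'
    OR u.username LIKE 'OPS$%'
 ORDER BY u.username, r.granted_role;

-- 4. Direct system privileges on the same accounts; "ANY" privileges and
--    user-management privileges are the usual red flags.
SELECT u.username,
       s.privilege,
       s.admin_option
  FROM dba_users     u
  JOIN dba_sys_privs s ON s.grantee = u.username
 WHERE (u.password = 'EXTERNAL' OR u.username LIKE 'OPS$%')
   AND (   s.privilege LIKE '%ANY%'
        OR s.privilege IN ('ALTER SYSTEM', 'ALTER USER', 'CREATE USER',
                           'DROP USER', 'GRANT ANY ROLE', 'BECOME USER'))
 ORDER BY u.username, s.privilege;
```

Run the four statements in SQL*Plus as a DBA; an empty result from steps 3 and 4 means the external accounts are at least not carrying the obvious administrative rights, which is the condition the thread argues for regardless of whether OPS$ or a domain prefix is used.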

Received on Fri Jun 20 2003 - 17:14:42 CDT
