Re: oracle authentication from windows

Hi Arup,

Thanks for the reply, I agree with you that ops$ accounts are definitely weaker than database authenticated accounts. I would always advocate trying to find another way to allow access if possible, i understand that in some cases remote authentication is what an organisation chooses to use because other options are not as useful to them. What i said in my first email still stands "least privilege principle" but if possible don't use external accounts and even less so remote external accounts, try to find another solution. BUT yes sometimes they have to be used and you are right to suggest a sound way to use them.

cheers

Pete

In article <[EMAIL PROTECTED]>, Arup Nanda <[EMAIL PROTECTED]> writes
>Hi Pete,
>
>I think you misunderstood. OPS$ accounts are weaker than the regular
>accounts; but I maintain that they are not so insecure that they should be
>outright banned. My position is they can be created if needed, but the
>privileges should be granted judiciously, something that has to be done even
>in regular accounts. OPS$ accounts with DBA privs - a big NO NO.

-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Pete Finnigan
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).