Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: oracle authentication from windows

From: Seefelt, Beth <Beth.Seefelt_at_TetleyUSA.com>
Date: Sun, 22 Jun 2003 14:25:11 -0700
Message-ID: <F001.005B7497.20030622140417@fatcity.com>

No, that's not true. It actually uses your NT security token to validate that you are authenticated in the domain. You can't just give a rogue PC the same domain name, boot it up, and log into the database with external authentication. The PC would have to be a domain member, which means you have to have the domain admin password to join the domain, along with the user's password so that you could log into the domain as them. The same is not true if you use another prefix such as OPS$.

-----Original Message-----
Sent: Friday, June 20, 2003 4:00 PM
To: Multiple recipients of list ORACLE-L

Beth,

You are right in stating that OPS$ accounts are not inherently insecure.

How is the inclusion of the domain name any more secure than using OPS$? Granted, the hacker has to guess the domain name in addition to the user name, but that is equally true of any other prefix besides OPS$.

Besides, if the users are not static, the domain names will be different. How will you address that issue? For instance, your domain name is MYCODOMAIN1 and your windows userid is mycodomain1\bseefelt, so the Oracle userid, as you propose, should be "mydomain\bseeth". If you login to another domain, say, MYDOMAIN2, this account is no longer valid. So, I would say mixing domains with username may not be a good idea, unless of course you have a single domain.

Arup

>
> I disagree. Remote OS authentication is not inherently insecure in
> Windows like it is in Unix. If you prefix the account names with the
> domain name, a user would not only have to spoof the username, he
> would have to spoof the domain name too. At that point, you probably
> have bigger problems than access to your database. Also, in that
> situation, only the security token is going over the network, not your
> password in clear text. The caveat is that you should be using the
> *domain name* as the prefix, not OPS$.
>
> -----Original Message-----
> Sent: Friday, June 20, 2003 6:20 AM
> To: Multiple recipients of list ORACLE-L
>
>
> Hi Arup,
>
> Remote OS authentication whether with OPS$ or not is still a risk. You
> are intimating that SYSTEM is the only risky account involved here.
> What if any of the newly created OPS$ accounts have useful privileges.
> I have seen a similar application to the one described recently. There
> were forms within the application for administration and user
> management (in oracle, not the application) and the users who had
> access to these were assigned the DBA role and were of course external
> accounts.
>
> I think what you should add to your comment that the issue is
> overrated is that any OPS$ / external accounts should not have any
> dangerous privileges granted and certainly not DBA. If you can guess
> the name of an admin account even if it's OPS$ then the issue is still
> severe.
>
> cheers
>
> Pete
>
> --
> Pete Finnigan
> email:[EMAIL PROTECTED]
> Web site: http://www.petefinnigan.com - Oracle security audit
> specialists Book:Oracle security step-by-step Guide - see
> http://store.sans.org for details.
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Pete Finnigan
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L (or the
> name of mailing list you want to be removed from). You may also send
> the HELP command for other information (like subscribing).

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Arup Nanda
  INET: [EMAIL PROTECTED]
Received on Sun Jun 22 2003 - 16:25:11 CDT
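As an added example that is not part of any post in this thread: the SQL a DBA would run to inspect the two settings the thread is arguing about (REMOTE_OS_AUTHENT and OS_AUTHENT_PREFIX), to create a domain-prefixed externally identified account of the kind Beth describes, and to list every externally identified account that holds DBA or an ANY privilege, which is Pete's concern. It assumes SQL*Plus connected as a DBA on a 9i/10g-era database; MYDOMAIN\BSEEFELT is a placeholder name.

```sql
-- Added example, not code from the thread. Assumes SQL*Plus as a DBA;
-- MYDOMAIN\BSEEFELT is a placeholder for a real DOMAIN\user.

-- 1. The two parameters behind "remote OS authentication".
SHOW PARAMETER remote_os_authent   -- TRUE = trust the OS identity a remote client claims
SHOW PARAMETER os_authent_prefix   -- default 'OPS$'; '' makes DB user name = OS user name

-- 2. Beth's scheme: drop the OPS$ prefix so the DB account name must equal
--    the DOMAIN\user carried in the authenticated NT token. Both parameters
--    are static, so they take effect after the next restart.
ALTER SYSTEM SET os_authent_prefix = '' SCOPE = SPFILE;
CREATE USER "MYDOMAIN\BSEEFELT" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "MYDOMAIN\BSEEFELT";   -- least privilege: no DBA here

-- 3. Pete's check: every externally identified account that also holds the
--    DBA role or a system privilege containing ANY. On 11g and later replace
--    u.password = 'EXTERNAL' with u.authentication_type = 'EXTERNAL'.
SELECT u.username,
       rp.granted_role,
       sp.privilege
  FROM dba_users u
  LEFT JOIN dba_role_privs rp
         ON rp.grantee = u.username
        AND rp.granted_role = 'DBA'
  LEFT JOIN dba_sys_privs sp
         ON sp.grantee = u.username
        AND sp.privilege LIKE '% ANY %'
 WHERE u.password = 'EXTERNAL'
   AND (rp.granted_role IS NOT NULL OR sp.privilege IS NOT NULL)
 ORDER BY u.username, rp.granted_role, sp.privilege;

-- 4. If nothing needs remote OS authentication, switch it off entirely;
--    IDENTIFIED EXTERNALLY then only works for connections on the DB host.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

Any row returned by step 3 is an account that can be reached by presenting a matching OS identity and that carries privileges the thread agrees such accounts should never have.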