Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: same dba password for all instances : is it secure ?

From: Stéphane ROMANET <sromanet53_at_hotmail.com>
Date: Thu, 31 Oct 2002 17:13:20 +0100
Message-ID: <aprl1t$34f$1@news-reader11.wanadoo.fr>


Yep, I think you're right, the most important thing is to secure the connection against a potential hacker ....

But, more than that, if the password is always the same in every database and if one day a developer knows the password for a test database for any reason (as it can happen in some companies ;o)), then that means he also knows the password for every production database, and it can make you encounter big security issues, even from a legal point of view !!

You know that in Germany, for instance, it is absolutely forbidden for anyone outside Germany to access any data from German companies (it is one of the major issues for international consolidation etc. We even cannot make any international test based on German data because of that !!).

So, IMO there should at least exist 2 different passwords for any user, one for the development and test databases, and another for the production databases.

Moreover, the security experts always say: "The most important thing is to slow down as much as possible any hacker wanting to get inside your system". That means: if someone hacks your development database and gets in as SYSTEM, then there are more chances for you to have enough time to realize that and to stop other databases with confidential information. I mean: Mr. Hacker comes into your database "TEST1" or even "PRODUCTION1", and he erases some data... then the users will call you as soon as they realize, and then you'll have a look at what happened ... and as soon as you see an intrusion, you'll stop all other database servers with confidential information !! and maybe some data will be saved or will stay undiscovered thanks to that ...

This is my opinion ...

Stef

PS : Sorry for my poor English, I'm French ... ;)

"Billy Verreynne" <vslabs_at_onwe.co.za> wrote in the news message: apqp1e$8ic$1_at_ctb-nnrp2.saix.net...
> Fleury Marcel wrote:
>
> > SYS has his password, for example syspwd, and SYSTEM also has his password,
> > for example systempwd.
> > But we use the same on all Oracle Instances.
> >
> > So if someone knows a password, he can use it for all Instances.
>
> If someone manages to break into a single instance, you are already
> compromised IMO.
>
> Using the same password for the others will make it much easier to access
> them... but seeing that he was able to crack the first one, he will also be
> able to crack the others.
>
> The real issue is not using the same password IMO. It is preventing him from
> getting access to hack the password in the first place. Assuming of course
> you properly protect the password.
>
> I had developers writing their userid & password on stick-ons and pasting it
> to their terminals lest they forget...
>
> > But it is difficult to ask the DBA to use a distinct password for each
> > Instance.
>
> Especially with 60 instances.
>
> > Suggestions to perform this security are welcome.
> > Or advices to remember each password
>
> A DBA I knew used to modify the password with something unique to that
> instance. E.g. if the password is ruby123 then it will be rubyorcl123 for
> instance orcl.
>
> But this is little different from using the exact same password for all
> instances IMO.
>
> In the far distant past, I used to sysadmin mainframes as part of my
> development job. I wrote a batch JCL that checked dialog (interactive)
> sessions in the sysadmin userid - any dialog job that was not from a
> certain hardware path (FEP, line, terminal, etc), was killed.
>
> Worked pretty well as no "hacker" (fellow developers ;-) had time to find
> and kill this JCL before it struck and killed their sysadmin session.
>
> You can consider something similar with Oracle. Using IP addresses, module
> names and even client session info. Have this running every few seconds via
> DBMS_JOB or cron. A brute force method.
>
> The proper method would be to do an analysis of what the security and access
> requirements and problems are - and then solve them. Something as simple as
> a router reconfig can sometimes do the trick. Or you may need a firewall.
> IMO you won't know until you have a serious look at the whole network -
> Oracle security is just one part of it.
>
> --
> Billy
Received on Thu Oct 31 2002 - 10:13:20 CST
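The "brute force" tripwire Billy sketches for Oracle (kill any SYS/SYSTEM session that does not come from an expected place, rescheduled every few seconds via DBMS_JOB), written out as an added PL/SQL example; this is not code from the thread or from either poster. It assumes it is installed by a DBA with direct SELECT on V_$SESSION, that the allow-list and log tables named here are created for the purpose, and that SYS_CONTEXT('USERENV','SID') is available (Oracle 10g or later).

```sql
-- Assumed helper objects (not from the thread): an allow-list of (user, machine)
-- pairs and a log of what the job did. Values are constructed for illustration.
CREATE TABLE dba_session_allowlist (
    username VARCHAR2(30) NOT NULL,
    machine  VARCHAR2(64) NOT NULL,  -- compared against V$SESSION.MACHINE
    CONSTRAINT dba_session_allowlist_pk PRIMARY KEY (username, machine)
);
CREATE TABLE dba_session_kill_log (
    killed_at DATE, sid NUMBER, serial# NUMBER, username VARCHAR2(30),
    machine   VARCHAR2(64), program VARCHAR2(48), result VARCHAR2(200)
);
INSERT INTO dba_session_allowlist VALUES ('SYS',    'DBA-WS01');  -- constructed
INSERT INTO dba_session_allowlist VALUES ('SYSTEM', 'DBA-WS01');  -- constructed
COMMIT;

-- Kill every SYS/SYSTEM session whose client machine is not on the allow-list.
CREATE OR REPLACE PROCEDURE kill_rogue_dba_sessions AS
    v_result VARCHAR2(200);
BEGIN
    FOR s IN (
        SELECT vs.sid, vs.serial#, vs.username, vs.machine, vs.program
          FROM v$session vs
         WHERE vs.username IN ('SYS', 'SYSTEM')
           AND vs.sid <> SYS_CONTEXT('USERENV', 'SID')   -- never kill the job itself
           AND NOT EXISTS (SELECT 1 FROM dba_session_allowlist a
                            WHERE a.username = vs.username
                              AND a.machine  = vs.machine)
    ) LOOP
        BEGIN
            EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION '''
                || s.sid || ',' || s.serial# || ''' IMMEDIATE';
            v_result := 'killed';
        EXCEPTION
            WHEN OTHERS THEN v_result := SUBSTR(SQLERRM, 1, 200);  -- e.g. already marked for kill
        END;
        -- Log every hit, successful or not: this is the record the DBA reviews afterwards.
        INSERT INTO dba_session_kill_log
        VALUES (SYSDATE, s.sid, s.serial#, s.username, s.machine, s.program, v_result);
    END LOOP;
    COMMIT;
END;
/

-- Run it every 10 seconds through the job queue, as the post suggests.
DECLARE
    v_job BINARY_INTEGER;
BEGIN
    DBMS_JOB.SUBMIT(v_job, 'kill_rogue_dba_sessions;', SYSDATE, 'SYSDATE + 10/86400');
    COMMIT;
END;
/
```

V$SESSION.MACHINE is reported by the client, so this catches the careless case Billy describes (a colleague reusing a known password from their own desk) rather than a deliberate intruder who spoofs it; as the post says, the network-level controls are the real boundary. The log table is what makes the job useful even when it fires too late, because it records which user, machine and program connected.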
