Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.misc -> Re: Oracle Security Question

Re: Oracle Security Question

From: DA Morgan <damorgan_at_x.washington.edu>
Date: Tue, 07 Dec 2004 08:32:47 -0800
Message-ID: <1102437063.404477@yasure> 





amerar_at_iwc.net wrote:



> Hi All,

> 

> I am hving real trouble with this one.  Basically I've been asked to

> crack down on database security.  Everyone knows all the passwords to

> all the schemas.

> 

> The problem is this place has several Visual Basic applications where

> the password is hard coded into the code.  This does me no good,

> because once I change the password, I need to tell the developer what

> it is......it defeats the purpose of changing the password.

> 

> What options are available to me?  We are running Oracle 8.1.7.3.  I

> need to hide the passwords from everyone.  But I'm not sure what

> options I have over a network......

> 

> Thanks,

> 

> Arthur




I agree with Bricklen about Pete Finnigan's web site.



Additionally you might want to look at several possible techniques
in combination:



    
  
  1.   tcp.validnode_checking=yes and tcp.invited_nodes=(address1, address2, 
...) in a file named protocol.ora

  
  2.   an after logon trigger that validates the users based on the
application that is registered in v_$session (yes it can be spoofed
but spoofing is highly unlikely if you don't advertise what you are
doing






But in the end the basic problem you are confronting is one of a
management team that has no real understanding of security. No doubt
they will someday learn the lesson: Just hopefully not on your watch.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)


Received on Tue Dec 07 2004 - 10:32:47 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US