Oracle FAQ | Usenet | c.d.o.server | Looking for Security book
Pete Finnigan <pete_at_peterfinnigan.demon.co.uk> wrote in message news:<PvE7YuAHStS+EwDM_at_peterfinnigan.demon.co.uk>...
> Hi Paul
>
> Thanks very much for sharing these thoughts with us. I have a number of
> similar schemes and ideas on paper for securing file permissions on Win
> 2K and Win NT from a number of different sources.
>
> In general it is not as easy as Unix to make the file system secure..:-(
> When I was writing the guide I had detailed discussions with a number of
> people on this subject and we came to the list of recommendations
> regarding windows file permissions in action 1.2.4 in the guide, rather
> than detailed steps to set individual file permissions.
>
> I agree with you that in a book like this that is intended to be a
> "cookbook" style we couldn't include detailed steps to set every file
> permission and directory permissions, the book would have become too
> huge if so.
>
> If I get a chance I will test out your permissions list on a spare server
> I have and come back to you.
>
> Thanks for the comments and for sharing your info.
>
> Kind regards
>
> Pete
> --
> Pete Finnigan
>
> Email : pete_at_peterfinnigan.demon.co.uk
> Email : pete_at_petefinnigan.com
>
> Web site: http://www.petefinnigan.com
>
> Independent consultant specialising in Oracle security. Pete Finnigan is the
> author of the recently published book about Oracle security from the SANS
> Institute "Oracle security Step-by-step (A survival guide for Oracle security)"
> - see http://store.sans.org for details.
>
> Some recently published articles include:
>
> http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part one"
>
> http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part two"
Pete,
It is impossible to secure the filesystem. Once a user gains local administrator, or an account in the local administrators group, they can take ownership of or grant filesystem permissions on files to which they previously did not have access rights. All that one can hope to do is to generate alerts (not in the local event logs) that would be tracked in the event of such filesystem (or local user group, e.g. ORA_DBA) permissions being granted.
If local administrator can be gained, the battle is certainly lost. At least if the box does not participate in a domain, that limits the number of members of the Domain Admins group that can cause damage, such as the deletion of online redo log group members. (It happened today.)
Testing backups is important, though.
Here's a couple of additions/corrections:
A user logging in as a member of the local group Users should also have access to (as read/execute)
%ORACLE_HOME%\
network\ admin* mesg* oracore\mesg ocommon\nls\mesg rdbms\mesg* sqlplus\mesg sysman\mesg
Now, the easy way to accomplish this is to just assign read/browse/execute at the level of %ORACLE_BIN%\ (and all subfolders).
This exposes read/exec on \rdbms\admin. Based upon the tone of the rest of the book, I would expect that you would find this as not being a good idea.
Not wanting to cause anyone that followed this thread to give up, based upon an error message or 2 ...
Paul
Received on Wed Feb 12 2003 - 21:13:30 CST
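The per-directory grant Paul describes (read/execute for the local Users group on the listed message and network\admin folders only, rather than on the whole tree), as an added PowerShell example that is not from the thread or from the SANS guide; the $OracleHome path, the BUILTIN\Users account name and the wildcard expansion are assumptions.

```powershell
# Added example: grant BUILTIN\Users read/execute on specific ORACLE_HOME
# subfolders instead of the whole tree, then check that rdbms\admin did not
# become readable by Users through an inherited ACE.
$OracleHome = 'C:\oracle\ora92'   # assumption: set to your real ORACLE_HOME
$Users      = 'BUILTIN\Users'     # assumption: local Users group name

# Folder patterns taken from the post; '*' expands to matching subfolders.
$Patterns = @('network\admin*', 'mesg*', 'oracore\mesg',
              'ocommon\nls\mesg', 'rdbms\mesg*', 'sqlplus\mesg', 'sysman\mesg')

$Rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]'None'
$Rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
             $Users, $Rights, $Inherit, $Prop, 'Allow')

foreach ($p in $Patterns) {
    # Resolve-Path expands wildcards; patterns with no match are skipped.
    $matches = Resolve-Path (Join-Path $OracleHome $p) -ErrorAction SilentlyContinue
    foreach ($dir in $matches) {
        if (-not (Test-Path $dir -PathType Container)) { continue }
        $acl = Get-Acl $dir
        $acl.AddAccessRule($Rule)          # adds an explicit Allow ACE
        Set-Acl -Path $dir -AclObject $acl
        Write-Host "Granted $Users read/execute on $dir"
    }
}

# Verification: a blanket grant at the top level would let Users read
# rdbms\admin; flag any Allow ACE for Users carrying ReadData there.
$adminDir = Join-Path $OracleHome 'rdbms\admin'
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$exposed  = (Get-Acl $adminDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Users -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readData) -ne 0)
}
if ($exposed) { Write-Warning "$Users can read $adminDir; review inherited ACEs" }
else          { Write-Host "$adminDir is not readable by $Users" }
```

The verification step only inspects ACEs on rdbms\admin itself; ownership changes or group membership changes of the kind Paul mentions still need to be caught by separate alerting.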