
Re: Restrict TOAD from accessing a DB?

From: Rauf Sarwar <rs_arwar_at_hotmail.com>
Date: 5 Mar 2003 19:32:55 -0800
Message-ID: <92eeeff0.0303051932.1d383f26@posting.google.com>


yong321_at_yahoo.com (Yong Huang) wrote in message news:<b3cb12d6.0303051520.2dce519c_at_posting.google.com>...
> navaed7024_at_hotmail.com (E. Navarro) wrote in message news:<b86354ef.0303051201.34b7908e_at_posting.google.com>...
> > Oracle EE 8.1.7.4
> > Sun OS 5.7
> >
> > All,
> >
> > Does anyone know of a solution to prevent users from logging into a
> > database with certain applications? In my case, I want to prevent users
> > from logging into our production databases using TOAD.
> >
> > I can monitor who is logging in and how they are logging in using OEM,
> > but what I would like is to be alerted the second someone tries to log
> > in using TOAD. Can this be done?
> >
> > TIA,
> > Daniel N.
> > Oracle DBA
>
> You can check v$session for module = 'T.O.A.D', or if the user
> hasn't renamed the toad program name, program = 'TOAD.exe', and kill
> the session. But it's trivial to even change the binary toad.exe to
> hide the 'T.O.A.D' string. Open it with a binary file editor, or even
> a text editor that is binary-file friendly such as (g)vim. Find the
> string "begin sys.dbms_application_info.set_module('T.O.A.D.', null);
> end;" and replace 'T.O.A.D' with any 7-character-long string. In a
> nutshell, there's no absolute way to prevent it. You may be better off
> blocking connections from any terminal other than designated ones using
> $TNS_ADMIN/protocol.ora (or .protocol.ora if it's before 8.1.6.2).
>
> If you wish to use product_user_profile table to restrict connections
> from third party tools such as Toad, it's not possible. That table can
> only block sqlplus connection.
>
> Yong Huang

To add to the above, serve the applications that are supposed to have access to the database from a file server. Give users only read access to the executables so that they cannot change the file name. Only allow those executables via a logon trigger.... Kick everything else out. Of course you would need to tweak it a bit if you want users with admin rights to log on using OEM, Sqlplus etc.

Regards
/Rauf Sarwar

Received on Wed Mar 05 2003 - 21:32:55 CST
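A sketch of the logon-trigger allowlist described in the message above, added here as an example and not code from either poster. The table, procedure and trigger names and the sample program name are hypothetical; the rejects table is what a monitoring job would poll to raise the alert the original question asks for.

```sql
-- Added example; all object names below are hypothetical.
-- The owning schema needs a direct grant: GRANT SELECT ON sys.v_$session TO <owner>;
CREATE TABLE allowed_programs (program VARCHAR2(64) PRIMARY KEY);
-- Constructed sample entry: store the name as v$session.program reports it, upper-cased.
INSERT INTO allowed_programs VALUES ('ORDERENTRY.EXE');
COMMIT;

CREATE TABLE logon_rejects (
  logon_time DATE,
  username   VARCHAR2(30),
  osuser     VARCHAR2(30),
  machine    VARCHAR2(64),
  program    VARCHAR2(64)
);

-- Autonomous transaction so the audit row survives the error raised by the trigger.
CREATE OR REPLACE PROCEDURE log_logon_reject (
  p_user VARCHAR2, p_osuser VARCHAR2, p_machine VARCHAR2, p_program VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO logon_rejects VALUES (SYSDATE, p_user, p_osuser, p_machine, p_program);
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER restrict_client_programs
AFTER LOGON ON DATABASE
DECLARE
  v_hits NUMBER;
BEGIN
  -- Look up the row for the session that is logging on right now.
  FOR s IN (SELECT username, osuser, machine, program
              FROM v$session
             WHERE audsid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SESSIONID'))
               AND ROWNUM = 1)
  LOOP
    -- A NULL program never matches, so unknown clients are denied by default.
    SELECT COUNT(*) INTO v_hits
      FROM allowed_programs
     WHERE program = UPPER(s.program);
    IF v_hits = 0 THEN
      log_logon_reject(s.username, s.osuser, s.machine, s.program);
      RAISE_APPLICATION_ERROR(-20001,
        'Connections from this client program are not permitted');
    END IF;
  END LOOP;
END;
/
```

Users holding the ADMINISTER DATABASE TRIGGER privilege are not blocked by an error raised in a logon trigger, so DBA accounts can still connect with OEM or SQL*Plus while their attempts are logged. The program value is reported by the client, so, as the quoted reply notes, this is a policy control and not an absolute barrier.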
