
Re: Oracle Software Owner Windows 2K

From: Paul Drake <drak0nian_at_yahoo.com>
Date: 25 Sep 2003 12:33:12 -0700
Message-ID: <1ac7c7b3.0309251133.4a13ae02@posting.google.com>

mccmx_at_hotmail.com (Matt) wrote in message news:<cfee5bcf.0309250449.3f714acf_at_posting.google.com>...
> Hello everyone,
>
> I have a query about security/ownership of the Oracle software on
> Windows 2K.
>
> We have an 8.1.7 install on Windows that was installed using the
> Domain Admin account. Therefore the Oracle binaries and database
> files are owned by the domain admin account.
>
> The Oracle database is configured as a service on Win 2K and runs
> under the SYSTEM account. Therefore in theory it is independent of a
> user account.
>
> One of the security guys on site is planning to remove the domain
> admin accounts from all the servers and I'm concerned that this will
> affect the database setup.
>
> I will still be able to log onto the server with a privileged account
> which I will add to the ORA_DBA group in order to gain SYSDBA
> privileges.
>
> Is anyone aware of any issues that will arise after dropping the
> Oracle software owner account (i.e. domain admin) from the system....?
> Metalink was not much help on this issue.
>
> Matt

Matt,

If they did not make any changes to the default installation, the filesystems are accessed by the group "Everyone" as "Full Control". Ownership of the files would still be by the local administrators group, which the domain admin group would have membership in.

Most likely, he's going to remove the server from the domain, or not permit domain users to logon on that server console. Removing it from the domain would prevent NetBIOS-based attacks that traverse domains that rely on being authenticated in the domain. This would not have helped with Blaster, as that did not need authentication to crash the service.

Most simply, create a local account and grant it membership in the local administrators and local ORA_DBA groups.

create a local group ORA_OPER and grant read/list/execute on all files under the oracle_base (e.g. D:\Oracle) to ORA_OPER. This will get you 90% of the way there.

Login as the local oracle software owner/user and take ownership of all files under the oracle_base (e.g. D:\Oracle) and all subdirectories.

grant the local group ORA_OPER to non-dba users that need to connect to the database from the server console, like backup software accounts.

grant the local group ORA_DBA to dba users.

run the oracle services as a local account that has membership in the local ORA_DBA group.

you can get much more fine-grained than that, but it gets much more elaborate.
got to finish that paper some day.

Pd Received on Thu Sep 25 2003 - 14:33:12 CDT
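The local-account and local-group layout described in the reply above, as an added PowerShell example that is not part of the original post; it assumes a current Windows host (icacls and the LocalAccounts cmdlets rather than Windows 2000's cacls) and an elevated session, and the account, user and service names in it are assumptions.

```powershell
# Added example (not from the original post). Names below are assumptions.
$OracleBase    = 'D:\Oracle'             # the ORACLE_BASE used in the post
$OwnerUser     = 'oracle'                # local Oracle software owner (assumed name)
$OperatorUsers = @('backupsvc')          # non-DBA console users, e.g. backup agent (assumed)
$DbaUsers      = @('matt')               # DBA console users (assumed)
$Services      = @('OracleServiceORCL')  # placeholder: substitute the real Oracle service names

function Ensure-LocalGroup([string]$Name) {
    if (-not (Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Name | Out-Null
    }
}

# 1. Local software owner: member of the local Administrators and ORA_DBA groups.
$pw = Read-Host -AsSecureString "Password for local account $OwnerUser"
if (-not (Get-LocalUser -Name $OwnerUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $OwnerUser -Password $pw -PasswordNeverExpires | Out-Null
}
Ensure-LocalGroup 'ORA_DBA'      # normally created by the Oracle installer
Ensure-LocalGroup 'ORA_OPER'
Add-LocalGroupMember -Group 'Administrators' -Member $OwnerUser -ErrorAction SilentlyContinue
Add-LocalGroupMember -Group 'ORA_DBA'        -Member $OwnerUser -ErrorAction SilentlyContinue

# 2. ORA_OPER gets read / list / execute on everything under ORACLE_BASE.
#    RX = read + execute (list folder is included); (OI)(CI) = inherit to files and subfolders.
icacls $OracleBase /grant "ORA_OPER:(OI)(CI)RX" /T /C | Out-Null

# 3. The local owner takes ownership of the whole tree (replacing the Domain Admin ownership).
icacls $OracleBase /setowner "$env:COMPUTERNAME\$OwnerUser" /T /C | Out-Null

# 4. Group memberships: operators into ORA_OPER, DBAs into ORA_DBA.
$OperatorUsers | ForEach-Object { Add-LocalGroupMember -Group 'ORA_OPER' -Member $_ -ErrorAction SilentlyContinue }
$DbaUsers      | ForEach-Object { Add-LocalGroupMember -Group 'ORA_DBA'  -Member $_ -ErrorAction SilentlyContinue }

# 5. Run the Oracle services as the local owner instead of SYSTEM.
#    sc.exe takes the password in clear text and does not grant "Log on as a service"
#    (the Services MMC does), so assign that right to $OwnerUser separately if it is missing.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
foreach ($svc in $Services) {
    sc.exe config $svc obj= ".\$OwnerUser" password= $plain | Out-Null
}
$plain = $null

# Review the resulting owner and ACL before restarting the services.
icacls $OracleBase
```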
