Re: Oracle Software Owner Windows 2K
"Paul Drake" <drak0nian_at_yahoo.com> wrote in message
news:1ac7c7b3.0309252049.6b40a427_at_posting.google.com...
> "Niall Litchfield" <niall.litchfield_at_dial.pipex.com> wrote in message news:<3f735077$0$262$cc9e4d1f_at_news.dial.pipex.com>...
> > "Matt" <mccmx_at_hotmail.com> wrote in message
> > news:cfee5bcf.0309250449.3f714acf_at_posting.google.com...
> > > Hello everyone,
> > >
> > > I have a query about security/ownership of the Oracle software on
> > > Windows 2K.
> > >
> > > We have an 8.1.7 install on Windows that was installed using the
> > > Domain Admin account. Therefore the Oracle binaries and database
> > > files are owned by the domain admin account.
> > >
> > > The Oracle database is configured as a service on Win 2K and runs
> > > under the SYSTEM account. Therefore in theory it is independent of a
> > > user account.
> > >
> > > One of the security guys on site is planning to remove the domain
> > > admin accounts from all the servers and I'm concerned that this will
> > > affect the database setup.
> >
> > Assuming that your servers are members of an NT domain/or AD then removing
> > all rights for domain accounts to admin them is one of the daftest things I
> > have ever come across. I can't think of any reason why one would do this -
> > other than to make windows admin harder than it should be obviously. As far
> > as you are concerned ensuring that the relevant dba domain user accounts are
> > members of the local ORA_DBA groups and that the services run under the
> > SYSTEM account (or one equally privileged) will do you just fine.
> >
> >
> > --
> > Niall Litchfield
> > Oracle DBA
> > Audit Commission UK
>
> Niall,
>
> I have to disagree.
>
> No domain, no cry.
> No NetBIOS, no cry.
I do understand what you are saying and it is sensible (though I wouldn't do it). What I understood the OP to be saying was that the servers would remain in the domain but be administered by local security accounts. That is what strikes me as daft.
Now I like the fact that I can sit at my desk and do
sqlplus /nolog
conn /@tnsnames as sysdba
because I am a member of a domain group that is a member of ora_dba on each
Oracle server in the domain, since the alternative is to sit under the
aircon unit in the server room and freeze :(. I also get an audit trail of
who did the action.
I also like the fact that scheduled jobs etc can all be run under the same security context and various other bits and bobs that make servers being in a domain 'easier'.
Now I can see that making the servers standalone would be more secure but I think that that is a different argument. What I can't see is why you would have a domain infrastructure and not use it.
--
Niall Litchfield
Oracle DBA
Audit Commission UK

Received on Fri Sep 26 2003 - 03:41:14 CDT