
Re: Oracle Software Owner WIndows 2K

From: Niall Litchfield <n-litchfield_at_audit-commission.gov.uk>
Date: Fri, 26 Sep 2003 09:41:14 +0100
Message-ID: <3f73fbaa$0$250$ed9e5944@reading.news.pipex.net>

"Paul Drake" <drak0nian_at_yahoo.com> wrote in message news:1ac7c7b3.0309252049.6b40a427_at_posting.google.com... > "Niall Litchfield" <niall.litchfield_at_dial.pipex.com> wrote in message  news:<3f735077$0$262$cc9e4d1f_at_news.dial.pipex.com>...
> > "Matt" <mccmx_at_hotmail.com> wrote in message
> > news:cfee5bcf.0309250449.3f714acf_at_posting.google.com...
> > > Hello everyone,
> > >
> > > I have a query about security/ownership of the Oracle software on
> > > Windows 2K.
> > >
> > > We have an 8.1.7 install on Windows that was installed using the
> > > Domain Admin account. Therefore the Oracle binaries and database
> > > files are owned by the domain admin account.
> > >
> > > The Oracle database is configured as a service on Win 2K and runs
> > > under the SYSTEM account. Therefore in theory it is independent of a
> > > user account.
> > >
> > > One of the security guys on site is planning to remove the domain
> > > admin accounts from all the servers and I'm concerned that this will
> > > affect the database setup.
> >
> > Assuming that your servers are members of an NT domain/or AD then removing
> > all rights for domain accounts to admin them is one of the daftest things I
> > have ever come across. I can't think of any reason why one would do this -
> > other than to make windows admin harder than it should be obviously. As far
> > as you are concerned ensuring that the relevant dba domain user accounts are
> > members of the local ORA_DBA groups and that the services run under the
> > SYSTEM account (or one equally privileged) will do you just fine.
> >
> >
> > --
> > Niall Litchfield
> > Oracle DBA
> > Audit Commission UK

>
> Niall,
>
> I have to disagree.
>
> No domain, no cry.
> No NetBIOS, no cry.

I do understand what you are saying and it is sensible (though I wouldn't do it). What I understood the OP to be saying was that the servers would remain in the domain but be administered by local security accounts. That is what strikes me as daft.

Now I like the fact that I can sit at my desk and do

    sqlplus /nolog
    conn /@tnsnames as sysdba

because I am a member of a domain group that is a member of ora_dba on each Oracle server in the domain, since the alternative is to sit under the aircon unit in the server room and freeze :(. I also get an audit trail of who did the action.

I also like the fact that scheduled jobs etc can all be run under the same security context and various other bits and bobs that make servers being in a domain 'easier'.

Now I can see that making the servers standalone would be more secure but I think that that is a different argument. What I can't see is why you would have a domain infrastructure and not use it.

-- 
Niall Litchfield
Oracle DBA
Audit Commission UK
Received on Fri Sep 26 2003 - 03:41:14 CDT
