
Re: Oracle Software Owner Windows 2K

From: Matt <mccmx_at_hotmail.com>
Date: 2 Oct 2003 02:58:37 -0700
Message-ID: <cfee5bcf.0310020158.32fdf960@posting.google.com>


drak0nian_at_yahoo.com (Paul Drake) wrote in message news:<1ac7c7b3.0309251133.4a13ae02_at_posting.google.com>...
> mccmx_at_hotmail.com (Matt) wrote in message news:<cfee5bcf.0309250449.3f714acf_at_posting.google.com>...
> > Hello everyone,
> >
> > I have a query about security/ownership of the Oracle software on
> > Windows 2K.
> >
> > We have an 8.1.7 install on Windows that was installed using the
> > Domain Admin account. Therefore the Oracle binaries and database
> > files are owned by the domain admin account.
> >
> > The Oracle database is configured as a service on Win 2K and runs
> > under the SYSTEM account. Therefore in theory it is independent of a
> > user account.
> >
> > One of the security guys on site is planning to remove the domain
> > admin accounts from all the servers and I'm concerned that this will
> > affect the database setup.
> >
> > I will still be able to log onto the server with a privileged account
> > which I will add to the ORA_DBA group in order to gain SYSDBA
> > privileges.
> >
> > Is anyone aware of any issues that will arise after dropping the
> > Oracle software owner account (i.e. domain admin) from the system....?
> > Metalink was not much help on this issue.
> >
> > Matt
>
> Matt,
>
> If they did not make any changes to the default installation, the
> filesystems are accessed by the group "Everyone" as "Full Control".
> Ownership of the files would still be by the local administrators
> group, which the domain admin group would have membership in.
>
> Most likely, he's going to remove the server from the domain, or not
> permit domain users to logon on that server console. Removing it from
> the domain would prevent NetBIOS-based attacks that traverse domains
> that rely on being authenticated in the domain. This would not have
> helped with Blaster, as that did not need authentication to crash the
> service.
>
> Most simply, create a local account and grant it membership in the
> local administrators and local ORA_DBA groups.
>
> create a local group ORA_OPER and grant read/list/execute on all files
> under the oracle_base (e.g. D:\Oracle) to ORA_OPER. This will get you
> 90% of the way there.
>
> Login as the local oracle software owner/user and take ownership of
> all files under the oracle_base (e.g. D:\Oracle) and all
> subdirectories.
>
> grant the local group ORA_OPER to non-dba users that need to connect
> to the database from the server console, like backup software
> accounts.
>
> grant the local group ORA_DBA to dba users.
>
> run the oracle services as a local account that has membership in the
> local ORA_DBA group.
>
> you can get much more fine-grained than that, but it gets much more
> elaborate.
> got to finish that paper some day.
>
> Pd

Paul,

Cheers for the info. You are correct in your assumptions, basically the security consultant wants to disallow domain account access to the server console.

My plan was to do as you recommend, i.e. create a local admin account and add it to the ORA_DBA group. And then create ORA_OPER to provide more granularity of privileges.

However I will keep the Oracle services running under the SYSTEM account.

Thanks again for your help.

Matt

Received on Thu Oct 02 2003 - 04:58:37 CDT
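
The steps from the quoted reply, collected into one batch script as an added example; it is not part of either poster's message. It assumes a hypothetical local account name `orasvc`, a hypothetical service name `OracleServiceORCL`, and a Windows release that ships `icacls` (newer than the Windows 2000 discussed in the thread); `D:\Oracle` is the example oracle_base from the thread.

```batch
@echo off
rem Added example, not from the thread. Run from an elevated prompt on the server.
rem Assumptions: account name "orasvc" is hypothetical; icacls is available.
setlocal
set "ORA_USER=orasvc"
set "ORA_BASE=D:\Oracle"

rem Fail early if the oracle_base path is wrong rather than re-ACLing another tree.
if not exist "%ORA_BASE%\" (echo %ORA_BASE% not found & exit /b 1)

rem 1. Local software-owner account. "*" prompts for the password so it never
rem    appears on the command line or in a script file.
net user %ORA_USER% * /add

rem 2. Membership in the local Administrators and local ORA_DBA groups.
net localgroup Administrators %ORA_USER% /add
net localgroup ORA_DBA %ORA_USER% /add

rem 3. Local ORA_OPER group (created only if missing) with read/list/execute
rem    on everything under the oracle_base.
net localgroup ORA_OPER >nul 2>&1 || net localgroup ORA_OPER /add
icacls "%ORA_BASE%" /grant "ORA_OPER:(OI)(CI)RX" /T /C

rem 4. Ownership of the tree moves to the local account, so nothing is left
rem    owned by a domain account that is about to lose access.
icacls "%ORA_BASE%" /setowner %ORA_USER% /T /C

rem 5. Checks: confirm group membership, then show any remaining "Everyone"
rem    entry on the oracle_base for review (the default noted in the thread).
net localgroup ORA_DBA | findstr /i /b /c:"%ORA_USER%" >nul || echo WARNING: %ORA_USER% is not in ORA_DBA
icacls "%ORA_BASE%" | findstr /i "Everyone"

rem 6. Optional, per the quoted reply: run the Oracle service as the local
rem    account instead of SYSTEM. The service name is a placeholder, and the
rem    account also needs the "Log on as a service" right, which sc does not grant.
rem sc config OracleServiceORCL obj= ".\%ORA_USER%" password= "<password>"
endlocal
```

Step 6 is left commented out because the reply above keeps the services under the SYSTEM account.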
