Sunday 23 December 2007

Oracle: User Account Security ...

Oracle has a bewildering array of security features to help you ensure that your users access only what they need and to give you very fine control over their abilities.

A couple of things to look at first: the following initialisation parameters are FALSE by default and, unless you have a very good reason, should stay that way:

O7_DICTIONARY_ACCESSIBILITY = FALSE
REMOTE_OS_AUTHENT = FALSE

With O7_DICTIONARY_ACCESSIBILITY set to TRUE, the "ANY" system privileges (SELECT ANY TABLE and friends) reach into the SYS-owned data dictionary, so anyone holding them can read or alter the dictionary itself. With REMOTE_OS_AUTHENT set to TRUE, the database trusts the operating-system user name supplied by a remote client for externally identified accounts, which is trivial to spoof. Both parameters are static, so a change needs an spfile update and a restart.

In addition you should check the privileges that have been assigned to PUBLIC and remove any that you are not comfortable with: anything granted to PUBLIC is effectively granted to every user of the database. Remember the principle of 'Least Privilege'.

You should also absolutely minimise the number of users who have administrative access, whether through the DBA role, SYSDBA, or privileges granted WITH ADMIN OPTION.
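A query-driven version of those three checks (the two parameters, the PUBLIC grants and the administrative accounts), added here as an example rather than code from the original post. It is meant for SQL*Plus, connected as SYS or a user holding the DBA role. V$PARAMETER, DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_ROLE_PRIVS are standard Oracle data dictionary views; the list of packages to review and the REVOKE at the end are illustrative choices, not a fixed rule.

```sql
-- Added example (not from the original post): audit the two parameters,
-- the grants made to PUBLIC and who holds administrative privileges.
-- Run as SYS (AS SYSDBA) or a DBA-role user. All views are standard
-- data dictionary views.

-- 1. Both parameters should report FALSE.
SELECT name, value
  FROM v$parameter
 WHERE UPPER(name) IN ('O7_DICTIONARY_ACCESSIBILITY', 'REMOTE_OS_AUTHENT');

--    Both are static parameters, so the fix goes into the spfile and
--    takes effect at the next restart (uncomment to apply):
-- ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
-- ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- 2. Everything PUBLIC can do, every database user can do.
--    System privileges granted to PUBLIC (normally there should be none):
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC';

--    Roles granted to PUBLIC (normally there should be none):
SELECT granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC';

--    Object privileges PUBLIC holds on packages that reach outside the
--    database (file system and network). EXECUTE on these is granted to
--    PUBLIC out of the box; the list here is an illustrative selection.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP')
 ORDER BY table_name;

--    Example revoke. Check first which application schemas depend on the
--    package and grant it to them directly before taking it from PUBLIC:
-- REVOKE EXECUTE ON utl_tcp FROM PUBLIC;
-- GRANT EXECUTE ON utl_tcp TO some_app_owner;   -- hypothetical schema name

-- 3. Who holds the DBA role, and who can re-grant a system privilege.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;
```

Run the three sections in order and keep the output: the PUBLIC and ADMIN OPTION lists are the baseline you compare against after the next patch or application install, when grants tend to creep back in.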

Whenever an Oracle database is created the users SYS and SYSTEM are also created. If you use DBCA (Database Configuration Assistant) to create your database you will also have SYSMAN and DBSNMP.

SYS - Data Dictionary Owner
SYSTEM - Admin Account
SYSMAN - Used by Enterprise Manager (EM)
DBSNMP - Used by Enterprise Manager (EM)

Check all the default accounts that are created and make sure that those you don't initially need are locked and have their password expired. The following statement shows how this is accomplished (pip is a placeholder user name):

ALTER USER pip PASSWORD EXPIRE ACCOUNT LOCK;
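A dictionary check that lists every open account and writes out the matching ALTER USER statements for you to review before running, added here as an example and not taken from the original post. It reads DBA_USERS, a standard view; the accounts excluded from locking (SYS, SYSTEM and the two Enterprise Manager accounts) and the SCOTT demo schema used to show the verification step are assumptions for the example.

```sql
-- Added example (not from the original post): find the accounts that are
-- still open and generate the statements that lock them and expire their
-- passwords. Run as SYS or a DBA-role user. DBA_USERS is a standard view.

-- 1. Current status of every account.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 ORDER BY username;

-- 2. Open accounts other than the ones this database genuinely needs.
--    The exclusion list is an assumption for the example: the two
--    mandatory accounts plus the two Enterprise Manager accounts. Add your
--    own application owners to it before using the output.
SELECT 'ALTER USER "' || username || '" PASSWORD EXPIRE ACCOUNT LOCK;' AS fix_stmt
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND username NOT IN ('SYS', 'SYSTEM', 'SYSMAN', 'DBSNMP')
 ORDER BY username;

-- 3. Apply the statements you agree with, then confirm. SCOTT is used
--    here only as a sample account; the status should read
--    EXPIRED & LOCKED for every account you changed.
-- ALTER USER "SCOTT" PASSWORD EXPIRE ACCOUNT LOCK;
SELECT username, account_status
  FROM dba_users
 WHERE username = 'SCOTT';

-- Locking is not the same as changing the password. A locked account that
-- still has its installation default password will accept that password
-- the moment somebody unlocks it, so change the password as well:
-- ALTER USER "SCOTT" IDENTIFIED BY "<a new strong password>";
```

Generating the statements rather than running an UPDATE-style loop keeps a human in the path: the output is a script you read, trim and then execute, and it doubles as a record of what was locked and when.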

Assuming you are using database authentication of your users, then password security rules are enforced through profiles. Listed below are some of the password security profile parameters that you can use:

FAILED_LOGIN_ATTEMPTS - maximum number of consecutive failed logins before the account is locked
PASSWORD_LOCK_TIME - number of days (or a fraction of a day, e.g. 5/1440 = 5 minutes) the account stays locked after that many failures
PASSWORD_LIFE_TIME - maximum number of days a password may be used
PASSWORD_GRACE_TIME - number of days, starting from the first successful login after the password has expired, during which the user is warned to change the password but can still log in
PASSWORD_REUSE_TIME - minimum number of days before a password can be reused
PASSWORD_REUSE_MAX - minimum number of password changes before a password can be reused

These parameters are set in the following way:

CREATE PROFILE passwordlimit LIMIT
PASSWORD_LOCK_TIME 1
FAILED_LOGIN_ATTEMPTS 3;

Creating the profile does nothing on its own; it has to be assigned to each user (ALTER USER ... PROFILE passwordlimit), and users you don't assign it to keep the DEFAULT profile. Unlike the resource limits in a profile, the password limits are enforced whether or not RESOURCE_LIMIT is set to TRUE.
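A complete profile using every parameter listed above, assigned to a user and then verified from the data dictionary, added here as an example rather than the original post's code. The numeric limits are illustrative values, not a recommendation; pip is the same placeholder user name used earlier on the page, and DBA_PROFILES and DBA_USERS are standard views.

```sql
-- Added example (not from the original post): a full password profile,
-- assigned to a user and checked. Run as SYS or a DBA-role user.
-- The limit values are illustrative; pick ones that match your policy.
CREATE PROFILE passwordlimit LIMIT
  FAILED_LOGIN_ATTEMPTS 3         -- lock after 3 consecutive failures
  PASSWORD_LOCK_TIME    1/24      -- stay locked for 1 hour (fraction of a day)
  PASSWORD_LIFE_TIME    90        -- password must be changed every 90 days
  PASSWORD_GRACE_TIME   7         -- 7 days of warnings after it expires
  PASSWORD_REUSE_TIME   365       -- no reuse within a year ...
  PASSWORD_REUSE_MAX    10;       -- ... and not until 10 other passwords were used

-- A profile only applies to users it is assigned to; everyone else keeps
-- DEFAULT. pip is a placeholder user name.
ALTER USER pip PROFILE passwordlimit;

-- Verify the stored limits (profile names are stored in upper case).
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'PASSWORDLIMIT'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- And confirm the user actually picked it up.
SELECT username, profile, account_status
  FROM dba_users
 WHERE username = 'PIP';

-- A user who trips FAILED_LOGIN_ATTEMPTS is unlocked automatically when
-- PASSWORD_LOCK_TIME elapses, or immediately by a DBA:
-- ALTER USER pip ACCOUNT UNLOCK;
```

Set PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX together: when both are integers, a password can be reused only after both conditions are met; when one is an integer and the other UNLIMITED, the password can never be reused; when both are UNLIMITED, no reuse restriction applies. Checking DBA_PROFILES after the CREATE is the cheapest way to catch a typo in a parameter name, since a mistyped name is a syntax error but a mistyped value (1 instead of 1/24) is silently accepted.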

"Courage is fear that has said its prayers." - Dorothy Bernard
