I'm working in an IAG dept.
I need to disable access to Oracle from OS groups, leaving only access via local accounts, at least from v$pwfile_users.
Is it possible?
Thanks
I'm new to Oracle and I'm currently hardening a database.
Is it a good idea to drop the SYS and SYSTEM users? Normally default accounts are dropped for security reasons. Can I do that on Oracle, or will I break something?
From the documentation (emphasis added):
All databases include the administrative accounts SYS, SYSTEM, and DBSNMP. Administrative accounts are highly privileged accounts, and are needed only by individuals authorized to perform administrative tasks such as starting and stopping the database, managing database memory and storage, creating and managing database users, and so on. You log in to Oracle Enterprise Manager Database Express (EM Express) with SYS or SYSTEM. You assign the passwords for these accounts when you create the database with Oracle Database Configuration Assistant (DBCA). You must not delete or rename these accounts.
And:
All base (underlying) tables and views for the database data dictionary are stored in the SYS schema. These base tables and views are critical for the operation of Oracle Database.
So no, it is not a good idea, and it would destroy your database.
Normally default accounts are dropped for security reasons. Can I do that on Oracle, or will I break something?
The first documentation link above also says (emphasis added again):
All databases also include internal accounts, which are automatically created so that individual Oracle Database features or components such as Oracle Application Express can have their own schemas. To protect these accounts from unauthorized access, they are initially locked and their passwords are expired. (A locked account is an account for which login is disabled.) You must not delete internal accounts, and you must not use them to log in to the database.
And it mentions sample schema accounts, which you can choose not to install in the first place, but which could be dropped if required.
The main thing is to secure all accounts, and you should limit any accounts you create to only have the minimum privileges necessary.
You can also read more about this in the database administrator's guide.
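The answer's alternative to dropping accounts is to keep them locked and least-privileged. As an added example (not from the answer), the following Oracle SQL lists open accounts with their DBA and SYSDBA/SYSOPER holdings so that unneeded ones can be locked and expired instead of dropped; SAMPLE_USER is a placeholder name and the queries assume a DBA session.

```sql
-- Added example: review, then lock and expire, rather than drop.
-- SAMPLE_USER is a placeholder; run as a DBA.

-- 1. Open accounts and whether each holds the DBA role.
--    SYS and SYSTEM are expected here; any other open account with DBA
--    needs a documented reason to exist.
SELECT u.username, u.account_status, u.profile, r.granted_role
  FROM dba_users u
  LEFT JOIN dba_role_privs r
    ON r.grantee = u.username
   AND r.granted_role = 'DBA'
 WHERE u.account_status = 'OPEN'
 ORDER BY u.username;

-- 2. Accounts that can log in as SYSDBA/SYSOPER through the password file.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 3. An internal or unused account is locked and expired, never dropped.
ALTER USER sample_user ACCOUNT LOCK PASSWORD EXPIRE;

-- 4. Confirm the new state (expected: EXPIRED & LOCKED).
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'SAMPLE_USER';
```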
It is a very bad idea. I don't think the database will even work without them and doubt that the drop is allowed. Make sure the accounts are safe instead.
I've been testing a software I helped develop, which resides on a 32-bit application server. It is to connect to a 64-bit database server, which uses IBM DB2 v10.1.
I was the one to setup the DB2, but I'm pretty sure it has since been modified; I am no longer able to connect using the Username/Password: db2admin/db2admin.
Instead, I have to use Administrator/p#ssw0rd. I do not recall creating that user myself - it is a local account on the computer itself - but from my ODBC tests, it can connect to the database.
However, it appears it doesn't have any privileges. My attempts to see where this 'user' is using Data Studio 3.2.0 have failed, though given my experience (lack thereof) with DB2, this is not surprising.
My concerns are two-fold:
To find where this 'Administrator' resides.
And to modify its privileges to replicate that of db2admin, which, iirc, is a Database Administrator.
My attempts to research the problem on the net were met with failure - either the so-called solution doesn't work, or it is too complex for me to understand if it did work (it didn't).
I have tried the following:
Modifying the Database directly via Data Studio 3.2.0; Right clicking on the database, selecting Manage Privileges, and checking everything I could find - note that I did not find any 'Administrator', just a 'PUBLIC', 'DB2ADMIN', 'SYSDEBUG'. Also, it doesn't seem to save.
Select * from SYSCAT.DBAUTH where GRANTEE = 'Administrator'; This produces a long list of tables, I guess. Don't know what to do with them, but if I replace 'Administrator' with 'db2admin', I get exactly the same result.
Creating a new user called 'Administrator' using Data Studio;
Please, I'd like some light shed on this; DB2 is an extremely frustrating database. I'm using DB2 v10.1, Data Studio 3.2.0, and Windows Server 2008.
DB2 authentication relies on an external mechanism, such as OS security or LDAP. In your case, it seems it is Windows security.
DB2 authorisation is internal, so any grant is inside the database, with some exceptions.
There are several authorities in DB2, some at instance level and other at database level. Those at database level, you can find them inside the database, by querying the catalog, and they can be assigned to a user or to a group.
The other authorities, at instance level, are associated with an OS group (external mechanism).
The highest authority in a database is DBADM, and the highest authority at an instance level is SYSADM. Every user in the group associated with SYSADM automatically becomes DBADM in all databases inside the instance.
Well, this is just a short explanation of how DB2 security is. It means that your 'Administrator' user has the 'connect' privilege (sometimes the 'connect' privilege is public, meaning any user can connect), but it does not have any other privilege, nor authority.
Finally, in a Windows environment, there is another security layer that associates users with two groups, DB2ADMNS and DB2USERS. For more information check this link http://publib.boulder.ibm.com/infocenter/db2luw/v10r1/topic/com.ibm.db2.luw.admin.sec.doc/doc/c0023391.html
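As an added example (not from the answer or the questioner), the DB2 LUW 10.1 catalog queries that show what the Windows account actually holds, and the database-level grant that gives it the same authority db2admin has. It assumes the authorization ID is Administrator; DB2 folds undelimited IDs to uppercase, so the catalog stores ADMINISTRATOR.

```sql
-- Added example: diagnosing a DB2 10.1 user that can connect but holds no authority.
-- Assumption: the OS user is "Administrator", stored by DB2 as 'ADMINISTRATOR'.

-- 1. Database-level authorities recorded directly for the user.
--    A user that can merely connect shows 'N' everywhere; CONNECTAUTH is
--    often held through PUBLIC rather than through the user itself.
SELECT grantee, granteetype, dbadmauth, connectauth,
       createtabauth, securityadmauth
  FROM syscat.dbauth
 WHERE grantee = 'ADMINISTRATOR';

-- 2. Effective authorities, including those inherited from OS groups such as
--    DB2ADMNS (the SYSADM group). 'U' marks the ID as a user. The table
--    function exists since DB2 9.7; only rows with some 'Y' are shown.
SELECT authority, d_user, d_group, d_public,
       role_user, role_group, role_public, d_role
  FROM TABLE (sysproc.auth_list_authorities_for_authid('ADMINISTRATOR', 'U')) AS t
 WHERE 'Y' IN (d_user, d_group, d_public,
               role_user, role_group, role_public, d_role);

-- 3. Grant the same database-level authority db2admin holds, scoped to this
--    database only. Instance-level SYSADM cannot be granted here; it comes
--    from membership in the SYSADM OS group.
GRANT DBADM ON DATABASE TO USER administrator;

-- 4. Re-run step 2: DBADM should now report d_user = 'Y'.
```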
Well, I solved it, but it remains to be seen why this occurred in the first place;
After creating the user 'Administrator', I modified the privilege by checking everything. It seemed to work.
You have to GRANT a SELECT on the TABLE to the USER.
GRANT SELECT, INSERT ON mytable TO USER peter
"db2 is not frustrating!"
We're installing some Oracle XE servers (the free one) on people's desktops for development use.
What's a good default role to assign to these developers? Since these instances contain scratch data only, data security is not a concern.
If you want the developers to be able to do anything grant the DBA on the development DB. Of course there is a risk with this; if they develop and run the code as themselves they will not address the security needs of the application.
If you want the developers to work with the security context of the application grant them the same roles that the application has in Prod.
So; if you want them to be able to do anything on the Dev instance but still code in the same security context as on Prod, create 2 users for them. The first is their usual user with the same rights as the code will execute under in Prod, and the second is a DBA user with the DBA role.
It's odd to some people who are used to the Windows approach (where a domain admin user reads email, browses the web, etc. with domain admin rights) but very familiar to a Unix user who reads email as a low-level user but can SUDO if needed.
As a developer all I ask for on dev databases is the SYSTEM password, as well as enough space in some tablespace(s) to create my objects. That gives me enough to get going - I can create my users, grant them the access they need, and get started developing.
Situation:
Oracle 10g database migrated to 11g - users migrated
Migrated users who call utl_http.request(...) fail with error:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1722
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at line 8
We've created an ACL and added the users/host permissions (connect and resolve), and the users have execute permission to utl_http
Newly created users have no problems with the call once their ACL and execute permissions have been set
At least one migrated user, dba_monitor, is able to make the call (though that user has other, elevated permissions)
The only difference we've found between the accounts is in dba_user.password_versions... the new ones say 10g 11g, while the migrated ones say 10g.
We've tried changing the password for the accounts that can't make the call... this changed the password_versions to 10g 11g, but still no dice
Dropped and re-added the ACL permissions and grants a number of times, no success.
Does anyone know of known issues with migrating existing Oracle accounts, or have any thoughts on where we can look for more clues?
Thanks!
Update:
We went to another 11g instance and created a new user with the same name, CSS_WEB, and set permissions in the ACL. That user was also unable to connect. We created a new user, CSS_WEB1, and that user was ABLE to connect.
This has gotten really, really strange... at this point I'm not expecting answers, just ideas of where we can look.
Just trying a guess here:
Is it possible that the one user which is working is always the last one?
Because if you assigned the same host to multiple ACLs then only the last one will take effect
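To check the "last assignment wins" point above, here is an added diagnostic for Oracle 11g network ACLs (not from the thread). It assumes the host www.example.com and the ACL name www_acl.xml as placeholders; CSS_WEB is the user from the question.

```sql
-- Added example: find the one ACL that governs a host and test a principal against it.
-- Placeholders: www.example.com (host), www_acl.xml (ACL file name).

-- 1. Which ACL is assigned to the host/port range? In 11g, ASSIGN_ACL on a
--    host/port range that already has an ACL replaces the earlier assignment,
--    so exactly one row per host/port range is expected.
SELECT host, lower_port, upper_port, acl
  FROM dba_network_acls
 WHERE host = 'www.example.com';

-- 2. Principals and privileges on the ACL that actually covers the host.
--    Principal names are case-sensitive and must match the stored user name
--    (CSS_WEB, not css_web).
SELECT a.host, p.principal, p.privilege, p.is_grant, p.invert,
       p.start_date, p.end_date
  FROM dba_network_acls a
  JOIN dba_network_acl_privileges p ON p.acl = a.acl
 WHERE a.host = 'www.example.com';

-- 3. Ask the engine directly: 1 = granted, 0 = denied, NULL = not in the ACL.
SELECT dbms_network_acl_admin.check_privilege(a.acl, 'CSS_WEB', 'connect') AS can_connect,
       dbms_network_acl_admin.check_privilege(a.acl, 'CSS_WEB', 'resolve') AS can_resolve
  FROM dba_network_acls a
 WHERE a.host = 'www.example.com';

-- 4. If the user is missing from that ACL, add it there instead of creating
--    a second ACL for the same host (which would replace the first one).
BEGIN
  dbms_network_acl_admin.add_privilege(acl       => 'www_acl.xml',
                                       principal => 'CSS_WEB',
                                       is_grant  => TRUE,
                                       privilege => 'connect');
  dbms_network_acl_admin.add_privilege(acl       => 'www_acl.xml',
                                       principal => 'CSS_WEB',
                                       is_grant  => TRUE,
                                       privilege => 'resolve');
  COMMIT;
END;
/
```

Step 3 returning NULL for a user that "has" the privilege usually means the grant was made on a different ACL than the one shown in step 1.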
We resolved this as an OID-related problem.
Somehow, there were OID entries for these accounts, even though they were db local. When we removed the OID data for them, everything worked.
I know that it is possible to use "OS authentication" to authenticate Windows users in Oracle database. The process is basically passing current Windows user id to Oracle for authentication.
The question is - is it possible to authenticate a domain group in Oracle (as it is possible with SQL Server integrated security), so that there would be no need to create a separate database user for each domain member?
It is possible.
Oracle has a whitepaper on this, and here's a tutorial.
I don't think this is possible, but I would love to be proven wrong.