what a concept... changing production passwords!

hm, I knew I liked your company as my phone provider :)


--- "Deshpande, Kirti" <[EMAIL PROTECTED]> wrote:
> Stephane,
>  Thanks. Yes, we are properly fenced....
>  None of the databases have those default accounts with default passwords.
> We do not use OEM and that agent. Passwords of critical accounts get changed
> regularly and often. Database user ids are generated & approved by the Data
> Security group before DBAs can add them to databases (so others do not know
> and cannot guess who has what id), and they request reports of access
> privileges when least expected.
>  So, it's all how you manage your setup. When I joined this company I was
> going nuts about such things (remote_os_authent, default links by virtue of
> Oracle Names etc), but as I learned the environment I was comfortable. And
> it is helping us more than creating problems and concerns.
> 
> Cheers !
> 
> - Kirti 
> 
> -----Original Message-----
> Sent: Thursday, January 31, 2002 2:20 AM
> To: Multiple recipients of list ORACLE-L
> 
> 
> "Deshpande, Kirti" wrote:
> > 
> > We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do
> > this, but we have to, and that's another topic...
> > 
> > We also use a specific auth prefix.
> > 
> > Now, can someone show me how a Windoze user, 'GOD', gets into the database
> > when I do not have a user '<Auth_Prefix>GOD' in my database.
> > 
> > I say I have nothing to worry about with this setup as long as the 'GOD'
> > user in my database is controlled appropriately via roles, grants, profile
> > etc....
> > 
> > Sure, if I had <auth_prefix>GOD in the database, I will be looking for
> > another job....
> > Right?
> > 
> > - Kirti
> > 
> 
> The problem as I see it is that it's fairly easy to get the names of
> users on a database. The number of databases you can connect to using
> dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can
> query ALL_USERS. I must say that I am truly hopeless with any Microsoft
> OS, so you could safely leave me with admin rights on the box when I feel
> at my most mischievous. But imagine I come with Linux on my laptop, plug
> (like many 'nomad' users often do) into your network, manage to connect
> (as a less-than-nothing user), check the user list, spot something
> looking like a prefix, and use this information to add with linuxconf a
> suitably named account to my machine? I am certain that in your case
> everything is correctly fenced, but I have met many many many databases
> where the standard in terms of grants was 'TO PUBLIC', and where database
> links were PUBLIC as well, and usually connected to the other database as
> the owner of most tables (even as DBA).
> IMHO, if you really want to be secure, you must first know Oracle and
> your environment well, and also audit sensitive information.
> 
> -- 
> Regards,
> 
> Stephane Faroult
> Oriole Ltd
> -- 
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> -- 
> Author: Stephane Faroult
>   INET: [EMAIL PROTECTED]
> 
> -- 
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> -- 
> Author: Deshpande, Kirti
>   INET: [EMAIL PROTECTED]
> 
> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> San Diego, California        -- Public Internet access / Mailing
> Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from).  You may
> also send the HELP command for other information (like subscribing).


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Rachel Carmichael
  INET: [EMAIL PROTECTED]
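An added audit script, not from anyone in this thread, that a DBA can run in SQL*Plus to check the exposures Stephane and Kirti discuss (REMOTE_OS_AUTHENT plus prefix-named OS-authenticated users, the dbsnmp/outln default accounts, PUBLIC database links and grants TO PUBLIC). It assumes a DBA-privileged session on an Oracle release of that era, where DBA_USERS.PASSWORD reads 'EXTERNAL' for externally identified users; later releases expose an AUTHENTICATION_TYPE column for the same check.

```sql
-- Assumed: run as SYS or a user with SELECT ANY DICTIONARY.

-- 1. Is remote OS authentication enabled, and which prefix is in use?
--    With remote_os_authent = TRUE, the client machine supplies the OS
--    username, so every user below is reachable with no database password.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Externally identified users whose name carries the prefix.
--    An empty prefix makes the LIKE match every external user, which is
--    exactly the set at risk in that configuration.
SELECT u.username, u.account_status, u.created, u.profile
  FROM dba_users u, v$parameter p
 WHERE p.name = 'os_authent_prefix'
   AND u.password = 'EXTERNAL'
   AND u.username LIKE UPPER(p.value) || '%'
 ORDER BY u.username;

-- 3. The default accounts named in the thread: are they still open?
--    Anything not LOCKED here should be locked or given a new password.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE username IN ('DBSNMP', 'OUTLN');

-- 4. PUBLIC database links, with the remote account each one connects as.
--    A link owned by PUBLIC that logs in as a table owner or DBA hands
--    that remote access to every user of this database.
SELECT db_link, username, host
  FROM dba_db_links
 WHERE owner = 'PUBLIC';

-- 5. Object privileges granted TO PUBLIC outside the SYS/SYSTEM schemas.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, privilege;
```

Each result set should be empty or fully accounted for; a row in query 2 combined with remote_os_authent = TRUE in query 1 is the case Stephane describes.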
