i can just see it now, user ids generated by the security group, there must be lots of little yellow stickers on everyone's pc :)
>>> [EMAIL PROTECTED] 01/31/02 10:25AM >>> Stephane, Thanks. Yes, we are properly fenced.... None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated & approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns. Cheers ! - Kirti -----Original Message----- Sent: Thursday, January 31, 2002 2:20 AM To: Multiple recipients of list ORACLE-L "Deshpande, Kirti" wrote: > > We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do > this, but we have to, and that's another topic... > > We also use a specific auth prefix. > > Now, can someone show me how a Windoze user, 'GOD' get in the database when > I do not have a user, '<Auth_Prefix>GOD' in my database. > > I say, I have nothing to worry about this setup as long as 'GOD' user in my > database is controlled appropriately via roles, grants, profile etc.... > > Sure, if I had <auth_prefix>GOD in the database, I will be looking for > another job.... > Right? > > - Kirti > The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information. -- Regards, Stephane Faroult Oriole Ltd -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Deshpande, Kirti INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Gene Sais INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).