To add further, what I have read is that, on Windows NT, being able to edit the registry could allow one to change the ORA_PWFILE value and point to their own password file. Hence, access to the registry should be restricted.

Raj

Jared.Still@radisys.com
Sent by: root@fatcity.com
January 31, 2002 12:20 PM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: Re: OPS$

I just remembered why remote_os_authent was so insecure in v7 sqlnet v2: you could become SYSTEM just by setting USER_ID=SYSTEM in Oracle.ini, but the SYSTEM user did *not* need to be identified externally.

That's what was so insecure.

I've just been trying to see if any similar insecurities still exist. ( geez I love English :)

So far, no.

Jared

Jared Still <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/30/02 07:45 PM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: Re: OPS$

Sounds about right to me.

The security part, that is. :)

Jared

On Wednesday 30 January 2002 19:25, Seefelt, Beth wrote:
> I know I'm probably one of the few NT weenies on the list so I hope I don't
> get too much guff from the unix guys...
>
> Disabling remote_os_authent and using external authentication are not
> mutually exclusive, and it's not completely devoid of security in NT.
>
> Consider this configuration
>
> remote_os_authent=false
> osauth_prefix_domain=true
>
> sqlnet.authentication_services=(nts)
>
> Now I can create externally authenticated database accounts, prefixed with
> the domain name instead of OPS$. When they connect to the database Oracle
> will authenticate them via Kerberos or NTLM, so their password doesn't even
> have to be passed over the network. And they are authenticated by the
> domain, so creating a rogue server and creating a user account with the
> same name still isn't going to get you authenticated, unless you can set
> the password on the rogue machine to the same password as the domain
> account.
>
> Or am I living in a rose colored dream world?
>
> Beth
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 5:55 PM
> To: Multiple recipients of list ORACLE-L
>
> Well, yes, they can set their name to SYSTEM, SYS, SCOTT, whatever, and so
> long as your authentication demands an OPS$ or basically any other non null
> string of characters, who cares? OPS$SYSTEM is not going to wind up being
> a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL,
> then you've got a problem.
>
> The long and short of it is that the OPS security is only as good as the
> box it is serving. If you're on any computer with C level security or
> higher, there is nothing wrong with using OPS$ as you are using operating
> system level security. So, if, for example, you are using VMS, MVS, CDC,
> Cray, or anything us old folks might have used 10 years ago, OPS$ is
> terrific. If your operating system is making Bill Gates richer, you have
> no security to speak of.
>
> The question you want to ask yourself is how good is your front-end
> security?
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:26 PM
> To: Multiple recipients of list ORACLE-L
>
> Can you explain that? You have me scared now.
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:00 PM
> To: Multiple recipients of list ORACLE-L
>
> They can also set their username to 'SYSTEM'.
>
> Jared
>
> Rachel Carmichael <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 01/30/02 11:25 AM
> Please respond to ORACLE-L
>
> To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> cc:
> Subject: Re: OPS$
>
> anyone can name their pc "oracle" and then connect in if you set
> "remote_os_authent"
>
> --- "Smith, Ron L." <[EMAIL PROTECTED]> wrote:
> > Does anyone have any information on security problems using the OPS$
> > account?
> >
> > Ron
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Smith, Ron L.
> >   INET: [EMAIL PROTECTED]
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access / Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
--
Author: Jared Still
  INET: [EMAIL PROTECTED]
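
The settings discussed in this thread (remote_os_authent, the OPS$ prefix, and an externally identified DBA account such as the OPS$STILL case) can be checked mechanically. The following is an added example, not part of the original messages; the flat name=value input, the account tuples and the function names parse_settings and audit are assumptions made for illustration.

```python
# Added example, not from the thread. The flat name=value input format,
# the account tuples and all sample values are constructed for illustration.

def parse_settings(text):
    """Parse name=value lines into a dict; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().lower()] = value.strip().strip("\"'").lower()
    return settings

def audit(settings, accounts):
    """accounts: (username, identified_externally, has_dba) tuples.
    Returns a list of (code, detail) findings."""
    findings = []
    # Absent parameter: assume the Oracle defaults (FALSE and OPS$).
    remote = settings.get("remote_os_authent", "false") == "true"
    prefix = settings.get("os_authent_prefix", "ops$")
    if remote:
        findings.append(("REMOTE_OS_AUTHENT",
                         "server trusts the OS user name asserted by the client"))
    if prefix == "":
        findings.append(("EMPTY_PREFIX",
                         "OS user names map directly onto database user names"))
    for user, external, dba in accounts:
        # The OPS$STILL case from the thread: an externally identified DBA
        # is only as trustworthy as the machine vouching for the name.
        if external and dba and remote:
            findings.append(("EXTERNAL_DBA", user.upper()))
    return findings

WEAK = 'remote_os_authent = TRUE   # constructed sample\nos_authent_prefix = ""\n'
BETH = ("remote_os_authent=false\n"
        "osauth_prefix_domain=true\n"
        "sqlnet.authentication_services=(nts)\n")
ACCOUNTS = [("OPS$STILL", True, True),    # externally identified DBA
            ("OPS$SMITH", True, False),   # externally identified, no DBA
            ("SYSTEM", False, True)]      # password-authenticated DBA

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("Beth's settings", BETH)):
        print(label, audit(parse_settings(text), ACCOUNTS))
```

With the constructed weak settings the audit reports all three findings; with the settings quoted from Beth's message it reports none.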