My experience with NT security in an environment of any significant size is that it is a hopeless situation. In addition to dealing with admins on the box with the database, it seems that there is always an application support person or two that needs to administrator privs on that box too. Then there are the people that support multiple boxes, so they get domain admin privs.
I set the privs on Oracle files so that any administrator would at least have to take ownership of the files in order to delete them. Following strict file and directory naming conventions and teaching everyone to recognize sacred file name patterns helps. We even had certain drive letters throughout the domain that were reserved for Oracle stuff so that people would know which drive letters were danger zones. With all this in place, the only problems we experienced were due to the flakey disk clustering that the admins were using. File systems (or the NT equivalent thereof) had a habit of getting unmounted, and Oracle seems to take offense at files suddenly disappearing. I wasn't all that worried about people going in and deleting files. My biggest worry was that we automate a lot of jobs and a lot of monitoring with scripts. Some of these require information, (such as passwords) be put into files; files that I can't protect on NT. I never had a big problem with admins being administrator (or root on Unix), but on NT it seems that there are always people from development, or people from some department up on 10th floor, that "need" administrator on the box too in order to support some app. So now you have developers and people you don't even know about that, if they chose to do so, can go nosing around in your stuff. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephen Lee INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
