I know I'm probably one of the few NT weenies on the list so I hope I don't get too 
much guff from the unix guys...

Disabling remote_os_authent and using external authentication are not mutually 
exclusive, and it's not completely devoid of security in NT.

Consider this configuration

remote_os_authent=false
osauth_prefix_domain=true

sqlnet.authentication_services=(nts)

Now I can create externally authenticated database accounts, prefixed with the domain 
name instead of OPS$.  When they connect to the database Oracle will authenticate them 
via Kerberos or NTLM, so their password doesn't even have to be passed over the 
network.  And they are authenticated by the domain, so creating a rogue server and 
creating a user account with the same name still isn't going to get you authenticated, 
unless you can set the password on the rogue machine to the same password as the 
domain account.

Or am I living in a rose-colored dream world?

Beth
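
The configuration in the message above, checked against a collected settings file. This is an added example, not part of the original post. It assumes the three settings have been gathered into one name=value text; the function names and sample files are constructed here, and an absent setting is reported rather than given an assumed default.

```python
import re

# The three settings from the message above, with the values it gives.
EXPECTED = {
    "remote_os_authent": "false",
    "osauth_prefix_domain": "true",
    "sqlnet.authentication_services": "(nts)",
}

def parse_settings(text):
    """Parse name=value lines; '#' starts a comment; names are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Normalise: drop all whitespace and lowercase, so "( NTS )" == "(nts)".
        settings[name.strip().lower()] = re.sub(r"\s+", "", value).lower()
    return settings

def audit(text):
    """Return (setting, found, expected) for every deviation from EXPECTED."""
    found = parse_settings(text)
    findings = []
    for name, want in EXPECTED.items():
        have = found.get(name)  # None means the setting is absent
        if name == "sqlnet.authentication_services":
            # The value is a list; it passes if nts is one of the services.
            ok = have is not None and "nts" in have.strip("()").split(",")
        else:
            ok = have == want
        if not ok:
            findings.append((name, have, want))
    return findings

# Constructed sample: trusts whatever OS user name the client reports.
WEAK = """REMOTE_OS_AUTHENT = TRUE   # client-asserted identity is accepted
sqlnet.authentication_services = (none)
"""

# Constructed sample: the settings exactly as listed in the message.
HARDENED = """remote_os_authent=false
osauth_prefix_domain=true
sqlnet.authentication_services=(nts)
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```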



-----Original Message-----
Sent: Wednesday, January 30, 2002 5:55 PM
To: Multiple recipients of list ORACLE-L


Well, yes, they can set their name to SYSTEM, SYS, SCOTT, whatever, and so
long as your authentication demands an OPS$ or basically any other non-null
string of characters, who cares?  OPS$SYSTEM is not going to wind up being a
DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL, then
you've got a problem.  

The long and short of it is that the OPS security is only as good as the box
it is serving.  If you're on any computer with C level security or higher,
there is nothing wrong with using OPS$ as you are using operating system
level security.  So, if, for example, you are using VMS, MVS, CDC, Cray, or
anything us old folks might have used 10 years ago, OPS$ is terrific.  If
your operating system is making Bill Gates richer, you have no security to
speak of.  

The question you want to ask yourself is how good is your front-end
security?

-----Original Message-----
Sent: Wednesday, January 30, 2002 4:26 PM
To: Multiple recipients of list ORACLE-L

Can you explain that?  You have me scared now.

-----Original Message-----
Sent: Wednesday, January 30, 2002 4:00 PM
To: Multiple recipients of list ORACLE-L


They can also set their username to 'SYSTEM'.

Jared





Rachel Carmichael <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/30/02 11:25 AM
Please respond to ORACLE-L

 
        To:     Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
        cc: 
        Subject:        Re: OPS$


Anyone can name their PC "oracle" and then connect in if you set
"remote_os_authent".


--- "Smith, Ron L." <[EMAIL PROTECTED]> wrote:
> Does anyone have any information on security problems using the OPS$
> account? 
> 
> Ron
> -- 
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> -- 
> Author: Smith, Ron L.
>   INET: [EMAIL PROTECTED]
> 
> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> San Diego, California        -- Public Internet access / Mailing
> Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from).  You may
> also send the HELP command for other information (like subscribing).


Author: Rachel Carmichael
Author: Smith, Ron L.
Author: Bellows, Bambi
Author: Seefelt, Beth