To add further, what I have read is, on Windows NT, being able to edit the
registry, could allow one to change the ORA_PWFILE value, and point to
their own password file. Hence, access to the registry should be restricted.

Raj





                                                                                       
                             
Jared.Still@radisys.com
Sent by: root@fatcity.com
January 31, 2002 12:20 PM
Please respond to ORACLE-L

        To:     Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
        cc:
        Subject:        Re: OPS$




I just remembered why remote_os_authent was so insecure
in v7 sqlnet v2:  you could become SYSTEM just by setting
USER_ID=SYSTEM in Oracle.ini, but the SYSTEM user
did *not* need to be identified externally.

That's what was so insecure.  I've just been trying to see if
any similar insecurities still exist. ( geez I love English :)

So far, no.

Jared





Jared Still <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/30/02 07:45 PM
Please respond to ORACLE-L


        To:     Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
        cc:
        Subject:        Re: OPS$



Sounds about right to me.

The security part, that is.  :)

Jared

On Wednesday 30 January 2002 19:25, Seefelt, Beth wrote:
> I know I'm probably one of the few NT weenies on the list so I hope I don't
> get too much guff from the unix guys...
>
> Disabling remote_os_authent and using external authentication are not
> mutually exclusive, and it's not completely devoid of security in NT.
>
> Consider this configuration
>
> remote_os_authent=false
> osauth_prefix_domain=true
>
> sqlnet.authentication_services=(nts)
>
> Now I can create externally authenticated database accounts, prefixed with
> the domain name instead of OPS$.  When they connect to the database Oracle
> will authenticate them via Kerberos or NTLM, so their password doesn't even
> have to be passed over the network.  And they are authenticated by the
> domain, so creating a rogue server and creating a user account with the
> same name still isn't going to get you authenticated, unless you can set
> the password on the rogue machine to the same password as the domain
> account.
>
> Or am I living in a rose colored dream world?
>
> Beth
>
>
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 5:55 PM
> To: Multiple recipients of list ORACLE-L
>
>
> Well, yes, they can set their name to SYSTEM, SYS, SCOTT, whatever, and so
> long as your authentication demands an OPS$ or basically any other non null
> string of characters, who cares?  OPS$SYSTEM is not going to wind up being
> a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL,
> then you've got a problem.
>
> The long and short of it is that the OPS security is only as good as the
> box it is serving.  If you're on any computer with C level security or
> higher, there is nothing wrong with using OPS$ as you are using operating
> system level security.  So, if, for example, you are using VMS, MVS, CDC,
> Cray, or anything us old folks might have used 10 years ago, OPS$ is
> terrific.  If your operating system is making Bill Gates richer, you have
> no security to speak of.
>
> The question you want to ask yourself is how good is your front-end
> security?
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:26 PM
> To: Multiple recipients of list ORACLE-L
>
> Can you explain that?  You have me scared now.
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:00 PM
> To: Multiple recipients of list ORACLE-L
>
>
> They can also set their username to 'SYSTEM'.
>
> Jared
>
>
>
>
>
> Rachel Carmichael <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 01/30/02 11:25 AM
> Please respond to ORACLE-L
>
>
>         To:     Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
>         cc:
>         Subject:        Re: OPS$
>
>
> anyone can name their pc "oracle" and then connect in if you set
> "remote_os_authent"
>
> --- "Smith, Ron L." <[EMAIL PROTECTED]> wrote:
> > Does anyone have any information on security problems using the OPS$
> > account?
> >
> > Ron
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Smith, Ron L.
> >   INET: [EMAIL PROTECTED]
> >
> > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> > San Diego, California        -- Public Internet access / Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from).  You may
> > also send the HELP command for other information (like subscribing).
>
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Jared Still
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
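
An added example, not part of any message in this thread: a small Python audit of the settings the posters discuss (remote_os_authent, the OPS$ prefix, sqlnet.authentication_services, and DBA-privileged external accounts). The sample files and account list are constructed, and os_authent_prefix is the standard parameter behind the OPS$ prefix rather than a name quoted in the thread.

```python
import re

# Constructed sample files; parameter names are the ones quoted in the thread,
# plus os_authent_prefix (assumption: the parameter that supplies the OPS$ prefix).
INIT_ORA = """
# constructed init.ora fragment
remote_os_authent = TRUE
os_authent_prefix = ""
"""
SQLNET_ORA = """
# constructed sqlnet.ora fragment
sqlnet.authentication_services = (none)
"""
# Constructed (username, granted roles) pairs for externally identified accounts.
EXTERNAL_USERS = [("OPS$STILL", {"DBA"}), ("OPS$BATCH", {"CONNECT"})]

def parse_params(text):
    """Parse name=value lines, ignoring # comments; names are lower-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.$]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return params

def audit(init_text, sqlnet_text, external_users):
    """Return findings for the weaknesses the thread describes."""
    init, net = parse_params(init_text), parse_params(sqlnet_text)
    findings = []
    if init.get("remote_os_authent", "false").lower() == "true":
        findings.append("remote_os_authent=true: client-asserted OS user name is trusted")
        # Default prefix is OPS$; an explicitly empty one removes the non-null string.
        if init.get("os_authent_prefix", "OPS$") == "":
            findings.append("os_authent_prefix is empty: OS name maps straight to an account")
        for user, roles in external_users:
            if "DBA" in roles:
                findings.append(f"{user}: externally identified account holds DBA")
    services = re.findall(r"\w+", net.get("sqlnet.authentication_services", "").lower())
    if "nts" not in services:
        findings.append("sqlnet.authentication_services lacks nts: not the NT setup quoted above")
    return findings

if __name__ == "__main__":
    for finding in audit(INIT_ORA, SQLNET_ORA, EXTERNAL_USERS):
        print(finding)
```
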


