Beth when the whole setup uses a workgroup and people log into their local machines rather than being authenticated by a domain server?
----- Original Message -----
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 03:34
:
: No, that's not true. It actually uses your NT security token to
: validate that you are authenticated in the domain. You can't just give
: a rogue PC the same domain name, boot it up, and log into the database
: with external authentication. The PC would have to be a domain member,
: which means you have to have the domain admin password to join the
: domain, along with the user's password so that you could log into the
: domain as them. The same is not true if you use another prefix such as
: OPS$.
:
: -----Original Message-----
: Sent: Friday, June 20, 2003 4:00 PM
: To: Multiple recipients of list ORACLE-L
:
: Beth,
:
: You are right in stating that OPS$ accounts are not inherently insecure.
:
: How is the inclusion of domain name any more secure than using OPS$?
: Granted, the hacker has to guess the domain name in addition to user
: name, but so is using any other prefix other than OPS$.
:
: Besides if the users are not static, the domain names will be different.
: How will you address that issue? For instance, your domain name is
: MYCODOMAIN1 and your windows userid is mycodomain1\bseefelt, so the
: Oracle userid, as you propose should be "mydomain\bseeth". If you login
: to another domain, say, MYDOMAIN2, this account is no longer valid. So,
: I would say, mixing domains with username may not be a good idea, unless
: of course you have a single domain.
:
: Arup
:
: ----- Original Message -----
: To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
: Sent: Friday, June 20, 2003 10:10 AM
:
: > I disagree. Remote OS authentication is not inherently insecure in
: > Windows like it is in Unix. If you prefix the account names with the
: > domain name, a user would not only have to spoof the username, he
: > would have to spoof the domain name too. At that point, you probably
: > have bigger problems than access to your database. Also, in that
: > situation, only the security token is going over the network, not your
: > password in clear text. The caveat is that you should be using the
: > *domain name* as the prefix, not OPS$.
: >
: > -----Original Message-----
: > Sent: Friday, June 20, 2003 6:20 AM
: > To: Multiple recipients of list ORACLE-L
: >
: > Hi Arup,
: >
: > Remote OS authentication whether with OPS$ or not is still a risk. You
: > are intimating that SYSTEM is the only risky account involved here.
: > What if any of the newly created OPS$ accounts have useful privileges.
: > I have seen a similar application to the one described recently. There
: > were forms within the application for administration and user
: > management (in oracle, not the application) and the users who had
: > access to these were assigned the DBA role and were of course external
: > accounts.
: >
: > I think what you should add to your comment is that the issue is
: > overrated is that any OPS$ / external accounts should not have any
: > dangerous privileges granted and certainly not DBA. If you can guess
: > the name of an admin account even if it's OPS$ then the issue is still
: > severe.
: >
: > cheers
: >
: > Pete
: >
: > --
: > Pete Finnigan
: > email:[EMAIL PROTECTED]
: > Web site: http://www.petefinnigan.com - Oracle security audit
: > specialists Book:Oracle security step-by-step Guide - see
: > http://store.sans.org for details.
: >
: > --
: > Please see the official ORACLE-L FAQ: http://www.orafaq.net
: > --
: > Author: Pete Finnigan
: > INET: [EMAIL PROTECTED]
: >
: > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
: > San Diego, California -- Mailing list and web hosting services
: > ---------------------------------------------------------------------
: > To REMOVE yourself from this mailing list, send an E-Mail message
: > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
: > the message BODY, include a line containing: UNSUB ORACLE-L (or the
: > name of mailing list you want to be removed from). You may also send
: > the HELP command for other information (like subscribing).
: > --
: > Author: Seefelt, Beth
:
: --
: Author: Arup Nanda
: --
: Author: Seefelt, Beth
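
Added example, not part of the original thread: an audit query for the condition Pete describes, externally authenticated accounts that hold DBA or other powerful privileges. It assumes a session with access to the DBA_* views and a release where DBA_USERS has the AUTHENTICATION_TYPE column (11g and later); the list of privileges treated as dangerous is an illustrative choice.

```sql
-- Added example: audit of externally authenticated Oracle accounts.
-- Assumption: DBA_USERS.AUTHENTICATION_TYPE exists (11g+). On older
-- releases, externally identified accounts show PASSWORD = 'EXTERNAL'.

-- 1. Is remote OS authentication enabled, and which prefix is in use?
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. External accounts with the DBA role granted directly, or with
--    broad system privileges. Roles granted through other roles are
--    not expanded here.
SELECT u.username,
       u.account_status,
       'ROLE'         AS grant_type,
       r.granted_role AS granted
FROM   dba_users u
JOIN   dba_role_privs r ON r.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
AND    r.granted_role = 'DBA'
UNION ALL
SELECT u.username,
       u.account_status,
       'SYS PRIVILEGE',
       s.privilege
FROM   dba_users u
JOIN   dba_sys_privs s ON s.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
AND    (   s.privilege LIKE '% ANY %'   -- e.g. SELECT ANY TABLE, GRANT ANY ROLE
        OR s.privilege IN ('ALTER USER', 'CREATE USER', 'ALTER SYSTEM'))
ORDER  BY 1, 3, 4;
```

Any row from the second query on a system where the first shows remote_os_authent = TRUE is an account whose privileges depend only on the client machine's claim about who is logged in.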
