Hi Beth,

See in Aaron's book page 196, second paragraph for changing domain names on Win 95/98 untrusted clients. Perhaps I wasn't clear; what I was saying is that it is possible to connect to the database from a PC that is not authenticated on the domain using an untrusted client.

Have a look at James Abendschan's tnscmd.pl script at http://www.jammed.com/~jwa/hacks/security/tnscmd and also Patrik Karlsson's site for his Oracle tools http://www.cqure.net to get some ideas.

cheers

Pete

In article <[EMAIL PROTECTED]>, Seefelt, Beth <[EMAIL PROTECTED]> writes
>
>Hi Pete,
>
>I don't think that's true about booting a PC with the same domain name that's not really part of the domain. Have you ever tried it? I'd be really interested if it works.
>
>I don't understand the part about booting into Linux and changing the username as it's sent. Isn't the only username passed / ? Or are you talking about poking things at the packet level to make sqlnet think the user is domain authenticated?
>
>Cheers,
>
>Beth
>
>-----Original Message-----
>Sent: Friday, June 20, 2003 6:49 PM
>To: Multiple recipients of list ORACLE-L
>
>
>Hi Beth
>
>OK, I get your point but Arup was talking about automatic connections by setting remote_os_authent to true where you can either set the prefix to OPS$ or use identified externally. For these connections the user should not be prefixed by the domain name in the database. On the other hand using Windows NT authentication and prefixing with the domain name can be spoofed by using a client that is not trusted such as Windows 95 or 98 and setting the context to any domain you wish and adding the correct user. The other option is to insert a Linux bootable CD and alter the username as it is sent.
>
>I agree with you that use of the domain method is better, BUT the point I was trying to make is still valid. That is to ensure that any external account observes the least privilege principle.
>
>cheers
>
>Pete
>
>
>
>In article <[EMAIL PROTECTED]>, Seefelt, Beth <[EMAIL PROTECTED]> writes
>>
>>I disagree. Remote OS authentication is not inherently insecure in Windows like it is in Unix. If you prefix the account names with the domain name, a user would not only have to spoof the username, he would have to spoof the domain name too. At that point, you probably have bigger problems than access to your database. Also, in that situation, only the security token is going over the network, not your password in clear text. The caveat is that you should be using the *domain name* as the prefix, not OPS$.
>>
>>-----Original Message-----
>>Sent: Friday, June 20, 2003 6:20 AM
>>To: Multiple recipients of list ORACLE-L
>>
>>
>>Hi Arup,
>>
>>Remote OS authentication whether with OPS$ or not is still a risk. You are intimating that SYSTEM is the only risky account involved here. What if any of the newly created OPS$ accounts have useful privileges? I have seen a similar application to the one described recently. There were forms within the application for administration and user management (in Oracle, not the application) and the users who had access to these were assigned the DBA role and were of course external accounts.
>>
>>I think what you should add to your comment that the issue is overrated is that any OPS$ / external accounts should not have any dangerous privileges granted and certainly not DBA. If you can guess the name of an admin account even if it's OPS$ then the issue is still severe.
>>
>>cheers
>>
>>Pete
>>
>>--
>>Pete Finnigan
>>email:[EMAIL PROTECTED]
>>Web site: http://www.petefinnigan.com - Oracle security audit specialists
>>Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
>>
>>--
>>Please see the official ORACLE-L FAQ: http://www.orafaq.net
>>--
>>Author: Pete Finnigan
>>  INET: [EMAIL PROTECTED]
>>
>>Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
>>San Diego, California        -- Mailing list and web hosting services
>>---------------------------------------------------------------------
>>To REMOVE yourself from this mailing list, send an E-Mail message
>>to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the
>>message BODY, include a line containing: UNSUB ORACLE-L (or the name of
>>mailing list you want to be removed from). You may also send the HELP
>>command for other information (like subscribing).
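An audit a DBA could run to check the three points argued in this thread: whether remote_os_authent is on and what prefix the instance expects, which externally identified accounts use the generic OPS$ prefix rather than a domain prefix, and which of them hold DBA-level grants. This is an added example, not code from any of the list posts; it assumes an 8i/9i data dictionary in which DBA_USERS.PASSWORD reads 'EXTERNAL' for IDENTIFIED EXTERNALLY accounts (on 11g and later use AUTHENTICATION_TYPE = 'EXTERNAL' instead) and a session with SELECT on the DBA_* views and V$PARAMETER.

```sql
-- 1. Instance configuration: is remote OS authentication enabled, and what
--    prefix (default OPS$) does the database expect in front of OS user names?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every externally identified account, classified by naming scheme.
--    OPS$ names depend only on the client-supplied OS user name; domain
--    prefixed names (DOMAIN\USER) are what Beth recommends instead.
--    PASSWORD = 'EXTERNAL' is the 8i/9i marker (assumption: pre-11g dictionary).
SELECT username,
       CASE
         WHEN username LIKE 'OPS$%'    THEN 'OPS$ prefix'
         WHEN INSTR(username, '\') > 0 THEN 'domain-prefixed'
         ELSE 'no prefix'
       END AS naming_scheme
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- 3. Externally identified accounts holding DBA or other powerful grants.
--    Any row returned here is exactly the least-privilege violation Pete
--    describes (external accounts that were handed the DBA role).
SELECT u.username, 'ROLE' AS grant_type, r.granted_role AS granted, r.admin_option
  FROM dba_users u, dba_role_privs r
 WHERE r.grantee = u.username
   AND u.password = 'EXTERNAL'
   AND r.granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
UNION ALL
SELECT u.username, 'SYSPRIV', s.privilege, s.admin_option
  FROM dba_users u, dba_sys_privs s
 WHERE s.grantee = u.username
   AND u.password = 'EXTERNAL'
   AND (s.privilege LIKE '%ANY%'
        OR s.privilege IN ('ALTER USER', 'CREATE USER', 'DROP USER',
                           'ALTER SYSTEM', 'BECOME USER'))
 ORDER BY 1, 2, 3;
```

Query 3 only sees direct grants; a DBA role reached through another role is not followed, so check ROLE_ROLE_PRIVS for the roles it reports before concluding an external account is harmless.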
