
Re: oracle authentication from windows

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Mon, 23 Jun 2003 03:42:59 -0700
Message-ID: <F001.005B76C1.20030623020937@fatcity.com>


Hi Beth,

See Aaron's book, page 196, second paragraph, for changing domain names on Win 95, 98 untrusted clients. Perhaps I wasn't clear; what I was saying is that it is possible to connect to the database from a PC that is not authenticated on the domain using an untrusted client.

Have a look at James Abendschan's tnscmd.pl script at http://www.jammed.com/~jwa/hacks/security/tnscmd and also Patrik Karlsson's site for his Oracle tools, http://www.cqure.net, to get some ideas.

cheers

Pete

In article <[EMAIL PROTECTED]>, Seefelt, Beth <[EMAIL PROTECTED]> writes
>
>Hi Pete,
>
>I don't think that's true about booting a PC with the same domain name
>that's not really part of the domain. Have you ever tried it? I'd be
>really interested if it works.
>
>I don't understand the part about booting into Linux and changing the
>username as it's sent. Isn't the only username passed / ? Or are you
>talking about poking things at the packet level to make sqlnet think the
>user is domain authenticated?
>
>Cheers,
>
>Beth
>
>-----Original Message-----
>Sent: Friday, June 20, 2003 6:49 PM
>To: Multiple recipients of list ORACLE-L
>
>
>Hi Beth
>
>OK, I get your point, but Arup was talking about automatic connections by
>setting remote_os_authent to true, where you can either set the prefix to
>OPS$ or use identified externally. For these connections the user should
>not be prefixed by the domain name in the database. On the other hand,
>using Windows NT authentication and prefixing with the domain name can
>be spoofed by using a client that is not trusted, such as Windows 95 or
>98, and setting the context to any domain you wish and adding the correct
>user. The other option is to insert a Linux bootable CD and alter the
>username as it is sent.
>
>I agree with you that use of the domain method is better, BUT the point
>I was trying to make is still valid. That is to ensure that any external
>account observes the least privilege principle.
>
>cheers
>
>Pete
>
>
>
>In article <[EMAIL PROTECTED]>, Seefelt, Beth
><[EMAIL PROTECTED]> writes
>>
>>I disagree. Remote OS authentication is not inherently insecure in
>>Windows like it is in Unix. If you prefix the account names with the
>>domain name, a user would not only have to spoof the username, he would
>>have to spoof the domain name too. At that point, you probably have
>>bigger problems than access to your database. Also, in that situation,
>>only the security token is going over the network, not your password in
>>clear text. The caveat is that you should be using the *domain name*
>>as the prefix, not OPS$.
>>
>>-----Original Message-----
>>Sent: Friday, June 20, 2003 6:20 AM
>>To: Multiple recipients of list ORACLE-L
>>
>>
>>Hi Arup,
>>
>>Remote OS authentication, whether with OPS$ or not, is still a risk. You
>>are intimating that SYSTEM is the only risky account involved here.
>>What if any of the newly created OPS$ accounts have useful privileges?
>>I have seen a similar application to the one described recently. There
>>were forms within the application for administration and user
>>management (in Oracle, not the application) and the users who had
>>access to these were assigned the DBA role and were of course external
>>accounts.
>>
>>I think what you should add to your comment that the issue is
>>overrated is that any OPS$ / external accounts should not have any
>>dangerous privileges granted and certainly not DBA. If you can guess
>>the name of an admin account, even if it's OPS$, then the issue is still
>>severe.
>>
>>cheers
>>
>>Pete
>>
>>--
>>Pete Finnigan
>>email:[EMAIL PROTECTED]
>>Web site: http://www.petefinnigan.com - Oracle security audit
>>specialists
>>Book:Oracle security step-by-step Guide - see http://store.sans.org for
>>details.
>>
>>--
>>Please see the official ORACLE-L FAQ: http://www.orafaq.net
>>--
>>Author: Pete Finnigan
>> INET: [EMAIL PROTECTED]
>>
>>Fat City Network Services -- 858-538-5051 http://www.fatcity.com
>>San Diego, California -- Mailing list and web hosting services
>>---------------------------------------------------------------------
>>To REMOVE yourself from this mailing list, send an E-Mail message
>>to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the
>>message BODY, include a line containing: UNSUB ORACLE-L (or the name of
>>mailing list you want to be removed from). You may also send the HELP
>>command for other information (like subscribing).
>>--
>>Please see the official ORACLE-L FAQ: http://www.orafaq.net
>

-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

Received on Mon Jun 23 2003 - 05:42:59 CDT
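
An added example, not part of the original thread: one way to audit the least-privilege point discussed above, by listing externally identified accounts and the roles and system privileges they hold. It assumes the standard Oracle dictionary views and that the auditor can select from them; the choice of which privileges to flag is an assumption made for this example.

```sql
-- Added example: least-privilege audit of externally authenticated accounts.
-- Run as a user with SELECT on V$PARAMETER and the DBA_* views.

-- 1. Is remote OS authentication enabled, and which prefix is in use?
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Accounts created IDENTIFIED EXTERNALLY. DBA_USERS.PASSWORD holds the
--    literal 'EXTERNAL' for them; on 11g and later the documented filter
--    is AUTHENTICATION_TYPE = 'EXTERNAL'.
SELECT username, account_status, created
FROM   dba_users
WHERE  password = 'EXTERNAL'
ORDER  BY username;

-- 3. Every role those accounts hold, directly or through nested roles.
--    A row with GRANTED_ROLE = 'DBA' is the case described in the thread.
--    CONNECT_BY_ROOT requires Oracle 10g or later.
SELECT DISTINCT CONNECT_BY_ROOT grantee AS account, granted_role
FROM   dba_role_privs
START  WITH grantee IN (SELECT username
                        FROM   dba_users
                        WHERE  password = 'EXTERNAL')
CONNECT BY PRIOR granted_role = grantee
ORDER  BY account, granted_role;

-- 4. System privileges granted directly to external accounts that are
--    broad (the "... ANY ..." family) or can be passed on (ADMIN OPTION).
--    This filter is an illustrative choice, not an exhaustive list.
SELECT s.grantee, s.privilege, s.admin_option
FROM   dba_sys_privs s
WHERE  s.grantee IN (SELECT username
                     FROM   dba_users
                     WHERE  password = 'EXTERNAL')
AND   (s.privilege LIKE '% ANY %' OR s.admin_option = 'YES')
ORDER  BY s.grantee, s.privilege;
```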
