Re: oracle authentication from windows
Beth when the whole setup uses a workgroup and people log into their
local machines rather than being authenticated by a domain server?
:
: No, that's not true. It actually uses your NT security token to
: validate that you are authenticated in the domain. You can't just give
: a rogue PC the same domain name, boot it up, and log into the database
: with external authentication. The PC would have to be a domain member,
: which means you have to have the domain admin password to join the
: domain, along with the user's password so that you could log into the
: domain as them. The same is not true if you use another prefix such as
: OPS$.
:
:
: -----Original Message-----
: Sent: Friday, June 20, 2003 4:00 PM
: To: Multiple recipients of list ORACLE-L
:
:
: Beth,
:
: You are right in stating that OPS$ accounts are not inherently insecure.
:
: How is the inclusion of the domain name any more secure than using OPS$?
: Granted, the hacker has to guess the domain name in addition to the user
: name, but so does using any other prefix than OPS$.
:
: Besides, if the users are not static, the domain names will be different.
: How will you address that issue? For instance, your domain name is
: MYCODOMAIN1 and your Windows userid is mycodomain1\bseefelt, so the
: Oracle userid, as you propose, should be "mydomain\bseeth". If you login
: to another domain, say, MYDOMAIN2, this account is no longer valid. So,
: I would say, mixing domains with username may not be a good idea, unless
: of course you have a single domain.
:
: Arup
:
:
: ----- Original Message -----
: To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
: Sent: Friday, June 20, 2003 10:10 AM
:
:
: >
: > I disagree. Remote OS authentication is not inherently insecure in
: > Windows like it is in Unix. If you prefix the account names with the
: > domain name, a user would not only have to spoof the username, he
: > would have to spoof the domain name too. At that point, you probably
: > have bigger problems than access to your database. Also, in that
: > situation, only the security token is going over the network, not your
: > password in clear text. The caveat is that you should be using the
: > *domain name* as the prefix, not OPS$.
: >
: > -----Original Message-----
: > Sent: Friday, June 20, 2003 6:20 AM
: > To: Multiple recipients of list ORACLE-L
: >
: >
: > Hi Arup,
: >
: > Remote OS authentication, whether with OPS$ or not, is still a risk. You
: > are intimating that SYSTEM is the only risky account involved here.
: > What if any of the newly created OPS$ accounts have useful privileges?
: > I have seen a similar application to the one described recently. There
: > were forms within the application for administration and user
: > management (in Oracle, not the application) and the users who had
: > access to these were assigned the DBA role and were of course external
: > accounts.
: >
: > I think what you should add to your comment that the issue is
: > overrated is that any OPS$ / external accounts should not have any
: > dangerous privileges granted, and certainly not DBA. If you can guess
: > the name of an admin account, even if it's OPS$, then the issue is still
: > severe.
: >
: > cheers
: >
: > Pete
: >
: > --
: > Pete Finnigan
: > email:[EMAIL PROTECTED]
: > Web site: http://www.petefinnigan.com - Oracle security audit
: > specialists Book:Oracle security step-by-step Guide - see
: > http://store.sans.org for details.
: >
: > --
: > Please see the official ORACLE-L FAQ: http://www.orafaq.net
: > --
: > Author: Pete Finnigan
: > INET: [EMAIL PROTECTED]
: >
: > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
: > San Diego, California -- Mailing list and web hosting services
: > ---------------------------------------------------------------------

Received on Mon Jun 23 2003 - 00:31:26 CDT
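The thread argues three things: that the Windows domain should be the prefix rather than OPS$, that a domain-prefixed account only matches one domain (Arup's objection), and that external accounts must never carry DBA or user-management privileges (Pete's point). The following SQL is an added example written for this page, not code posted by anyone in the thread. It assumes an Oracle database of the era discussed (8i/9i, where DBA_USERS.PASSWORD reads 'EXTERNAL' for externally identified users; on 11g and later use DBA_USERS.AUTHENTICATION_TYPE = 'EXTERNAL' instead), that OS_AUTHENT_PREFIX has been set to the empty string and the Windows registry value OSAUTH_PREFIX_DOMAIN is TRUE so that the OS-supplied name arrives as DOMAIN\user, and it reuses Arup's hypothetical MYCODOMAIN1 / bseefelt names.

```sql
-- Added example, not from the thread. Assumes OS_AUTHENT_PREFIX = ''
-- and OSAUTH_PREFIX_DOMAIN = TRUE on the Windows server, so the name
-- Oracle receives from the OS is DOMAIN\USER in upper case.
-- MYCODOMAIN1 / BSEEFELT are the hypothetical values from Arup's post.

-- 1. Confirm the two init parameters that govern remote OS
--    authentication. OS_AUTHENT_PREFIX defaults to 'OPS$'; the approach
--    in the thread sets it to '' so the domain itself becomes the prefix.
--    REMOTE_OS_AUTHENT = TRUE is what makes the whole discussion apply.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Create the externally identified user with the domain in its name.
--    The identifier must be quoted because of the backslash. Oracle
--    compares the whole string, so a logon from MYDOMAIN2\BSEEFELT does
--    not match this account (Arup's multi-domain objection).
CREATE USER "MYCODOMAIN1\BSEEFELT" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "MYCODOMAIN1\BSEEFELT";

-- 3. Pete's check: list every externally identified account together
--    with any dangerous role or system privilege it holds. An empty
--    result is the desired state; any row is an account whose name is
--    all an attacker needs to guess.
SELECT u.username,
       r.granted_role,
       p.privilege
  FROM dba_users u
  LEFT JOIN dba_role_privs r ON r.grantee = u.username
  LEFT JOIN dba_sys_privs  p ON p.grantee = u.username
 WHERE u.password = 'EXTERNAL'          -- 11g+: u.authentication_type = 'EXTERNAL'
   AND (r.granted_role = 'DBA'
        OR p.privilege IN ('ALTER USER', 'CREATE USER', 'DROP USER',
                           'GRANT ANY ROLE', 'GRANT ANY PRIVILEGE',
                           'ALTER SYSTEM', 'BECOME USER'))
 ORDER BY u.username, r.granted_role, p.privilege;
```

Run the third query before and after each release of an application like the one Pete describes; the join deliberately reports one row per offending role or privilege so the output doubles as the list of grants to revoke. Note that the query only finds accounts that are already externally identified; an account created with a password and later altered with IDENTIFIED EXTERNALLY shows up the same way, so there is no need to track creation history separately.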