
Re: Oracle Security Question

From: DA Morgan <damorgan_at_x.washington.edu>
Date: Thu, 09 Dec 2004 14:24:58 -0800
Message-ID: <1102630991.838318@yasure>


amerar_at_iwc.net wrote:

> Volker Hetzer wrote:
>
>><amerar_at_iwc.net> wrote in news message
>>news:1102432338.770876.210810_at_f14g2000cwb.googlegroups.com...
>>>Hi All,
>>>
>>>I am having real trouble with this one.  Basically I've been asked to
>>>crack down on database security.  Everyone knows all the passwords to
>>>all the schemas.
>>
>>So, change them and tell users their own passwords.
>>
>>>The problem is this place has several Visual Basic applications where
>>>the password is hard coded into the code.  This does me no good,
>>>because once I change the password, I need to tell the developer what
>>>it is......it defeats the purpose of changing the password.
>>
>>Who asked you to crack down on security? Tell that guy that the passwords
>>have to go from the apps. Users have to type them in each time they log on.
>>
>>>What options are available to me?  We are running Oracle 8.1.7.3.  I
>>>need to hide the passwords from everyone.  But I'm not sure what
>>>options I have over a network......
>>
>>Can you access an LDAP server?
>>
>>Lots of Greetings!
>>Volker
>
> This issue here is that the developers know the password, and go into
> production and change stuff. If I tell the developer what the password
> is, it defeats the purpose of changing the password.
>
> However, I like the idea of hiding it in the registry. That can open
> up several possibilities.
>
> Arthur

One solution to developers going into production is to exclude them using EXCLUDED NODES. Another is a log on trigger and a threat from management to replace them if they ever log onto production. The latter is remarkably effective if serious.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)
Received on Thu Dec 09 2004 - 16:24:58 CST
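
A sketch of the logon-trigger approach mentioned in the reply above, added here as an example and not part of the original post. All object names (`sec_logon_deny`, `sec_logon_refused`, `sec_log_refused`, `sec_block_dev_logon`) and the sample deny-list rows are hypothetical, and the trigger owner is assumed to hold the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Hypothetical deny list of developer OS accounts and workstation addresses.
CREATE TABLE sec_logon_deny (
  match_type  VARCHAR2(10)  NOT NULL,  -- 'OS_USER' or 'IP'
  match_value VARCHAR2(256) NOT NULL,  -- LIKE pattern
  CONSTRAINT sec_logon_deny_pk PRIMARY KEY (match_type, match_value)
);
INSERT INTO sec_logon_deny VALUES ('OS_USER', '%DEVUSER1');  -- constructed sample
INSERT INTO sec_logon_deny VALUES ('IP', '192.0.2.%');       -- constructed sample
COMMIT;

-- Hypothetical record of refused logons, for review by the DBA.
CREATE TABLE sec_logon_refused (
  refused_at DATE,          db_user    VARCHAR2(30),
  os_user    VARCHAR2(256), ip_address VARCHAR2(256), host VARCHAR2(256)
);

-- Autonomous transaction so the log row survives the error that refuses the logon.
CREATE OR REPLACE PROCEDURE sec_log_refused (
  p_db_user VARCHAR2, p_os_user VARCHAR2, p_ip VARCHAR2, p_host VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_logon_refused
  VALUES (SYSDATE, p_db_user, p_os_user, p_ip, p_host);
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER sec_block_dev_logon
AFTER LOGON ON DATABASE
DECLARE
  v_os   VARCHAR2(256) := UPPER(SYS_CONTEXT('USERENV', 'OS_USER'));
  v_ip   VARCHAR2(256) := SYS_CONTEXT('USERENV', 'IP_ADDRESS'); -- NULL for non-TCP sessions
  v_host VARCHAR2(256) := SYS_CONTEXT('USERENV', 'HOST');
  v_hits PLS_INTEGER;
BEGIN
  -- A NULL v_ip or v_os never matches LIKE, so such sessions are not refused here.
  SELECT COUNT(*) INTO v_hits
    FROM sec_logon_deny
   WHERE (match_type = 'OS_USER' AND v_os LIKE UPPER(match_value))
      OR (match_type = 'IP'      AND v_ip LIKE match_value);
  IF v_hits > 0 THEN
    sec_log_refused(USER, v_os, v_ip, v_host);
    RAISE_APPLICATION_ERROR(-20001, 'Logon to production refused for this client');
  END IF;
END;
/
```

OS_USER and HOST are values reported by the client, so treat a match on them as a policy tripwire backed by the refusal log rather than as an access control on its own. Accounts holding ADMINISTER DATABASE TRIGGER are not locked out by an error raised in a logon trigger, which keeps DBA access available if the deny list is misconfigured.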
