Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration...
Database Security and Auditing: Protecting Data Integrity and Accessibility
Chapter 3: Administration of Users

Objectives
• Explain the importance of administration documentation
• Outline the concept of operating system authentication
• Create users and logins using both Oracle10g and SQL Server
• Remove a user from Oracle10g and SQL servers

Objectives (continued)
• Modify an existing user using both Oracle10g and SQL servers
• List all default users on Oracle10g and SQL servers
• Explain the concept of a remote user
• List the risks of database links

Objectives (continued)
• List the security risks of linked servers
• List the security risks of remote servers
• Describe best practices for user administration

Documentation of User Administration
• Part of the administration process
• Reasons to document:
– Provide a paper trail
– Ensure administration consistency
• What to document:
– Administration policies, staff and management
– Security procedures
– Procedure implementation scripts or programs
– Predefined roles description

Operating System Authentication
• Many databases (including Microsoft SQL Server 2000) depend on OS to authenticate users
• Reasons:
– Once an intruder is inside the OS, it is easier to access the database
– Centralize administration of users
• Users must be authenticated at each level

Creating Users
• Must be a standardized, well-documented, and securely managed process
• In Oracle10g, use the CREATE USER statement:
– Part of the Data Definition Language (DDL)
– Account can own different objects

Creating an Oracle10g User
• IDENTIFIED clause
– Tells Oracle how to authenticate a user account
– BY PASSWORD option: encrypts and stores an assigned password in the database
– EXTERNALLY option: user is authenticated by the OS
– GLOBALLY AS option: depends on authentication through centralized user management method

Creating an Oracle10g User (continued)
• DEFAULT TABLESPACE clause: specifies default storage for the user
• TEMPORARY TABLESPACE clause
• QUOTA clause: tells Oracle 10g how much storage space a user is allowed for a specified tablespace
• PROFILE clause: indicates the profile used for limiting database resources and enforcing password policies

Creating an Oracle10g User (continued)
• PASSWORD EXPIRE clause: tells Oracle to expire the user password and prompts the user to enter a new password
• ACCOUNT clause: enable or disable account
• ALTER USER: modifies a user account
• Oracle Enterprise Manager: GUI administration tool
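
The CREATE USER clauses described above, combined in one account-creation script. This is an added example, not taken from the original slides; the user JSMITH, the profile APP_USER_PROFILE, the tablespaces USERS and TEMP, the password and all limits are assumptions.

```sql
-- Oracle SQL, run as a DBA. All names and values below are constructed.

-- The profile carries the password policy and resource limits that the
-- PROFILE clause attaches to the account.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5     -- lock after 5 consecutive failed logins
  PASSWORD_LOCK_TIME    1     -- days the account stays locked
  PASSWORD_LIFE_TIME    90    -- days before the password must be changed
  SESSIONS_PER_USER     3;    -- enforced only when RESOURCE_LIMIT = TRUE

CREATE USER jsmith
  IDENTIFIED BY "Ch4nge_Me_At_First_Login"   -- BY PASSWORD option
  DEFAULT TABLESPACE users                   -- where the user's objects go
  TEMPORARY TABLESPACE temp                  -- sort/temp segment storage
  QUOTA 50M ON users                         -- storage cap in that tablespace
  PROFILE app_user_profile
  PASSWORD EXPIRE                            -- forces a new password at first login
  ACCOUNT UNLOCK;

-- A new account cannot log in until it can create a session.
GRANT CREATE SESSION TO jsmith;

-- Later changes go through ALTER USER.
ALTER USER jsmith QUOTA 100M ON users;
ALTER USER jsmith ACCOUNT LOCK;

-- Record the result for the administration paper trail.
SELECT username, account_status, default_tablespace,
       temporary_tablespace, profile, created
  FROM dba_users
 WHERE username = 'JSMITH';

SELECT tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'JSMITH';
```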

Creating an Oracle10g User Using External (Operating System) Authentication
• Depends on an external party to authenticate the user
• Steps:
– Verify account belongs to ORA_DBA group
– Set the Windows registry string OSAUTH_PREFIX_DOMAIN to FALSE
– View setting of the OS_AUTHENT_PREFIX initialization parameter
– Change OS_AUTHENT_PREFIX to NULL

Creating an Oracle10g User Using External (Operating System) Authentication (continued)
• Steps (continued):
– Create an Oracle user
– Provide new user with CREATE SESSION privilege
• Advantage: allows administrators to use one generic user to run maintenance scripts without a password
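
The database-side steps of the procedure above as SQL*Plus statements. This is an added example, not taken from the original slides; the OS account name BATCHOPS and the tablespace names are assumptions, and the ORA_DBA group check and the OSAUTH_PREFIX_DOMAIN registry change are done in Windows, outside the database.

```sql
-- Oracle10g, SQL*Plus, run as a DBA. BATCHOPS is a hypothetical OS account.

-- Step: view the current prefix (the Oracle default is OPS$).
SHOW PARAMETER os_authent_prefix

-- Step: change the prefix to NULL. The parameter is static, so the new
-- value is written to the spfile and applies after an instance restart.
ALTER SYSTEM SET os_authent_prefix = '' SCOPE = SPFILE;

-- Added check: keep REMOTE_OS_AUTHENT at FALSE so that only local OS
-- sessions, not remote clients, are trusted to assert an OS identity.
SHOW PARAMETER remote_os_authent

-- Step: create the Oracle user. With a NULL prefix and
-- OSAUTH_PREFIX_DOMAIN = FALSE the Oracle name matches the OS account name.
CREATE USER batchops
  IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;

-- Step: give the new user the CREATE SESSION privilege, and nothing more
-- than the maintenance scripts need.
GRANT CREATE SESSION TO batchops;

-- The OS user BATCHOPS now connects without supplying a password:
--   CONNECT /

-- Inventory of externally authenticated accounts (in 10g the PASSWORD
-- column of DBA_USERS reads EXTERNAL for them).
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;
```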

Creating an Oracle User Using Global Authentication
• Enterprise-level authentication solution
• Use the CREATE USER statement
• DBA_USERS view: contains information about all accounts

Creating a SQL Server User
• Create a login ID first; controls access to SQL Server system
• Associate login ID with a database user
• Must be member of fixed server roles (SYSADMIN or SECURITYADMIN)
• Two types of login IDs:
– Windows Integrated (trusted) login
– SQL Server login

Creating Windows Integrated Logins
• Command line:
– SP_GRANTLOGIN system stored procedure
– Can be associated with local, domain, or group usernames
• Enterprise Manager:
– Use the Security container
– Logins -> New Login

Creating SQL Server Logins
• Command line:
– SP_ADDLOGIN system stored procedure
– Password is encrypted by default
– Specify a default database
• Enterprise Manager:
– Security container
– Logins -> New Login
– SQL Server Authentication option
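
Both login types created from the command line and then associated with a database user. This is an added example, not taken from the original slides; the account CORP\jsmith, the login app_reader, the password and the Sales database are assumptions, and sp_grantdbaccess is the SQL Server 2000 procedure used here for the login-to-user association the slides mention.

```sql
-- T-SQL for SQL Server 2000, run as a member of the sysadmin role.
-- All account, password and database names are constructed.

-- Windows Integrated (trusted) login: Windows authenticates the account,
-- SQL Server stores no password for it.
EXEC sp_grantlogin @loginame = 'CORP\jsmith'
GO

-- SQL Server login: SQL Server checks the password itself.
-- The default database is set at creation time.
EXEC sp_addlogin @loginame = 'app_reader',
                 @passwd   = 'C0nstructed-Passw0rd!',
                 @defdb    = 'Sales'
GO

-- Point the Windows login at the same default database, away from master.
EXEC sp_defaultdb @loginame = 'CORP\jsmith', @defdb = 'Sales'
GO

-- A login only reaches the server. Access to a database needs a database
-- user associated with that login.
USE Sales
GO
EXEC sp_grantdbaccess @loginame = 'CORP\jsmith', @name_in_db = 'jsmith'
EXEC sp_grantdbaccess @loginame = 'app_reader',  @name_in_db = 'app_reader'
GO

-- Review: which logins exist, which are Windows accounts or groups,
-- which are denied, and which hold the two roles that can create logins.
SELECT name, isntname, isntgroup, denylogin, hasaccess,
       sysadmin, securityadmin, dbname
  FROM master.dbo.syslogins
 ORDER BY name
GO
```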

Removing Users
• Simple process
• Make a backup first
• Obtain a written request (for auditing purposes)

Removing an Oracle User
• DROP command
• CASCADE option: when user owns database objects
• Recommendations:
– Backup the account for one to three months
– Listing all owned objects
– Lock the account or revoke the CREATE SESSION privilege
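
The recommendations above as a staged removal: inventory, lock, then drop. This is an added example, not taken from the original slides; the account name JSMITH is an assumption, and the backup itself is taken with the export utility outside SQL*Plus.

```sql
-- Oracle SQL, run as a DBA. JSMITH is a hypothetical account.

-- 1. List all owned objects and keep the output with the written request.
SELECT object_type, object_name, status, created
  FROM dba_objects
 WHERE owner = 'JSMITH'
 ORDER BY object_type, object_name;

-- Other accounts that were granted access to those objects lose it
-- when the objects are dropped.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'JSMITH'
 ORDER BY grantee, table_name;

-- 2. Lock the account for the retention period instead of dropping it.
ALTER USER jsmith ACCOUNT LOCK;

-- Alternative: revoke CREATE SESSION. This raises an error if the
-- privilege was not granted directly, so check roles as well.
REVOKE CREATE SESSION FROM jsmith;

SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'JSMITH';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'JSMITH';

-- Locking does not end sessions that are already connected.
SELECT sid, serial#, status, logon_time
  FROM v$session
 WHERE username = 'JSMITH';

-- 3. After the backup and the retention period: remove the account.
--    CASCADE is required because the user owns database objects.
DROP USER jsmith CASCADE;
```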

SQL Server: Removing Windows Integrated Logins
• Command line: SP_DENYLOGIN system stored procedure
• Enterprise Manager:
– Highlight the desired login
– Choose Delete from the Action menu

Modifying Users
• Modifications involve:
– Changing passwords
– Locking an account
– Increasing a storage quota
• ALTER USER DDL statement

Modifying an Oracle User
• ALTER USER statement
• Oracle Enterprise Manager: graphical tool

SQL Server: Modifying Windows Integrated Login Attributes
• Command line:
– SP_DEFAULTDB system stored procedure
– SP_DEFAULTLANGUAGE stored procedure
• Enterprise Manager:
– Expand the security container
– Select desired login
– Properties (on the Action Menu)

Default Users
• Oracle default users:
– SYS, owner of the data dictionary
– SYSTEM, performs almost all database tasks
– ORAPWD, creates a password file
• SQL Server default users:
– SA, system administrator
– BUILT_IN\Administrators

Remote Users

Database Links
• Connection from one database to another: allow DDL and SQL statements
• Types: PUBLIC and PRIVATE
• Authentication Methods:
– CURRENT USER
– FIXED USER
– CONNECT USER
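
One link per authentication method listed above, followed by a review query. This is an added example, not taken from the original slides; the net service name HQ_DB, the remote account REPORT_RO, the password and the link names are assumptions.

```sql
-- Oracle SQL. All link, account and service names are constructed.

-- CONNECT USER (connected user): no credentials are stored in the link.
-- The remote database authenticates whoever uses the link under that
-- user's own account. Private link: usable only by its owner.
CREATE DATABASE LINK hq_connected
  USING 'HQ_DB';

-- CURRENT USER: the link runs as the current global user, who must have
-- a valid account on the remote database. No password is stored.
CREATE DATABASE LINK hq_current
  CONNECT TO CURRENT_USER
  USING 'HQ_DB';

-- FIXED USER: the remote account and its password are stored with the
-- link. Declared PUBLIC, every local account can use it and acts on the
-- remote database with REPORT_RO's privileges.
CREATE PUBLIC DATABASE LINK hq_fixed
  CONNECT TO report_ro IDENTIFIED BY "Constructed_Pw_1"
  USING 'HQ_DB';

-- Review: OWNER = 'PUBLIC' marks public links, and USERNAME shows the
-- remote account stored in a fixed-user link.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;
```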

Linked Servers
• Allow you to connect to almost any:
– Object Linking and Embedding Database (OLEDB)
– Open Database Connectivity (ODBC)
• OPENQUERY function
• Map logins in your SQL Server instance to users in the linked database
• Remote servers: allow communication using RPC

Practices for Administrators and Managers
• Manage:
– Accounts
– Data files
– Memory
• Administrative tasks:
– Backup
– Recovery
– Performance tuning

Best Practices
• Follow company’s policies and procedures
• Always document and create logs
• Educate users
• Keep abreast of database and security technology
• Review and modify procedures

Best Practices (continued)
• For SQL Server:
– Mimic Oracle’s recommended installation for UNIX
– Use local Windows or domain Windows accounts
• Block direct access to database tables
• Limit and restrict access to the server
• Use strong passwords
• Patches, patches, patches

Summary
• Document tasks and procedures for auditing purposes
• Creating users:
– CREATE USER statement in Oracle
– Login ID in SQL Server
• Removing users:
– SQL DROP statement
– SP_DENYLOGIN Windows system stored procedure

Summary (continued)
• Modifying user attributes: ALTER USER DDL statement
• Local database and users
• Remote users
• Database links
• Linked servers