Profiles, Password Policies, Privileges, and Roles.


Transcript of Profiles, Password Policies, Privileges, and Roles.

Page 1: Profiles, Password Policies, Privileges, and Roles.

Profiles, Password Policies, Privileges, and Roles

Page 2: Profiles, Password Policies, Privileges, and Roles.

Objectives

• Define and use a profile
• Design and implement password policies
• Implement password policies in Oracle

Page 3: Profiles, Password Policies, Privileges, and Roles.

Objectives (continued)

• Grant and revoke user privileges
• Create, assign, and revoke user roles
• List best practices for securing a network environment

Page 4: Profiles, Password Policies, Privileges, and Roles.

Defining and Using Profiles

• Profile:
– Describes limits on database resources
– Constrains how database users may behave (session counts, connect and idle time)
– Prevents users from wasting resources
• Memory
• CPU
• Not offered by every database system:
– Oracle does
– Microsoft SQL Server 2000 does not

Page 5: Profiles, Password Policies, Privileges, and Roles.

Creating Profiles in Oracle

• A profile defines two elements of security:
– Restrictions on resources
– Implementation of password policies
• Created with the CREATE PROFILE statement
• To view all created profiles, query the data dictionary view DBA_PROFILES

Page 6: Profiles, Password Policies, Privileges, and Roles.

Creating Profiles in Oracle

• Syntax (resource limits first, then password limits):

    CREATE PROFILE profile_name
    LIMIT
        SESSIONS_PER_USER          number
        CPU_PER_SESSION            hundredths_of_seconds
        CPU_PER_CALL               hundredths_of_seconds
        CONNECT_TIME               minutes
        IDLE_TIME                  minutes
        LOGICAL_READS_PER_SESSION  db_blocks
        LOGICAL_READS_PER_CALL     db_blocks
        COMPOSITE_LIMIT            number
        PRIVATE_SGA                bytes
        FAILED_LOGIN_ATTEMPTS      number
        PASSWORD_LIFE_TIME         days
        PASSWORD_REUSE_TIME        days
        PASSWORD_REUSE_MAX         number
        PASSWORD_LOCK_TIME         days
        PASSWORD_GRACE_TIME        days
        PASSWORD_VERIFY_FUNCTION   function_name
    /

• Each limit may also be given as DEFAULT (take the value from the DEFAULT profile) or UNLIMITED

Page 7: Profiles, Password Policies, Privileges, and Roles.

• SESSIONS_PER_USER: the maximum number of concurrent open sessions allowed per user
• CPU_PER_SESSION: the maximum CPU time, in hundredths of a second, allowed for a session (for the duration of the session)
• CPU_PER_CALL: the maximum CPU time, in hundredths of a second, allowed for a single call (one parse, execute, or fetch)
• CONNECT_TIME: the maximum elapsed time, in minutes, a user connection is allowed
• IDLE_TIME: the maximum idle time, in minutes, before a user connection is disconnected
• LOGICAL_READS_PER_SESSION: the maximum number of database blocks a session may read from memory or disk
• LOGICAL_READS_PER_CALL: the maximum number of database blocks a single call may read
• PRIVATE_SGA: the maximum number of bytes of SGA a session may allocate; applies only in shared server mode
• COMPOSITE_LIMIT: a weighted sum of all resource limits expressed in

Page 8: Profiles, Password Policies, Privileges, and Roles.

Creating Profiles in Oracle

• Example: a profile that caps CPU per call at 10 seconds (1000 hundredths), limits a connection to 2 hours, and disconnects after 15 idle minutes:

    CREATE PROFILE CH04_PROF
    LIMIT
        SESSIONS_PER_USER          DEFAULT
        CPU_PER_SESSION            DEFAULT
        CPU_PER_CALL               1000
        CONNECT_TIME               120
        IDLE_TIME                  15
        LOGICAL_READS_PER_SESSION  DEFAULT
        LOGICAL_READS_PER_CALL     DEFAULT
        COMPOSITE_LIMIT            DEFAULT
        PRIVATE_SGA                DEFAULT
    /

Page 9: Profiles, Password Policies, Privileges, and Roles.

• Verifying the new profile in the data dictionary (resource limits are of type KERNEL, password limits of type PASSWORD):

    SQL> SELECT *
      2  FROM DBA_PROFILES
      3  WHERE PROFILE = 'CH04_PROF'
      4  /

    PROFILE    RESOURCE_NAME              RESOURCE  LIMIT
    ---------  -------------------------  --------  -------
    CH04_PROF  COMPOSITE_LIMIT            KERNEL    DEFAULT
    CH04_PROF  SESSIONS_PER_USER          KERNEL    DEFAULT
    CH04_PROF  CPU_PER_SESSION            KERNEL    DEFAULT
    CH04_PROF  CPU_PER_CALL               KERNEL    1000
    CH04_PROF  LOGICAL_READS_PER_SESSION  KERNEL    DEFAULT
    CH04_PROF  LOGICAL_READS_PER_CALL     KERNEL    DEFAULT
    CH04_PROF  IDLE_TIME                  KERNEL    15
    CH04_PROF  CONNECT_TIME               KERNEL    120
    CH04_PROF  PRIVATE_SGA                KERNEL    DEFAULT
    CH04_PROF  FAILED_LOGIN_ATTEMPTS      PASSWORD  DEFAULT
    CH04_PROF  PASSWORD_LIFE_TIME         PASSWORD  DEFAULT
    CH04_PROF  PASSWORD_REUSE_TIME        PASSWORD  DEFAULT
    CH04_PROF  PASSWORD_REUSE_MAX         PASSWORD  DEFAULT
    CH04_PROF  PASSWORD_VERIFY_FUNCTION   PASSWORD  DEFAULT
    CH04_PROF  PASSWORD_LOCK_TIME         PASSWORD  DEFAULT
    CH04_PROF  PASSWORD_GRACE_TIME        PASSWORD  DEFAULT

Page 10: Profiles, Password Policies, Privileges, and Roles.

Creating Profiles in Oracle (continued)

Page 11: Profiles, Password Policies, Privileges, and Roles.

Creating Profiles in Oracle (continued)

• ALTER PROFILE: modifies one or more limits of an existing profile
• ALTER USER: assigns a profile to a user (every user has exactly one profile; DEFAULT if none is assigned)

    ALTER PROFILE ch04_prof LIMIT idle_time 30;
    ALTER USER a PROFILE ch04_prof;
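The following is an added example, not from the original slides: it assigns the profile to users and then resolves the limits that actually apply to each of them, because a limit of DEFAULT in a custom profile means "whatever the DEFAULT profile currently says", so reading the custom profile's rows alone can mislead. The user names app_user and reporter, and the extra CONNECT_TIME value, are assumptions.

```sql
-- Added example (not from the slides).  Assumes users APP_USER and REPORTER exist.

-- Resource (KERNEL) limits are enforced only when RESOURCE_LIMIT is TRUE
-- (FALSE by default before 12c).  Password limits are always enforced.
ALTER SYSTEM SET resource_limit = TRUE;

ALTER PROFILE ch04_prof LIMIT idle_time 30 connect_time 480;
ALTER USER app_user PROFILE ch04_prof;
ALTER USER reporter PROFILE ch04_prof;

-- Effective limit per user: substitute the DEFAULT profile's value wherever
-- the user's profile says DEFAULT.
SELECT u.username,
       u.profile,
       p.resource_name,
       CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
  JOIN dba_profiles d ON d.profile = 'DEFAULT'
                     AND d.resource_name = p.resource_name
 WHERE u.username IN ('APP_USER', 'REPORTER')
   AND p.resource_name IN ('IDLE_TIME', 'CONNECT_TIME',
                           'SESSIONS_PER_USER', 'FAILED_LOGIN_ATTEMPTS')
 ORDER BY u.username, p.resource_name;

-- Accounts that never received a tailored profile.  ORACLE_MAINTAINED exists
-- from 12c on; drop that predicate on older releases.
SELECT username, account_status, profile
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND oracle_maintained = 'N'
 ORDER BY username;
```

The second query is the check to run after a hardening change: any human account still on DEFAULT inherits whatever the DEFAULT profile allows, which on an untouched installation is UNLIMITED for the resource limits.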

Page 12: Profiles, Password Policies, Privileges, and Roles.

Designing and Implementing Password Policies

• The password is the key that opens a user account; strong passwords are harder to break
• User authentication depends on passwords
• Many intrusions begin with a broken or guessed password
• Companies spend on:
– Training
– Education

Page 13: Profiles, Password Policies, Privileges, and Roles.

What Is a Password Policy?

• A password policy is a set of guidelines that:
– Enhances the robustness of passwords
– Reduces the likelihood of passwords being broken
• Deals with:
– Complexity
– Change frequency
– Reuse

Page 14: Profiles, Password Policies, Privileges, and Roles.

Importance of Password Policies

• First line of defense
• Most companies invest considerable resources to strengthen authentication by adopting technological measures that protect their assets
• Forces employees to abide by the guidelines set by the company and raises employee awareness of password protection

Page 15: Profiles, Password Policies, Privileges, and Roles.

Designing Password Policies

• Complexity: the set of rules a new password must satisfy (length, character classes)
• Aging: how long a password can be used before it must be changed
• Usage: how many times, or after how long, a previous password may be reused
• Storage: store only a one-way hash of the password, never the plaintext or a reversibly encrypted copy

Page 16: Profiles, Password Policies, Privileges, and Roles.

Implementing Password Policies

• In Oracle, using profiles:
– CREATE PROFILE with the PASSWORD_* limits
– PASSWORD_VERIFY_FUNCTION for complexity rules

Page 17: Profiles, Password Policies, Privileges, and Roles.

• Password-policy part of the CREATE PROFILE syntax:

    CREATE PROFILE PASSWORD_POLICY
    LIMIT
    { { FAILED_LOGIN_ATTEMPTS
      | PASSWORD_LIFE_TIME
      | PASSWORD_REUSE_TIME
      | PASSWORD_REUSE_MAX
      | PASSWORD_LOCK_TIME
      | PASSWORD_GRACE_TIME
      }
      { expr | UNLIMITED | DEFAULT }
    | PASSWORD_VERIFY_FUNCTION
      { function | NULL | DEFAULT }
    }

Page 18: Profiles, Password Policies, Privileges, and Roles.

• FAILED_LOGIN_ATTEMPTS: the number of consecutive failed login attempts allowed before the account is locked
• PASSWORD_LIFE_TIME: the number of days a password is valid before it expires
• PASSWORD_REUSE_TIME: the number of days that must pass before a password can be reused; works together with PASSWORD_REUSE_MAX
• PASSWORD_REUSE_MAX: the number of password changes required before a password can be reused
• PASSWORD_LOCK_TIME: the number of days an account stays locked after too many failed login attempts (fractions are allowed, e.g. 1/24 for one hour)
• PASSWORD_GRACE_TIME: the number of days after a password has expired during which login is still allowed with a warning; once the grace period ends the password must be changed at login
• PASSWORD_VERIFY_FUNCTION: tells Oracle to run a custom PL/SQL function on every password change to validate password complexity

Page 19: Profiles, Password Policies, Privileges, and Roles.

    SQL> CREATE PROFILE ACME_PASSWORD_PROFILE
      2  LIMIT
      3  FAILED_LOGIN_ATTEMPTS 1
      4  PASSWORD_LIFE_TIME 15
      5  PASSWORD_REUSE_TIME DEFAULT
      6  PASSWORD_REUSE_MAX 1
      7  /

• A user password cannot be reused (REUSE_MAX is set and REUSE_TIME inherits UNLIMITED from the DEFAULT profile; when one of the pair is UNLIMITED and the other is a number, a password can never be reused; when both are numbers, a password may return only after both conditions are met).
• A password must be changed every 15 days.
• A single failed login locks the account. Note the trade-off: anyone who knows a user name can lock that account with one wrong password, so production settings usually allow several attempts and set PASSWORD_LOCK_TIME so the lock expires on its own.
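The slides name PASSWORD_VERIFY_FUNCTION but never show one. The following is an added example, not from the original slides: a complexity-check function created in the SYS schema (Oracle requires the function to live there and to have exactly this three-argument signature) and a profile that uses it, with a lockout threshold that is harder to abuse than FAILED_LOGIN_ATTEMPTS 1. The function name acme_verify, the profile name acme_pwd_policy, the user name scott and the concrete limits are assumptions.

```sql
-- Added example (not from the slides).  Run as SYS.
CREATE OR REPLACE FUNCTION acme_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2          -- NULL when a DBA resets the password
) RETURN BOOLEAN
IS
    n_upper PLS_INTEGER := 0;
    n_lower PLS_INTEGER := 0;
    n_digit PLS_INTEGER := 0;
    n_other PLS_INTEGER := 0;
    code    PLS_INTEGER;
BEGIN
    -- Minimum length.
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;

    -- The user name must not appear inside the password.
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the user name');
    END IF;

    -- Count character classes by ASCII code (independent of NLS sort order).
    FOR i IN 1 .. LENGTH(password) LOOP
        code := ASCII(SUBSTR(password, i, 1));
        IF    code BETWEEN 65 AND 90  THEN n_upper := n_upper + 1;
        ELSIF code BETWEEN 97 AND 122 THEN n_lower := n_lower + 1;
        ELSIF code BETWEEN 48 AND 57  THEN n_digit := n_digit + 1;
        ELSE                               n_other := n_other + 1;
        END IF;
    END LOOP;
    IF n_upper = 0 OR n_lower = 0 OR n_digit = 0 OR n_other = 0 THEN
        raise_application_error(-20003,
            'Password needs upper-case, lower-case, digit and special characters');
    END IF;

    -- A change must differ from the previous password in at least 4 positions,
    -- so "Summer2023!a" -> "Summer2023!b" is rejected.
    IF old_password IS NOT NULL THEN
        DECLARE
            diffs PLS_INTEGER := ABS(LENGTH(password) - LENGTH(old_password));
        BEGIN
            FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
                IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                    diffs := diffs + 1;
                END IF;
            END LOOP;
            IF diffs < 4 THEN
                raise_application_error(-20004,
                    'New password must differ from the old one in at least 4 characters');
            END IF;
        END;
    END IF;

    RETURN TRUE;
END;
/

-- Profile that applies the function together with lockout, aging and history.
CREATE PROFILE acme_pwd_policy LIMIT
    FAILED_LOGIN_ATTEMPTS    5          -- lock after 5 consecutive failures
    PASSWORD_LOCK_TIME       1/24       -- lock lasts one hour, then clears itself
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365        -- both set: a password may come back only
    PASSWORD_REUSE_MAX       10         -- after 365 days AND 10 intervening changes
    PASSWORD_VERIFY_FUNCTION acme_verify;

ALTER USER scott PROFILE acme_pwd_policy;
```

Once assigned, any ALTER USER ... IDENTIFIED BY that violates a rule fails with ORA-28003 and the message raised by the function, which is the observable check that the policy is live; the PASSWORD_* limits take effect at the next password change or login.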

Page 20: Profiles, Password Policies, Privileges, and Roles.

Granting and Revoking User Privileges

• Privileges permit or deny access to data and the right to perform database operations
• In Oracle:
– System privileges (act on the database as a whole, e.g. CREATE SESSION, CREATE TABLE, SELECT ANY TABLE):
• Granted by a database administrator
• Or by a user who holds the privilege WITH ADMIN OPTION
– Object privileges (act on one object, e.g. SELECT on a table):
• Granted by the schema owner, or by a user who received the privilege WITH GRANT OPTION

Page 21: Profiles, Password Policies, Privileges, and Roles.

Granting and Revoking User Privileges (continued)

• In Oracle (continued):
– Grant a privilege using the DCL GRANT statement
– Revoke a privilege using the DCL REVOKE statement
– Two options let the grantee pass the privilege on to others:
• WITH ADMIN OPTION (system privileges)
• WITH GRANT OPTION (object privileges)
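The following is an added example, not from the original slides: it grants system and object privileges with and without the re-grant options, shows the asymmetric revoke behaviour that matters when cleaning up access, and ends with the two dictionary queries used to audit what was handed out. The user names app_owner, app_user and reporter and the table app_owner.orders are assumptions.

```sql
-- Added example (not from the slides).  Assumes users APP_OWNER, APP_USER,
-- REPORTER and a table APP_OWNER.ORDERS.

-- System privileges, granted as a DBA.  WITH ADMIN OPTION lets APP_OWNER
-- re-grant CREATE SESSION; the other privileges stay non-transferable.
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO app_owner;
GRANT CREATE SESSION TO app_owner WITH ADMIN OPTION;

-- Connected as APP_OWNER, who may now re-grant CREATE SESSION.
GRANT CREATE SESSION TO app_user, reporter;

-- Object privileges, granted by the schema owner.  Least privilege: the
-- application gets DML, the reporting account only SELECT.
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_user;
GRANT SELECT ON app_owner.orders TO reporter WITH GRANT OPTION;

-- Revoking.  The two privilege kinds behave differently:
--   object privilege: revoking from REPORTER also removes every grant
--                     REPORTER made with its GRANT OPTION (cascades)
--   system privilege: revoking CREATE SESSION from APP_OWNER leaves
--                     APP_USER and REPORTER with it (no cascade)
REVOKE SELECT ON app_owner.orders FROM reporter;
REVOKE CREATE SESSION FROM app_owner;

-- Audit 1: non-system grantees holding "ANY" privileges or able to re-grant.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%' OR admin_option = 'YES')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Audit 2: every object privilege on the application schema.
SELECT grantee, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER'
 ORDER BY grantee, table_name, privilege;
```

Because system-privilege revokes do not cascade, the first audit query is the only reliable way to find privileges that were re-granted and then orphaned from their original grantor.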

Page 22: Profiles, Password Policies, Privileges, and Roles.

• To list every system privilege the database knows about:

    SELECT name FROM system_privilege_map;

• Examples of system privileges

Table privileges:
• ALTER ANY TABLE
• BACKUP ANY TABLE
• COMMENT ANY TABLE
• CREATE ANY TABLE
• CREATE TABLE
• DELETE ANY TABLE
• DROP ANY TABLE
• FLASHBACK ANY TABLE
• INSERT ANY TABLE
• LOCK ANY TABLE
• SELECT ANY TABLE
• UPDATE ANY TABLE

Transaction privileges:
• FORCE ANY TRANSACTION
• FORCE TRANSACTION

• The "ANY" privileges apply to objects in every schema and effectively bypass object-level grants, so they should be reserved for administrators

Page 23: Profiles, Password Policies, Privileges, and Roles.

• Some important system privileges are:
– CREATE SESSION
– CREATE TABLE
– CREATE VIEW
– CREATE PROCEDURE
– and more

Page 24: Profiles, Password Policies, Privileges, and Roles.

• Object privileges
– Tables: SELECT, INSERT, UPDATE, DELETE, ALTER, DEBUG, FLASHBACK, ON COMMIT REFRESH, QUERY REWRITE, REFERENCES, etc.

Page 25: Profiles, Password Policies, Privileges, and Roles.

Granting and Revoking User Privileges (continued)

Page 26: Profiles, Password Policies, Privileges, and Roles.

Granting and Revoking User Privileges (continued)

Page 27: Profiles, Password Policies, Privileges, and Roles.

Creating, Assigning, and Revoking User Roles

• Role:
– Used to organize and administer privileges as a named group
– Is like a user, except it cannot own objects or log in
– Can be assigned privileges (and other roles)
– Can be assigned to users

Page 28: Profiles, Password Policies, Privileges, and Roles.

Creating, Assigning, and Revoking User Roles (continued)

• In Oracle:
– Create a role using the CREATE ROLE statement
– Assign privileges to a role, and the role to users, using the GRANT statement
– Or use the Oracle Enterprise Manager Roles tool
– Revoke a role using the REVOKE statement
– Drop a role using the DROP ROLE statement (it is removed from every grantee at once)
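The following is an added example, not from the original slides: it walks the whole role lifecycle, including a password-protected role that stays disabled until a session explicitly enables it, and the dictionary queries that show who holds which role. The role names orders_read, orders_write and orders_admin, the table app_owner.orders, the users app_user and reporter, and the placeholder role password are assumptions.

```sql
-- Added example (not from the slides).  Assumes table APP_OWNER.ORDERS and
-- users APP_USER and REPORTER exist.  Statements on the table are run as
-- APP_OWNER; role creation and user grants as a DBA.

CREATE ROLE orders_read;
CREATE ROLE orders_write;
-- A password-protected role is not active at login; a session must run
-- SET ROLE orders_admin IDENTIFIED BY <password> to enable it, which keeps
-- the privileged path off by default.  The password is a placeholder.
CREATE ROLE orders_admin IDENTIFIED BY "ExampleOnly-R0le#Pwd";

-- Privileges go to roles, never directly to users.
GRANT SELECT ON app_owner.orders TO orders_read;
GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO orders_write;
GRANT orders_read TO orders_write;           -- roles can contain roles
GRANT ALTER, INDEX ON app_owner.orders TO orders_admin;

-- Users receive roles.
GRANT orders_read  TO reporter;
GRANT orders_write TO app_user;
GRANT orders_admin TO app_user;
-- Keep the sensitive role out of the user's default set so it is disabled
-- until explicitly enabled in a session.
ALTER USER app_user DEFAULT ROLE ALL EXCEPT orders_admin;

-- Changing access later is one role change, not one change per user.
REVOKE orders_write FROM app_user;
DROP ROLE orders_admin;                      -- gone from every grantee at once

-- Audit: who holds the roles, and what the roles actually contain.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('ORDERS_READ', 'ORDERS_WRITE')
 ORDER BY grantee, granted_role;

SELECT role, owner, table_name, privilege
  FROM role_tab_privs
 WHERE role IN ('ORDERS_READ', 'ORDERS_WRITE')
 ORDER BY role, privilege;
```

Keeping privileges on roles and users on roles means the second audit query describes the permission model completely; a direct grant to a user found in DBA_TAB_PRIVS is then by definition an exception worth investigating.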

Page 29: Profiles, Password Policies, Privileges, and Roles.

Best Practices

• Develop a secure environment:
– Never store passwords for an application in plaintext
– Change passwords frequently
– Use passwords at least eight characters long
– Pick a password that you can remember
– Use roles to control and administer privileges
– Report compromise or loss of a password
– Report any violation of company guidelines

Page 30: Profiles, Password Policies, Privileges, and Roles.

Best Practices (continued)

• Develop a secure environment (continued):
– Never give your password to anyone
– Never share your password with anyone
– Never give your password over the phone
– Never type your password in an e-mail
– Make sure your password is complex enough
– Use Windows integrated security mode
– In a Windows 2000/2003 domain, use domain users and take advantage of Kerberos

Page 31: Profiles, Password Policies, Privileges, and Roles.

Best Practices (continued)

• When configuring policies:
– Require complex passwords with special characters in the first seven bytes
– Require a password length of at least eight
– Set an account lockout threshold
– Do not allow passwords to automatically reset
– Expire end-user passwords
– Do not expire application-user passwords
– Enforce a password history

Page 32: Profiles, Password Policies, Privileges, and Roles.

Summary

• Profiles define limits on database resources and on user behavior
• In Oracle:
– CREATE PROFILE and ALTER PROFILE define the limits
– The DBA_PROFILES view shows them
– ALTER USER assigns a profile to a user
• SQL Server does not support profiles
• Password policy:
– Enhances password robustness
– Reduces the likelihood of passwords being broken

Page 33: Profiles, Password Policies, Privileges, and Roles.

Summary (continued)

• In Oracle:
– System privileges
– Object privileges

Page 34: Profiles, Password Policies, Privileges, and Roles.

Summary (continued)

• GRANT and REVOKE
• Roles are used to:
– Organize and administer privileges in an easy manner
– A role is like a user but cannot own objects
– A role can be assigned privileges
– Roles are assigned and removed with GRANT and REVOKE
• Best practices for developing a secure environment