Security can be basic

Published 2008-08-01 at https://www.dannorris.com/blog/2008/08/01/security-can-be-basic/ (categories: database, oracle, oracle-db-11g, technical; tags: oracle-database, security)

<p>Sometimes I think that people think of security, especially database security, as a domain for the highly skilled consultant. However, sometimes it is the most basic little things that need attention, and it doesn't require a high-priced, highly skilled consultant to figure it out.</p>

<p>Case in point: I recently arrived at a new customer site to help them with some database issues. They have a development environment, test environment, production database, and a clone of production they use for reporting. To get started, they sent me the TNS entries for each of these four databases. I didn't have any usernames or passwords, so I was still in a holding pattern. Since I was using <a href="http://www.oracle.com/technology/software/tech/oci/instantclient/index.html">instantclient</a>, I didn't have tnsping, but I still wanted to verify that the TNS entries were created properly and that I had connectivity. So, I thought I'd just use scott/tiger to test and expected the ORA-01017 (invalid username/password) error.</p>

<p>I tried development, ORA-01017, which confirmed that the TNS entry was correct, but there was no <a href="http://wiki.oracle.com/page/scott%2Ftiger?t=anon">scott/tiger account</a> (or at least the password wasn't tiger). Tried the test database, same result. The reporting database, same result. (You can see the punchline coming, right?) I tried the production database and, wouldn't you know it, I got connected using the scott/tiger account! I was so shocked I think I let out a little yelp of disbelief.</p>

<p>So, for all the DBAs tuned in: here's a quick and easy way to make things better (maybe still insufficient, but at least safER than now). Lock all the accounts that are not in use or that you can't confirm are in use. If you need a hint: <code>alter user scott account lock;</code>. If you still don't get it, then prepare your resume :). If you can't confirm that the account is needed, lock it. When someone complains, unlock it (yes, it's that easy). If they go to your boss to complain, explain that you did what you did in the name of database and data security (which is true) and you'll generally avoid punishment.</p>

<p>If you aren't sure whether the account is one of Oracle's built-in, default accounts, consult <a href="http://www.petefinnigan.com/default/default_password_list.htm">Pete Finnigan's lists</a>. For more information, check out <a href="http://www.oracle.com/technology/pub/articles/project_lockdown/index.html">Project Lockdown</a>, the <a href="http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/toc.htm">Oracle 11g Database Security Guide</a>, and <a href="http://www.petefinnigan.com/orasec.htm">Pete Finnigan's list of whitepapers and presentations</a>. You can't mention Oracle Security without a link to <a href="http://blogs.oracle.com/maryanndavidson/">Mary Ann Davidson's blog</a>, which is both informative and often entertaining.</p>

<p>Feel free to submit your horror story in comments. This same scenario happens all the time, but this time just seemed too silly to keep it a secret. No, I won't tell you who the customer was :).</p>