Wednesday, November 3, 2010

New Security Features in Oracle 11g

Finding User Accounts That Have Default Passwords

When you create a database in Oracle Database 11g Release 1 (11.1), most of its default accounts are locked with the passwords expired. If you have upgraded from an earlier release of Oracle Database, you may have user accounts that have default passwords. These are default accounts that are created when you create a database, such as the HR, OE, and SCOTT accounts.
For greater security, change the passwords for these accounts. Using a default password that is commonly known can make your database vulnerable to attacks by intruders. To find both locked and unlocked accounts that use default passwords, log onto SQL*Plus using the SYSDBA privilege and then query the DBA_USERS_WITH_DEFPWD data dictionary view.
For example, to find both the names of accounts that have default passwords and the status of those accounts:

CONNECT / AS SYSDBA
Enter password: password

SELECT d.username, u.account_status
FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
WHERE d.username = u.username ORDER BY 2,1;

USERNAME  ACCOUNT_STATUS
--------- ---------------------------
SCOTT     EXPIRED & LOCKED

Then change the passwords for any accounts that the DBA_USERS_WITH_DEFPWD view lists. Oracle recommends that you do not assign these accounts passwords that they may have had in previous releases of Oracle Database.

Automatically Locking a User Account After a Failed Login

Oracle Database can lock a user's account after a specified number of consecutive failed log-in attempts. You can set the PASSWORD_LOCK_TIME user's profile parameter to configure the account to unlock automatically after a specified time interval or to require database administrator intervention to be unlocked. The database administrator also can lock accounts manually, so that they must be unlocked explicitly by the database administrator.
You can specify the permissible number of failed login attempts by using the CREATE PROFILE statement. You can also specify the amount of time accounts remain locked.
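The following is an added example (not part of the original post or of Oracle's documentation) that turns the query above into a lockdown script: it lists every account DBA_USERS_WITH_DEFPWD reports, then expires and locks those that are still OPEN. SYS and SYSTEM are skipped because locking them is not a sensible remedy; the password value shown for SYSTEM is a placeholder.

```sql
-- Added example, not from the original post. Run as SYSDBA.
SET SERVEROUTPUT ON

-- Step 1: review the candidates and their current status before changing anything.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY u.account_status, d.username;

-- Step 2: expire and lock every default-password account that is still OPEN.
-- Already EXPIRED or LOCKED accounts are left alone; SYS and SYSTEM are excluded
-- because they must keep working for administration and get a new password instead.
BEGIN
  FOR r IN (SELECT d.username
              FROM dba_users_with_defpwd d
              JOIN dba_users u ON u.username = d.username
             WHERE u.account_status = 'OPEN'
               AND d.username NOT IN ('SYS', 'SYSTEM'))
  LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username ||
                      '" PASSWORD EXPIRE ACCOUNT LOCK';
    DBMS_OUTPUT.PUT_LINE('Expired and locked: ' || r.username);
  END LOOP;
END;
/

-- Step 3: give the administrative accounts a new, non-default password explicitly.
-- The quoted value is a placeholder; do not reuse a password from an earlier release.
ALTER USER system IDENTIFIED BY "<new-strong-password>";

-- Step 4: re-run the review query; no OPEN rows should remain.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';
```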
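As an added example (not from the original post), here is a profile that implements the two lockout behaviours described above, plus the query a DBA uses to see which accounts were locked by failed logins rather than by hand. The profile and user names are placeholders chosen for this example.

```sql
-- Added example, not from the original post. Run as a user with CREATE PROFILE / ALTER USER.
-- PASSWORD_LOCK_TIME is expressed in days, so 1/24 is one hour. (In 11g the DEFAULT
-- profile already uses FAILED_LOGIN_ATTEMPTS 10 and PASSWORD_LOCK_TIME 1, i.e. one day.)
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24;

-- Stricter variant: the account stays locked until a DBA unlocks it explicitly.
CREATE PROFILE app_profile_strict LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    UNLIMITED;

-- Assign the profile; password limits are always enforced, unlike resource limits,
-- so no change to RESOURCE_LIMIT is needed.
ALTER USER hr PROFILE app_profile;

-- Accounts locked by the failed-login counter show ACCOUNT_STATUS = 'LOCKED(TIMED)',
-- whereas a manual ALTER USER ... ACCOUNT LOCK shows plain 'LOCKED'. LOCK_DATE gives
-- the time of the lock, which is the first thing to check when investigating.
SELECT username, account_status, lock_date, profile
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%'
 ORDER BY lock_date DESC;

-- Manual unlock once the failed attempts have been investigated.
ALTER USER hr ACCOUNT UNLOCK;
```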

Password Case Sensitivity

In previous releases of Oracle Database, passwords were not case sensitive. If you import user accounts from a previous release, for example, Release 10g, into the current database release, the case-insensitive passwords in these accounts remain case insensitive until the user changes his or her password. If the account was granted SYSDBA or SYSOPER privilege, it is imported to the password file. When a password from a user account from the previous release is changed, it then becomes case sensitive.

You can find users who have case sensitive or case insensitive passwords by querying the DBA_USERS view. The PASSWORD_VERSIONS column in this view indicates the release in which the password was created. For example:

SELECT USERNAME,PASSWORD_VERSIONS FROM DBA_USERS;

USERNAME                       PASSWORD_VERSIONS
------------------------------ -----------------
JONES                          10G 11G
ADAMS                          10G 11G
CLARK                          10G 11G
PRESTON                        11G
BLAKE                          10G
The passwords for accounts JONES, ADAMS, and CLARK were originally created in Release 10g and then reset in Release 11g. Their passwords, assuming case sensitivity has been enabled, are now case sensitive, as is the password for PRESTON. However, the account for BLAKE is still using the Release 10g standard, so it is case insensitive. Ask him to reset his password so that it will be case sensitive, and therefore more secure.


Ensuring Against Password Security Threats by Using the SHA-1 Hashing Algorithm

The SHA-1 cryptographic hashing algorithm protects against password-based security threats by including support for mixed case characters, special characters, and multibyte characters in passwords. In addition, the SHA-1 hashing algorithm adds a salt to the password when it is hashed, which provides additional protection. This enables your users to create far more complex passwords, and therefore, makes it more difficult for an intruder to gain access to these passwords. Oracle recommends that you use the SHA-1 hashing algorithm.
Many password cracking tools rely on access to the Oracle Database data dictionary. The tool must first obtain the hash values of the password by using an administrator account or by gaining direct access to the hash values that are stored on media such as backup tapes or disk drives containing database files. (For this reason, it is a good idea to encrypt backup media that contains database files.) The cracking tools then use clear text password combinations to create the new hash, match the new hash with the existing hash, and thus obtain an existing password.
You optionally can configure Oracle Database to run in exclusive mode for Release 11 or later. When you enable exclusive mode, then Oracle Database uses the new SHA-1 hashing algorithm exclusively. Oracle Database 11g exclusive mode is compatible with Oracle Database 10g and later products that use OCI-based drivers, including SQL*Plus, ODBC, Oracle .NET, Oracle Forms, and various third-party Oracle Database adapters. However, be aware that exclusive mode for Release 11g is not compatible with JDBC type-4 (thin) versions earlier than Oracle Database 11g or Oracle Database Client interface (OCI)-based drivers earlier than Oracle Database 10g. After you configure exclusive mode, Oracle recommends that you remove the old password hash values from the data dictionary.
Follow these steps:
  1. Change all old passwords to include mixed case and special characters.
  2. Verify that the passwords in test scripts or batch jobs are consistent in their use of mixed case and special characters.
  3. Enable exclusive mode.
    1. Create a backup copy of the sqlnet.ora parameter file, by default located in the $ORACLE_HOME/network/admin directory on UNIX operating systems and the %ORACLE_HOME%\network\admin directory on Microsoft Windows operating systems.
    2. Ensure that the sqlnet.ora file has the following line:
      sqlnet.allowed_logon_version=11
      
    3. Save and exit the sqlnet.ora file.
    4. If necessary, restart the listener. At a command prompt, enter the following commands:
      lsnrctl STOP listener_name
      
      lsnrctl START listener_name
      
      listener_name is the name of the listener defined in the listener.ora file. You do not need to identify the listener if you are using the default listener, named LISTENER.
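The following added example (not from the original post) serves both the Password Case Sensitivity section and step 1 of the procedure above: it finds every account whose password verifier exists only in the 10G form (the BLAKE case from the PASSWORD_VERSIONS listing) and expires those passwords so the users must choose new ones, which are then hashed under the current, case-sensitive rules. SEC_CASE_SENSITIVE_LOGON is the 11g initialization parameter that governs case-sensitive logons; SYS is excluded from the expiry loop.

```sql
-- Added example, not from the original post. Run as SYSDBA.

-- Confirm that case-sensitive logons are enabled (11g parameter, default TRUE).
SELECT name, value
  FROM v$parameter
 WHERE name = 'sec_case_sensitive_logon';

-- Accounts that still carry only a Release 10g verifier: case insensitive and
-- the ones that must change their password before exclusive mode is relied on.
SELECT username, password_versions, account_status, profile
  FROM dba_users
 WHERE password_versions LIKE '%10G%'
   AND password_versions NOT LIKE '%11G%'
 ORDER BY username;

-- Force those users to pick a new password at their next logon. Only OPEN
-- accounts are touched; locked or already expired ones need no change now.
BEGIN
  FOR r IN (SELECT username
              FROM dba_users
             WHERE password_versions LIKE '%10G%'
               AND password_versions NOT LIKE '%11G%'
               AND account_status = 'OPEN'
               AND username <> 'SYS')
  LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username || '" PASSWORD EXPIRE';
  END LOOP;
END;
/

-- After the users have reset their passwords, re-run the PASSWORD_VERSIONS
-- query above; it should return no rows.
```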
