Database Security Managing Users and Security Models

1
Database Security Managing Users andSecurity
Models
2
Managing Users

• Authorization Authentication
• Creating Users
• Check for Default Users
• Check for weak passwords
• Lock Remove Accounts

3
Operating System Authentication

• Many databases (including Microsoft SQL Server
  2000) depend on OS to authenticate users
• Reasons
• Once an intruder is inside the OS, it is easier
  to access the database
• Centralize administration of users
• Users must be authenticated at each level
• (defense in depth)

4
Creating Users

• Must be a standardized, well-documented, and
  securely managed process
• In Oracle10g, use the CREATE USER statement
• Part of the a Data Definition Language (DDL)

5
Creating an Oracle10g User

• IDENTIFIED clause
• Tells Oracle how to authenticate a user account
• BY PASSWORD option encrypts and stores an
  assigned password in the database
• EXTERNALLY option user is authenticated by the
  OS
• GLOBALLY AS option depends on authentication
  through centralized user management method
• Example CREATE USER smith identified by s9
  default tablespace users
• ALTER USER smith IDENTIFIED
  EXTERNALLY -- by OS
• ALTER USER scott ACCOUNT LOCK --
  lock a user account
• ALTER USER scott ACCOUNT UNLOCK
• ALTER USER scott PASSWORD EXPIRE
  -- Force new pwd

6
Creating Users (continued)

• DEFAULT TABLESPACE clause specifies default
  storage for the user
• TEMPORARY TABLESPACE clause
• QUOTA clause tells Oracle 10g how much storage
  space a user is allowed for a specified
  tablespace
• PROFILE clause indicates the profile used for
  limiting database resources and enforcing
  password policies

7
Creating Users (continued)
8
Creating Users (continued)
9
Creating a SQL Server User

• Create a login ID first controls access to SQL
  Server system
• Associate login ID with a database user
• Must be member of fixed server roles (SYSADMIN or
  SECURITYADMIN)
• Two types of login IDs
• Windows Integrated (trusted) login
• SQL Server login

10
Creating Windows Integrated Logins
11
Creating SQL Server Logins
12
Removing Users

• Make a backup first
• Obtain a written request (for auditing purposes)
• Or
• Lock a users account

13
Removing an Oracle User

• DROP command
• CASCADE option when user owns database objects
• Recommendations
• Backup the account for one to three months
• Listing all owned objects
• Lock the account or revoke the CREATE SESSION
  privilege

14
Modifying an Oracle User

• ALTER USER statement
• Oracle Enterprise Manager graphical tool

15
Modifying an Oracle User (continued)
16
Default Users

• Oracle default users
• SYS, owner of the data dictionary
• SYSTEM, performs almost all database tasks
• SQL Server default users
• SA, system administrator

17
Database Links

• Connection from one database to another allow
  DDL and SQL statements
• Public or Private
• Authentication Methods

Example CREATE DATABASE LINK sales.hq.acme.com
CONNECT TO scott IDENTIFIED BY tiger USING
'sales' SELECT FROM emp_at_sales.hq.acme.com
18
Database Links (continued)
19
Linked Servers

• Allow you to connect to almost any
• Object Linking and Embedding Database (OLEDB)
• Open Database Connectivity (ODBC)

20
Linked Servers (continued)
21
Best Practices

• Follow companys policies and procedures
• Always document and create logs
• Educate users
• Keep updated on database and security technology
• Review and modify procedures
• Block direct access to database tables
• Limit and restrict access to the server
• Use strong passwords
• Patches, patches, patches

22
Defining and Using Profiles

• Profile
• Describes limitation of database resources
• Defines database users behavior
• Prevents users from wasting resources
• Not offered by every database system
• Oracle does
• Microsoft SQL Server does not

23
Creating Profiles in Oracle (continued)
24
Creating Profiles in Oracle (continued)

• ALTER PROFILE modifies a limit for a profile
• ALTER USER assigns a profile to a user
• Oracle Enterprise Manager Security Tool view all
  details about users and profiles in a GUI

25
Creating Profiles in Oracle (continued)
26
Creating Profiles in SQL Server 2000

• Profiles are not available in Microsoft SQL
  Server 2000 or 2005
• Query and connection time-outs handled at
  application level within OLEDB

27
Designing and Implementing Password Policies

• Password is the key to open a user account
  strong passwords are harder to break
• User authentication depends on passwords
• Hacker violations begin with breaking a password
• Companies spend on
• Training
• Education

28
What Is a Password Policy?

• Set of guidelines
• Enhances the robustness of a password
• Reduces the likelihood of password breaking
• Deals with
• Complexity
• Change frequency
• Reuse

29
Importance of Password Policies

• First line of defense
• Most companies invest considerable resources to
  strengthen authentication by adopting
  technological measures that protect their assets
• Forces employees to abide by the guidelines set
  by the company and raises employee awareness of
  password protection
• Helps ensure that a company does not fail audits

30
Designing Password Policies

• Complexity set of guidelines for creating
  passwords
• Aging how long a password can be used
• Usage how many times a password can be used
• Storage storing a password in an encrypted manner

31
Implementing Password Policies

• Oracle using profiles
• CREATE PROFILE
• Oracle Enterprise Manager
• PASSWORD_VERIFY_FUNCTION

32
Implementing Password Policies (continued)
33
Grant and Revoke User Privileges
34

• In SQL Server (continued)
• Database privileges
• Fixed database roles
• Statement permissions
• Grant permission using the GRANT statement
• Revoke permission using the REVOKE statement
• Enterprise Manager
• Deny permission using the DENY statement

35
Grant and Revoke User Privileges (continued)
36
Security Models

• Access Matrix Model
• Represents two main entities objects and
  subjects
• Columns represent objects
• Rows represent subjects
• Objects tables, views, procedures, db objects
• Subjects users, roles, privileges, modules
• Authorization cell

37
Main vulnerabilities

• People Having too many privileges
• Default Users and Passwords
• Known vulnerabilities that are not patched
• Too many open ports by default
• Solution
• Must be trained to put yourself in the place of
  the hacker Pete Finnigan

38
Who has DBA ROLES ?
39
(No Transcript)
40
Default Passwords

• Easiest way to log into an Oracle database is to
  use a default account with a known password
  Finnigan
• http//www.petefinnigan.com/default/default_passwo
  rd_checker.htm
• This site has scripts that will identify all
  default users and lets you know if they still
  have their default passwords. You may download
  these scripts.

41
Password Cracking

• At http//www.toolcrypt.org/index.html there are
  tools that you can download to crack the
  passwords. You need to verify this against the
  DB, because you can be sure that the hacker has
  these tools.

42
Find all Privileges

• http//www.petefinnigan.com/find_all_privs.sql
• Script to find which privileges have been granted
  to a particular user. This scripts lists ROLES,
  SYSTEM privileges and object privileges granted
  to a user. If a ROLE is found -- then it is
  checked recursively.
• Output can be directed to the screen or to a
  file.

43
Benchmark your DB

• http//www.cisecurity.org/bench_oracle.html
• Set of tools that will tell you how secure your
  Oracle DB is compared to other Oracle DB and
  allows you to fix vulnerabilities.

44
Encrypted Passwords

• http//www.cqure.net
• allows you to extract encrypted passwords
  (hashes) from a Windows system and use the
  hashes, without knowing the password, in order to
  authenticate to other Windows systems with users
  having the same passwords.

45
Listener Password

• http//www.integrity.com/downloads.lsnrcheck.exe
• In Oracle, by default you dont need a password
  to activate to run lsnrctl.exe. Verify that there
  is a password to activate listener, otherwise
  create one using Oracle Net manager.
• Otherwise, somebody can hijack listener and
  avoid future connections by
• 1) Installing oracle on their local machine
• 2) Update the listener.ora file on local
  machine to include access to remote server
• 3) From OS prompt lsnrctl stop

46
Linux Vulnerabilities

• http//www.remote-exploit.org/backtrack.html
• Tools to verify Linux vulnerabilities

47
More Oracle tools

• www.databasesecurity.com/dbsec/OAK.zip
• Checks for SID, Database users, etc.

48
Security Models (continued)
49
Application Security Models

• Models
• Database role based
• Application role based
• Application function based
• Application role and function based
• Application table based

50
DB Security Models

• Plan, Policy, Procedure, Model
• Model scheme to implement Plan, Policy,
  Procedure
• MAC versus DAC (two extremes)
• Many different Models
• Bell LaPadula Model (MAC, focus on
  confidentiality)
• Harrison-Ruzzo-Ullman Access Matrix Model
• Sea View Model (Relational Imp. Of LaPadula)
• Jajodia Sandhu Model (adaptation of Sea View)
• Biba Model (focus on Integrity)
• MLS, Polyinstantiation

51
Document User Administration

• Part of the administration process
• Reasons to document
• Provide a paper trail
• Ensure administration consistency
• What to document
• Administration policies, staff and management
• Security procedures
• Procedure implementation scripts or programs
• Predefined roles description

52
http//www.oreilly.com/catalog/orasec/chapter/ch07
.html