Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Published byRandolph Booker Modified over 8 years ago

Similar presentations

Presentation on theme: "Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles."— Presentation transcript:

1 Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles

2 Database Security & Auditing: Protecting Data Integrity & Accessibility2 Objectives Define and use a profile Design and implement password policies Implement password policies in Oracle and SQL Server

3 Database Security & Auditing: Protecting Data Integrity & Accessibility3 Objectives (continued) Grant and revoke user privileges Create, assign, and revoke user roles List best practices for securing a network environment

4 Database Security & Auditing: Protecting Data Integrity & Accessibility4 Defining and Using Profiles Profile: –Describes limitation of database resources –Defines database users behavior –Prevents users from wasting resources Not offered by every database system: –Oracle does –Microsoft SQL Server 2000 does not

5 Database Security & Auditing: Protecting Data Integrity & Accessibility5 Creating Profiles in Oracle Define two elements of security: –Restriction on resources –Implementation of password policies CREATE PROFILE statement To view all created profiles, query the data dictionary view DBA_PROFILES Resource Manager tool: creates different CPU usage policies

6 Database Security & Auditing: Protecting Data Integrity & Accessibility6 Creating Profiles in Oracle (continued)

7 Database Security & Auditing: Protecting Data Integrity & Accessibility7 Creating Profiles in Oracle (continued) ALTER PROFILE: modifies a limit for a profile ALTER USER: assigns a profile to a user Oracle Enterprise Manager Security Tool: view all details about users and profiles in a GUI

8 Database Security & Auditing: Protecting Data Integrity & Accessibility8 Creating Profiles in Oracle (continued)

9 Database Security & Auditing: Protecting Data Integrity & Accessibility9 Creating Profiles in SQL Server 2000 Profiles are not available in Microsoft SQL Server 2000 or 2005 Query and connection time-outs: handled at application level within OLEDB

10 Database Security & Auditing: Protecting Data Integrity & Accessibility10 Designing and Implementing Password Policies Password is the key to open a user account; strong passwords are harder to break User authentication depends on passwords Hacker violations begin with breaking a password Companies spend on: –Training –Education

11 Database Security & Auditing: Protecting Data Integrity & Accessibility11 What Is a Password Policy? Set of guidelines: –Enhances the robustness of a password –Reduces the likelihood of password breaking Deals with: –Complexity –Change frequency –Reuse

12 Database Security & Auditing: Protecting Data Integrity & Accessibility12 Importance of Password Policies First line of defense Most companies invest considerable resources to strengthen authentication by adopting technological measures that protect their assets Forces employees to abide by the guidelines set by the company and raises employee awareness of password protection Helps ensure that a company does not fail audits

13 Database Security & Auditing: Protecting Data Integrity & Accessibility13 Designing Password Policies Complexity: set of guidelines for creating passwords Aging: how long a password can be used Usage: how many times a password can be used Storage: storing a password in an encrypted manner

14 Database Security & Auditing: Protecting Data Integrity & Accessibility14 Implementing Password Policies Oracle; using profiles: –CREATE PROFILE –Oracle Enterprise Manager –PASSWORD_VERIFY_FUNCTION

15 Database Security & Auditing: Protecting Data Integrity & Accessibility15 Implementing Password Policies (continued)

16 Database Security & Auditing: Protecting Data Integrity & Accessibility16 Implementing Password Policies (continued) Microsoft SQL Server 2000: –Integrated server system –Windows authentication mode NTLM: –Challenge/response methodology –Challenge is eight bytes of random data –Response is a 24-byte DES-encrypted hash

17 Database Security & Auditing: Protecting Data Integrity & Accessibility17 Implementing Password Policies (continued)

18 Database Security & Auditing: Protecting Data Integrity & Accessibility18 Implementing Password Policies (continued) Kerberos: –A key known by client and server encrypts handshake data –Requires a Key Distribution Center (KDC) –Tickets –Time must be synchronized networkwide

19 Database Security & Auditing: Protecting Data Integrity & Accessibility19 Implementing Password Policies (continued)

20 Database Security & Auditing: Protecting Data Integrity & Accessibility20 Implementing Password Policies (continued)

21 Database Security & Auditing: Protecting Data Integrity & Accessibility21 Granting and Revoking User Privileges Permit or deny access to data or to perform database operations In Oracle: –System privileges: Granted only by a database administrator Granted by a user with administration privileges –Object privileges: Granted to a user by the schema owner Granted by a user with GRANT privileges

22 Database Security & Auditing: Protecting Data Integrity & Accessibility22 Granting and Revoking User Privileges (continued) In Oracle (continued): –Grant a privilege using the DCL GRANT statement –Revoke a privilege using the DCL REVOKE statement: ADMIN option GRANT option –Oracle Enterprise Manager Security

23 Database Security & Auditing: Protecting Data Integrity & Accessibility23 Granting and Revoking User Privileges (continued)

24 Database Security & Auditing: Protecting Data Integrity & Accessibility24 Granting and Revoking User Privileges (continued)

25 Database Security & Auditing: Protecting Data Integrity & Accessibility25 Granting and Revoking User Privileges (continued)

26 Database Security & Auditing: Protecting Data Integrity & Accessibility26 Granting and Revoking User Privileges (continued) In SQL Server (4 levels); system/server privileges: –Sysadmin –Serveradmin –Setupadmin –Securityadmin –Processadmin –Dbcreator –Diskadmin –Bulkadmin

27 Database Security & Auditing: Protecting Data Integrity & Accessibility27 Granting and Revoking User Privileges (continued) In SQL Server (continued): –Database privileges: Fixed database roles Statement permissions –Grant permission using the GRANT statement –Revoke permission using the REVOKE statement –Enterprise Manager –Deny permission using the DENY statement

28 Database Security & Auditing: Protecting Data Integrity & Accessibility28 Granting and Revoking User Privileges (continued)

29 Database Security & Auditing: Protecting Data Integrity & Accessibility29 Granting and Revoking User Privileges (continued)

30 Database Security & Auditing: Protecting Data Integrity & Accessibility30 Granting and Revoking User Privileges (continued)

31 Database Security & Auditing: Protecting Data Integrity & Accessibility31 Granting and Revoking User Privileges (continued) In SQL Server: –Table and database objects privileges: GRANT, REVOKE, and DENY EXECUTE permission Enterprise Manager (3 methods) –Column privileges: GRANT, REVOKE, and DENY Enterprise Manager (2 methods)

32 Database Security & Auditing: Protecting Data Integrity & Accessibility32 Creating, Assigning, and Revoking User Roles Role: –Used to organize and administer privileges –It is like a user, except it cannot own object –Can be assigned privileges –Can be assigned to users

33 Database Security & Auditing: Protecting Data Integrity & Accessibility33 Creating, Assigning, and Revoking User Roles (continued) In Oracle: –Create a role using CREATE ROLE statement –Assign a role using GRANT statement –Oracle Enterprise Manager Roles tool –Revoke a role using REVOKE statement –Drop a role using DROP statement

34 Database Security & Auditing: Protecting Data Integrity & Accessibility34 Creating, Assigning, and Revoking User Roles (continued) In SQL Server; user-defined roles: –Standard and application –Create roles using SP_ADDROLE system- stored procedure –Add members to a role using SP_ADDROLEMEMBER stored procedure –Drop members from a role using SP_DROPROLEMEMBER stored procedure

35 Database Security & Auditing: Protecting Data Integrity & Accessibility35 Creating, Assigning, and Revoking User Roles (continued) In SQL Server (continued): –User-defined roles (continued): Drop roles using SP_DROPROLE stored procedure Use Enterprise Manager –Fixed server roles: Cannot be modified or created Add member to a role using SP_ADDSRVROLEMEMBER stored procedure

36 Database Security & Auditing: Protecting Data Integrity & Accessibility36 Creating, Assigning, and Revoking User Roles (continued)

37 Database Security & Auditing: Protecting Data Integrity & Accessibility37 Creating, Assigning, and Revoking User Roles (continued) In SQL Server (continued): –Fixed server roles (continued): Drop members from a role using SP_DROPSRVROLEMEMBER stored procedure Use Enterprise Manager –Fixed database roles: Cannot be modified Give access to database administrative tasks Add members to a role using SP_ADDROLEMEMBER stored procedure

38 Database Security & Auditing: Protecting Data Integrity & Accessibility38 Creating, Assigning, and Revoking User Roles (continued)

39 Database Security & Auditing: Protecting Data Integrity & Accessibility39 Creating, Assigning, and Revoking User Roles (continued) In SQL Server (continued): –Fixed database roles (continued): Drop members from a role using SP_DROPROLEMEMBER stored procedure Use Enterprise Manager –Public database role: Cannot be dropped Users automatically belong to this role Users cannot be dropped

40 Database Security & Auditing: Protecting Data Integrity & Accessibility40 Best Practices Develop a secure environment: –Never store passwords for an application in plaintext –Change passwords frequently –Use passwords at least eight characters long –Pick a password that you can remember –Use roles to control and administer privileges –Report compromise or loss of a password –Report any violation of company guidelines

41 Database Security & Auditing: Protecting Data Integrity & Accessibility41 Best Practices (continued) Develop a secure environment (continued): –Never give your password to anyone –Never share your password with anyone –Never give your password over the phone. –Never type your password in an e-mail –Make sure your password is complex enough –Use Windows integrated security mode –In Windows 2000/3 domain use domain users and take advantage of Kerberos

42 Database Security & Auditing: Protecting Data Integrity & Accessibility42 Best Practices (continued) When configuring policies: –Require complex passwords with special characters in the first seven bytes –Require a password length of at least eight –Set an account lockout threshold –Do not allow passwords to automatically reset –Expire end-user passwords –Do not expire application-user passwords –Enforce a password history

43 Database Security & Auditing: Protecting Data Integrity & Accessibility43 Summary Profiles define database users behavior In Oracle: –DBA_PROFILE view –ALTER USER SQL Server does not support profiles Password policy: –Enhances password robustness –Reduces likelihood of password breaking

44 Database Security & Auditing: Protecting Data Integrity & Accessibility44 Summary (continued) In SQL Server: –NTLM –Kerberos In Oracle: –System privileges –Object privileges In SQL Server: –System or server, database, table and column privileges

45 Database Security & Auditing: Protecting Data Integrity & Accessibility45 Summary (continued) GRANT and REVOKE Role is used to: –Organize and administer privileges in an easy manner –Role is like a user but cannot own objects –Role can be assigned privileges –GRANT and REVOKE Best practices for developing a secure environment

Download ppt "Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles."

Similar presentations

Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Administering User Security

Administering User Security
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Module 2: Managing User and Computer Accounts

Module 2: Managing User and Computer Accounts
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
September 18, 2002 Introduction to Windows 2000 Server Components Ryan Larson David Greer.

September 18, 2002 Introduction to Windows 2000 Server Components Ryan Larson David Greer.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.

By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
Managing User Accounts, Passwords and Logon Chapter 5 powered by dj.

Managing User Accounts, Passwords and Logon Chapter 5 powered by dj.
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Similar presentations

Ads by Google