Presentation is loading. Please wait.

Presentation is loading. Please wait.

Profiles, Password Policies, Privileges, and Roles

Published byMarshall Wilkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Profiles, Password Policies, Privileges, and Roles"— Presentation transcript:

1 Profiles, Password Policies, Privileges, and Roles

2 Objectives Define and use a profile
Design and implement password policies Implement password policies in Oracle

3 Objectives (continued)
Grant and revoke user privileges Create, assign, and revoke user roles List best practices for securing a network environment

4 Defining and Using Profiles
Describes limitation of database resources Defines database users behavior Prevents users from wasting resources Memory CPU Not offered by every database system: Oracle does Microsoft SQL Server 2000 does not

5 Creating Profiles in Oracle
Define two elements of security: Restriction on resources Implementation of password policies CREATE PROFILE statement To view all created profiles, query the data dictionary view DBA_PROFILES

6 Creating Profiles in Oracle
CREATE PROFILE profile_name LIMIT SESSIONS_PER_USER number CPU_PER_SESSION hundredth_of_seconds CPU_PER_CALL hundredth_of_seconds CONNECT_TIME minutes IDLE_TIME minutes LOGICAL_READS_PER_SESSION db_blocks LOGICAL_READS_PER_CALL db_blocks COMPOSITE_LIMIT number PRIVATE_SGA bytes FAILED_LOGIN_ATTEMPTS number PASSWORD_LIFE_TIME days PASSWORD_REUSE_TIME number PASSWORD_REUSE_MAX number PASSWORD_LOCK_TIME days PASSWORD_GRACE_TIME days PASSWORD_VERIFY_FUNCTION function_name /

7 SESSIONS_PER_USER—Is the maximum number of allowed concurrent open sessions per user
CPU_PER_SESSION—Is the maximum number in hundredths of seconds of CPU time allowed per session (for the duration of the session) CPU_PER_CALL—Is the maximum number in hundredth of seconds of CPU time allowed per call (for the duaration of statement call) CONNECT_TIME—Is the maximum amount of time a user connection is allowed; the value of this parameter is expressed in minutes. IDLE_TIME—Is the maximum amount of idle time in minutes before a user con- nection is disconnected LOGICAL_READS_PER_SESSION—Is the maximum number of database blocks allowed to be read from memory or disk for a session. PRIVATE_SGA—Is the maximum number of bytes allowed to be allocated for the user; this is available only in shared server mode. COMPOSITE_LIMIT—Is a weighted sum of all resource limits expressed in

8 Creating Profiles in Oracle
CREATE PROFILE CH04_PROF LIMIT SESSIONS_PER_USER default CPU_PER_SESSION default CPU_PER_CALL CONNECT_TIME IDLE_TIME LOGICAL_READS_PER_SESSION default LOGICAL_READS_PER_CALL default COMPOSITE_LIMIT default PRIVATE_SGA default /

9 SQL> SELECT * 2 FROM DBA_PROFILES 3 WHERE PROFILE = 'CH04_PROF' 4 / PROFILE RESOURCE_NAME RESOURCE LIMIT CH04_PROF COMPOSITE_LIMIT KERNEL DEFAULT CH04_PROF SESSIONS_PER_USER KERNEL DEFAULT CH04_PROF CPU_PER_SESSION KERNEL DEFAULT CH04_PROF CPU_PER_CALL KERNEL CH04_PROF LOGICAL_READS_PER_SESSION KERNEL DEFAULT CH04_PROF LOGICAL_READS_PER_CALL KERNEL DEFAULT CH04_PROF IDLE_TIME KERNEL 15 CH04_PROF CONNECT_TIME KERNEL 120 CH04_PROF PRIVATE_SGA KERNEL DEFAULT CH04_PROF FAILED_LOGIN_ATTEMPTS PASSWORD DEFAULT CH04_PROF PASSWORD_LIFE_TIME PASSWORD DEFAULT CH04_PROF PASSWORD_REUSE_TIME PASSWORD DEFAULT CH04_PROF PASSWORD_REUSE_MAX PASSWORD DEFAULT CH04_PROF PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT CH04_PROF PASSWORD_LOCK_TIME PASSWORD DEFAULT CH04_PROF PASSWORD_GRACE_TIME PASSWORD DEFAULT

10 Creating Profiles in Oracle (continued)

11 Creating Profiles in Oracle (continued)
ALTER PROFILE: modifies a limit for a profile ALTER USER: assigns a profile to a user alter profile ch04_prof limit idle_time 30 alter user a profile ch04_prof

12 Designing and Implementing Password Policies
Password is the key to open a user account; strong passwords are harder to break User authentication depends on passwords Hacker violations begin with breaking a password Companies spend on: Training Education

13 What Is a Password Policy?
A Password Policy is a Set of guidelines that: Enhances the robustness of a password and Reduces the likelihood of password breaking Deals with: Complexity Change frequency Reuse

14 Importance of Password Policies
First line of defense Most companies invest considerable resources to strengthen authentication by adopting technological measures that protect their assets Forces employees to abide by the guidelines set by the company and raises employee awareness of password protection

15 Designing Password Policies
Complexity: set of guidelines for creating passwords Aging: how long a password can be used Usage: how many times a password can be used Storage: storing a password in an encrypted manner

16 Implementing Password Policies
Oracle; using profiles: CREATE PROFILE PASSWORD_VERIFY_FUNCTION

17 CREATE PROFILE PASSWORD_POLICY
LIMIT { { FAILED_LOGIN_ATTEMPTS | PASSWORD_LIFE_TIME | PASSWORD_REUSE_TIME | PASSWORD_REUSE_MAX | PASSWORD_LOCK_TIME | PASSWORD_GRACE_TIME } { expr | UNLIMITED | DEFAULT } | PASSWORD_VERIFY_FUNCTION { function | NULL | DEFAULT }

18 FAILED_LOGIN_ATTEMPTS—Is the number of failed login tries allowed before
the account is locked PASSWORD_LIFE_TIME—Is the number of days the password is valid before it is aged out PASSWORD_REUSE_TIME—Is the number of days before a password can be reused; this parameter works with PASSWORD_REUSE_MAX parameter. PASSWORD_REUSE_MAX—Is the number of times a password can be reused PASSWORD_LOCK_TIME—Is the number of days an account is locked due to failed login attempts PASSWORD_GRACE_TIME—Is the number of days ahead of expiration the user is warned that the password expires PASSWORD_VERIFY_FUNCTION—Is an indication to Oracle to use a custom- made function to validate password complexity

19 SQL> CREATE PROFILE ACME_PASSWORD_PROFILE
2 LIMIT 3 FAILED_LOGIN_ATTEMPTS 1 4 PASSWORD_LIFE_TIME 15 5 PASSWORD_REUSE_TIME DEFAULT 6 PASSWORD_REUSE_MAX 1 7 / A user password cannot be reused. A password must expire every 15 days. Only one login attempt is allowed.

20 Granting and Revoking User Privileges
Permit or deny access to data or to perform database operations In Oracle: System privileges: Granted only by a database administrator Granted by a user with administration privileges Object privileges: Granted to a user by the schema owner

21 Granting and Revoking User Privileges (continued)
In Oracle (continued): Grant a privilege using the DCL GRANT statement Revoke a privilege using the DCL REVOKE statement: ADMIN option (system) GRANT option (object)

22 select name from system_privilege_map
Examples of system priviledges Alter Any Table Backup Any Table Comment Any Table Create Any Table Create Table Delete Any Table Drop Any Table Flashback Any Table Insert Any Table Lock Any Table Select Any Table Update Any Table Transaction Force Any Transaction Force Transaction

23 Some important system privileges are:
create session create table create view create procedure more

24 Object privileges Tables select, insert, update, delete, alter, debug, flashback, on commit refresh, query rewrite, references, etc

25 Granting and Revoking User Privileges (continued)

26 Granting and Revoking User Privileges (continued)

27 Creating, Assigning, and Revoking User Roles
Used to organize and administer privileges It is like a user, except it cannot own object Can be assigned privileges Can be assigned to users

28 Creating, Assigning, and Revoking User Roles (continued)
In Oracle: Create a role using CREATE ROLE statement Assign a role using GRANT statement Oracle Enterprise Manager Roles tool Revoke a role using REVOKE statement Drop a role using DROP statement

29 Best Practices Develop a secure environment:
Never store passwords for an application in plaintext Change passwords frequently Use passwords at least eight characters long Pick a password that you can remember Use roles to control and administer privileges Report compromise or loss of a password Report any violation of company guidelines

30 Best Practices (continued)
Develop a secure environment (continued): Never give your password to anyone Never share your password with anyone Never give your password over the phone. Never type your password in an Make sure your password is complex enough Use Windows integrated security mode In Windows 2000/3 domain use domain users and take advantage of Kerberos

31 Best Practices (continued)
When configuring policies: Require complex passwords with special characters in the first seven bytes Require a password length of at least eight Set an account lockout threshold Do not allow passwords to automatically reset Expire end-user passwords Do not expire application-user passwords Enforce a password history

32 Summary Profiles define database users behavior In Oracle:
DBA_PROFILE view ALTER USER SQL Server does not support profiles Password policy: Enhances password robustness Reduces likelihood of password breaking

33 Summary (continued) In Oracle: System privileges Object privileges

34 Summary (continued) GRANT and REVOKE Role is used to:
Organize and administer privileges in an easy manner Role is like a user but cannot own objects Role can be assigned privileges Best practices for developing a secure environment

Download ppt "Profiles, Password Policies, Privileges, and Roles"

Similar presentations

Oracle 10g Database Administrator: Implementation and Administration

Oracle 10g Database Administrator: Implementation and Administration
Understand Database Security Concepts

Understand Database Security Concepts
Fundamentals, Design, and Implementation, 9/e Chapter 11 Managing Databases with SQL Server 2000.

Fundamentals, Design, and Implementation, 9/e Chapter 11 Managing Databases with SQL Server 2000.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.

Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.

About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.
Securing the Oracle Database

Securing the Oracle Database
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Administering User Security

Administering User Security
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
11 Copyright © 2004, Oracle. All rights reserved. Oracle Database Security.

11 Copyright © 2004, Oracle. All rights reserved. Oracle Database Security.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.

By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
Guide to Operating System Security Chapter 4 Account-based Security.

Guide to Operating System Security Chapter 4 Account-based Security.
Managing User Accounts, Passwords and Logon Chapter 5 powered by dj.

Managing User Accounts, Passwords and Logon Chapter 5 powered by dj.
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Similar presentations

Ads by Google