Profiles, Password Policies, Privileges, and Roles

Objectives Define and use a profile Design and implement password policies Implement password policies in Oracle

Objectives (continued) Grant and revoke user privileges Create, assign, and revoke user roles List best practices for securing a network environment

Defining and Using Profiles Describes limitation of database resources Defines database users behavior Prevents users from wasting resources Memory CPU Not offered by every database system: Oracle does Microsoft SQL Server 2000 does not

Creating Profiles in Oracle Define two elements of security: Restriction on resources Implementation of password policies CREATE PROFILE statement To view all created profiles, query the data dictionary view DBA_PROFILES

Creating Profiles in Oracle CREATE PROFILE profile_name LIMIT SESSIONS_PER_USER number CPU_PER_SESSION hundredth_of_seconds CPU_PER_CALL hundredth_of_seconds CONNECT_TIME minutes IDLE_TIME minutes LOGICAL_READS_PER_SESSION db_blocks LOGICAL_READS_PER_CALL db_blocks COMPOSITE_LIMIT number PRIVATE_SGA bytes FAILED_LOGIN_ATTEMPTS number PASSWORD_LIFE_TIME days PASSWORD_REUSE_TIME number PASSWORD_REUSE_MAX number PASSWORD_LOCK_TIME days PASSWORD_GRACE_TIME days PASSWORD_VERIFY_FUNCTION function_name /

SESSIONS_PER_USER—Is the maximum number of allowed concurrent open sessions per user CPU_PER_SESSION—Is the maximum number in hundredths of seconds of CPU time allowed per session (for the duration of the session) CPU_PER_CALL—Is the maximum number in hundredth of seconds of CPU time allowed per call (for the duaration of statement call) CONNECT_TIME—Is the maximum amount of time a user connection is allowed; the value of this parameter is expressed in minutes. IDLE_TIME—Is the maximum amount of idle time in minutes before a user con- nection is disconnected LOGICAL_READS_PER_SESSION—Is the maximum number of database blocks allowed to be read from memory or disk for a session. PRIVATE_SGA—Is the maximum number of bytes allowed to be allocated for the user; this is available only in shared server mode. COMPOSITE_LIMIT—Is a weighted sum of all resource limits expressed in

Creating Profiles in Oracle CREATE PROFILE CH04_PROF LIMIT SESSIONS_PER_USER default CPU_PER_SESSION default CPU_PER_CALL 1000 CONNECT_TIME 120 IDLE_TIME 15 LOGICAL_READS_PER_SESSION default LOGICAL_READS_PER_CALL default COMPOSITE_LIMIT default PRIVATE_SGA default /

SQL> SELECT * 2 FROM DBA_PROFILES 3 WHERE PROFILE = 'CH04_PROF' 4 / PROFILE RESOURCE_NAME RESOURCE LIMIT --------- ------------------------- -------- ----- CH04_PROF COMPOSITE_LIMIT KERNEL DEFAULT CH04_PROF SESSIONS_PER_USER KERNEL DEFAULT CH04_PROF CPU_PER_SESSION KERNEL DEFAULT CH04_PROF CPU_PER_CALL KERNEL 1000 CH04_PROF LOGICAL_READS_PER_SESSION KERNEL DEFAULT CH04_PROF LOGICAL_READS_PER_CALL KERNEL DEFAULT CH04_PROF IDLE_TIME KERNEL 15 CH04_PROF CONNECT_TIME KERNEL 120 CH04_PROF PRIVATE_SGA KERNEL DEFAULT CH04_PROF FAILED_LOGIN_ATTEMPTS PASSWORD DEFAULT CH04_PROF PASSWORD_LIFE_TIME PASSWORD DEFAULT CH04_PROF PASSWORD_REUSE_TIME PASSWORD DEFAULT CH04_PROF PASSWORD_REUSE_MAX PASSWORD DEFAULT CH04_PROF PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT CH04_PROF PASSWORD_LOCK_TIME PASSWORD DEFAULT CH04_PROF PASSWORD_GRACE_TIME PASSWORD DEFAULT

Creating Profiles in Oracle (continued)

Creating Profiles in Oracle (continued) ALTER PROFILE: modifies a limit for a profile ALTER USER: assigns a profile to a user alter profile ch04_prof limit idle_time 30 alter user a profile ch04_prof

Designing and Implementing Password Policies Password is the key to open a user account; strong passwords are harder to break User authentication depends on passwords Hacker violations begin with breaking a password Companies spend on: Training Education

What Is a Password Policy? A Password Policy is a Set of guidelines that: Enhances the robustness of a password and Reduces the likelihood of password breaking Deals with: Complexity Change frequency Reuse

Importance of Password Policies First line of defense Most companies invest considerable resources to strengthen authentication by adopting technological measures that protect their assets Forces employees to abide by the guidelines set by the company and raises employee awareness of password protection

Designing Password Policies Complexity: set of guidelines for creating passwords Aging: how long a password can be used Usage: how many times a password can be used Storage: storing a password in an encrypted manner

Implementing Password Policies Oracle; using profiles: CREATE PROFILE PASSWORD_VERIFY_FUNCTION

CREATE PROFILE PASSWORD_POLICY LIMIT { { FAILED_LOGIN_ATTEMPTS | PASSWORD_LIFE_TIME | PASSWORD_REUSE_TIME | PASSWORD_REUSE_MAX | PASSWORD_LOCK_TIME | PASSWORD_GRACE_TIME } { expr | UNLIMITED | DEFAULT } | PASSWORD_VERIFY_FUNCTION { function | NULL | DEFAULT }

FAILED_LOGIN_ATTEMPTS—Is the number of failed login tries allowed before the account is locked PASSWORD_LIFE_TIME—Is the number of days the password is valid before it is aged out PASSWORD_REUSE_TIME—Is the number of days before a password can be reused; this parameter works with PASSWORD_REUSE_MAX parameter. PASSWORD_REUSE_MAX—Is the number of times a password can be reused PASSWORD_LOCK_TIME—Is the number of days an account is locked due to failed login attempts PASSWORD_GRACE_TIME—Is the number of days ahead of expiration the user is warned that the password expires PASSWORD_VERIFY_FUNCTION—Is an indication to Oracle to use a custom- made function to validate password complexity

SQL> CREATE PROFILE ACME_PASSWORD_PROFILE 2 LIMIT 3 FAILED_LOGIN_ATTEMPTS 1 4 PASSWORD_LIFE_TIME 15 5 PASSWORD_REUSE_TIME DEFAULT 6 PASSWORD_REUSE_MAX 1 7 / A user password cannot be reused. A password must expire every 15 days. Only one login attempt is allowed.

Granting and Revoking User Privileges Permit or deny access to data or to perform database operations In Oracle: System privileges: Granted only by a database administrator Granted by a user with administration privileges Object privileges: Granted to a user by the schema owner

Granting and Revoking User Privileges (continued) In Oracle (continued): Grant a privilege using the DCL GRANT statement Revoke a privilege using the DCL REVOKE statement: ADMIN option (system) GRANT option (object)

select name from system_privilege_map Examples of system priviledges Alter Any Table Backup Any Table Comment Any Table Create Any Table Create Table Delete Any Table Drop Any Table Flashback Any Table Insert Any Table Lock Any Table Select Any Table Update Any Table Transaction Force Any Transaction Force Transaction

Some important system privileges are: create session create table create view create procedure more

Object privileges Tables select, insert, update, delete, alter, debug, flashback, on commit refresh, query rewrite, references, etc

Granting and Revoking User Privileges (continued)

Granting and Revoking User Privileges (continued)

Creating, Assigning, and Revoking User Roles Used to organize and administer privileges It is like a user, except it cannot own object Can be assigned privileges Can be assigned to users

Creating, Assigning, and Revoking User Roles (continued) In Oracle: Create a role using CREATE ROLE statement Assign a role using GRANT statement Oracle Enterprise Manager Roles tool Revoke a role using REVOKE statement Drop a role using DROP statement

Best Practices Develop a secure environment: Never store passwords for an application in plaintext Change passwords frequently Use passwords at least eight characters long Pick a password that you can remember Use roles to control and administer privileges Report compromise or loss of a password Report any violation of company guidelines

Best Practices (continued) Develop a secure environment (continued): Never give your password to anyone Never share your password with anyone Never give your password over the phone. Never type your password in an e-mail Make sure your password is complex enough Use Windows integrated security mode In Windows 2000/3 domain use domain users and take advantage of Kerberos

Best Practices (continued) When configuring policies: Require complex passwords with special characters in the first seven bytes Require a password length of at least eight Set an account lockout threshold Do not allow passwords to automatically reset Expire end-user passwords Do not expire application-user passwords Enforce a password history

Summary Profiles define database users behavior In Oracle: DBA_PROFILE view ALTER USER SQL Server does not support profiles Password policy: Enhances password robustness Reduces likelihood of password breaking

Summary (continued) In Oracle: System privileges Object privileges

Summary (continued) GRANT and REVOKE Role is used to: Organize and administer privileges in an easy manner Role is like a user but cannot own objects Role can be assigned privileges Best practices for developing a secure environment