Oracle EBS R12 - Security: Best Practices for Securing Oracle EBS R12

Upload: hannah-boone

Post on 24-Dec-2015

Page 1: Oracle EBS R12 - Security

Best Practices for Securing Oracle EBS R12

Page 2: Agenda

Overview
Oracle TNS Listener Security
Oracle Database Security
Oracle Application Tier Security
E-Business Suite Security
Desktop Security
Operating Environment Security
Q&A

Page 3: Overview

In today’s environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security and value of the information protected.

Each organization determines its own correct balance. To that end, this presentation describes security measures that will be put in place for securing Oracle E-Business Suite R12.

Page 4: Overview - Continued

Page 5: Oracle TNS Listener Security

Enable "Validate Node Checking"
  tcp.validnode_checking = YES
  tcp.invited_nodes = ( X.X.X.X, hostname, ... )
  tcp.excluded_nodes = ( hostname, X.X.X.X, ... )

Specify Connection Timeout
  CONNECT_TIMEOUT_$ORACLE_SID = 10

Enable TNS Listener Password
  $ lsnrctl
  LSNRCTL> set current_listener $ORACLE_SID
  LSNRCTL> change_password
  LSNRCTL> set password
  LSNRCTL> save_config
  $ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
  LSNRCTL> set current_listener $ORACLE_SID
  LSNRCTL> set password
  LSNRCTL> reload

Enable Admin Restrictions
  ADMIN_RESTRICTIONS_$ORACLE_SID = ON

Enable TNS Listener Logging
  LOG_STATUS = ON
  LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
  LOG_FILE_$ORACLE_SID = $ORACLE_SID

Page 6: Oracle Database Security

Disable XDB
  dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'

Remove OS trusted login
  REMOTE_OS_AUTHENT = FALSE

Implement two or more profiles for password management (time values are in days; PASSWORD_REUSE_MAX is a number of password changes):

Password Parameter          Application Profile   Administrator Profile
FAILED_LOGIN_ATTEMPTS       Unlimited             5
PASSWORD_LIFE_TIME          Unlimited             90
PASSWORD_REUSE_TIME         180                   180
PASSWORD_REUSE_MAX          Unlimited             Unlimited
PASSWORD_LOCK_TIME          Unlimited             7
PASSWORD_GRACE_TIME         Unlimited             14
PASSWORD_VERIFY_FUNCTION    Recommended           Recommended

Page 7: Oracle Database Security - Continued

Change default installation passwords for:
  Default database administration schemas
  Schemas belonging to optional database features neither used nor patched by E-Business Suite
  Schemas belonging to optional database features used but not patched by E-Business Suite
  Schemas belonging to optional database features used and patched by E-Business Suite
  Schemas common to all E-Business Suite products
  Schemas associated with specific E-Business Suite products

Restrict Access to SQL trace files
  _TRACE_FILES_PUBLIC = FALSE

Remove OS trusted roles
  REMOTE_OS_ROLES = FALSE

Limit file system access within PL/SQL
  Avoid: UTL_FILE_DIR = *

Limit dictionary access
  O7_DICTIONARY_ACCESSIBILITY = FALSE

Configure DB for Auditing
  AUDIT_TRAIL = OS
  AUDIT_FILE_DEST = /u01/logs/db/audit

Audit DB Connections
  SQL> audit session;

Audit DB schema changes
  SQL> audit user;
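The listener settings on Page 5 and the instance parameters on Pages 6 and 7 can be checked mechanically rather than by eye. The following Python script is an added example, not part of the TUSC deck or of Oracle's tooling: it parses single-line KEY = VALUE entries from sqlnet.ora/listener.ora and init.ora text and reports which of the deck's recommendations are not met. The listener name DBLSNR comes from the slide; the file contents, the node addresses and the PRODXDB service name in them are constructed for the demonstration.

```python
"""Audit Oracle parameter files against the hardening settings on the TNS
listener and database security slides.  Added example: the file contents
below are constructed and the listener name DBLSNR is taken from the slide."""
import re

# Constructed listener.ora / sqlnet.ora fragment with the checks mostly unset.
WEAK_NET = """
tcp.validnode_checking = NO
ADMIN_RESTRICTIONS_DBLSNR = OFF
LOG_FILE_DBLSNR = DBLSNR
"""

# The same fragment after applying the slide's settings (constructed nodes).
HARDENED_NET = """
tcp.validnode_checking = YES
tcp.invited_nodes = (10.0.0.5, appsnode1)   # constructed trusted nodes
CONNECT_TIMEOUT_DBLSNR = 10
ADMIN_RESTRICTIONS_DBLSNR = ON
LOG_FILE_DBLSNR = DBLSNR
"""

# Constructed init.ora with several weak settings left in place.
WEAK_INIT = """
remote_os_authent = TRUE
remote_os_roles = FALSE
o7_dictionary_accessibility = TRUE
utl_file_dir = *
audit_trail = NONE
dispatchers = '(PROTOCOL=TCP) (SERVICE=PRODXDB)'
"""


def parse_params(text):
    """Parse single-line 'KEY = VALUE' entries into a dict keyed by upper-case
    name.  Quotes around the value and '#' comments are removed; multi-line
    parenthesised values (as tcp.invited_nodes can be) are not handled."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().strip("'\"")
    return params


def audit_network(params, listener):
    """Findings for the listener checks: node validation, connect timeout,
    administrative restrictions and logging."""
    findings = []
    if params.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        findings.append("tcp.validnode_checking is not YES")
    elif "TCP.INVITED_NODES" not in params and "TCP.EXCLUDED_NODES" not in params:
        findings.append("tcp.validnode_checking is YES but no node list is set")
    if params.get(f"ADMIN_RESTRICTIONS_{listener}", "OFF").upper() != "ON":
        findings.append(f"ADMIN_RESTRICTIONS_{listener} is not ON")
    if f"CONNECT_TIMEOUT_{listener}" not in params:
        findings.append(f"CONNECT_TIMEOUT_{listener} is not set")
    if f"LOG_FILE_{listener}" not in params:
        findings.append(f"LOG_FILE_{listener} is not set")
    return findings


# These instance parameters default to FALSE; the audit flags any other value.
MUST_BE_FALSE = ("REMOTE_OS_AUTHENT", "REMOTE_OS_ROLES",
                 "O7_DICTIONARY_ACCESSIBILITY", "_TRACE_FILES_PUBLIC")


def audit_instance(params):
    """Findings for the init.ora checks on the database security slides."""
    findings = []
    for name in MUST_BE_FALSE:
        if params.get(name, "FALSE").upper() != "FALSE":
            findings.append(f"{name} is not FALSE")
    if params.get("UTL_FILE_DIR") == "*":
        findings.append("UTL_FILE_DIR = * lets PL/SQL read and write any directory")
    if "XDB" in params.get("DISPATCHERS", "").upper():
        findings.append("DISPATCHERS still registers the XDB service")
    # An absent AUDIT_TRAIL is treated as NONE here.
    if params.get("AUDIT_TRAIL", "NONE").upper() == "NONE":
        findings.append("AUDIT_TRAIL is NONE, so session and user auditing is off")
    return findings


if __name__ == "__main__":
    print("weak listener:", audit_network(parse_params(WEAK_NET), "DBLSNR"))
    print("hardened listener:", audit_network(parse_params(HARDENED_NET), "DBLSNR"))
    print("weak init.ora:", audit_instance(parse_params(WEAK_INIT)))
```

Run it against the real files by reading them into parse_params() and passing the actual listener name; a clean system returns empty lists from both audit functions. The parser deliberately stays single-line, so a tcp.invited_nodes list wrapped over several lines must be joined before checking.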

Page 8: Oracle Application Tier Security

Remove Application Server Banner
  ServerSignature Off
  ServerTokens Prod

Protect Administrative Web Pages
  <Location "uri-to-protect">
    Order deny,allow
    Deny from all
    Allow from localhost <list of TRUSTED IPs>
  </Location>

Disable Test Pages
  <Location ~ "^/fcgi-bin/echo.*$">
    Order deny,allow
    Deny from all
  </Location>

Configure Logging
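The banner and <Location> settings above are easy to get subtly wrong (an "Order allow,deny" block with "Allow from all" looks protective but opens the page). The Python below is an added example, not from the deck or from Oracle HTTP Server, that parses the top-level directives and <Location> blocks of an httpd.conf-style file and reports banner leakage and any required location that is not deny-by-default. The configuration text is constructed, "/admin-uri-to-protect" stands in for the slide's "uri-to-protect" placeholder, and the 10.0.0.5 trusted address is made up.

```python
"""Check an Apache / Oracle HTTP Server configuration for the banner and
access-control settings on the application tier slide.  Added example with
constructed configuration text."""
import re

# Location specs, as written after "<Location ", that must deny by default.
PROTECTED = ['"/admin-uri-to-protect"', '~ "^/fcgi-bin/echo.*$"']

# Constructed configuration: verbose banner, test page still reachable.
WEAK_CONF = """
ServerSignature On
ServerTokens Full

<Location "/admin-uri-to-protect">
    Order deny,allow
    Deny from all
    Allow from localhost 10.0.0.5
</Location>

<Location ~ "^/fcgi-bin/echo.*$">
    Order allow,deny
    Allow from all
</Location>
"""

# The same configuration with the slide's settings applied.
HARDENED_CONF = """
ServerSignature Off
ServerTokens Prod

<Location "/admin-uri-to-protect">
    Order deny,allow
    Deny from all
    Allow from localhost 10.0.0.5
</Location>

<Location ~ "^/fcgi-bin/echo.*$">
    Order deny,allow
    Deny from all
</Location>
"""


def parse_httpd(text):
    """Return (top-level directives, [(location spec, directives)]).  Only
    top-level directives and <Location> blocks are handled; directive names
    are lower-cased because Apache treats them case-insensitively."""
    top, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(.+)>$", line, re.I)
        if m:
            current = (" ".join(m.group(1).split()), {})
            blocks.append(current)
            continue
        if line.lower() == "</location>":
            current = None
            continue
        name, _, value = line.partition(" ")
        (current[1] if current else top)[name.lower()] = value.strip()
    return top, blocks


def denies_by_default(d):
    """Apache 2.2 mod_authz_host: 'Order deny,allow' with 'Deny from all'
    blocks everyone except hosts named in Allow lines."""
    return (d.get("order", "").replace(" ", "").lower() == "deny,allow"
            and d.get("deny", "").lower() == "from all")


def audit_httpd(text, protected=PROTECTED):
    """Return findings for banner leakage and unprotected locations."""
    top, blocks = parse_httpd(text)
    findings = []
    # Apache defaults when unset: ServerSignature Off, ServerTokens Full.
    if top.get("serversignature", "off").lower() != "off":
        findings.append("ServerSignature should be Off")
    if top.get("servertokens", "full").lower() != "prod":
        findings.append("ServerTokens should be Prod")
    by_spec = dict(blocks)
    for spec in protected:
        d = by_spec.get(" ".join(spec.split()))
        if d is None:
            findings.append(f"no <Location {spec}> block")
        elif not denies_by_default(d):
            findings.append(f"<Location {spec}> does not deny by default")
    return findings


if __name__ == "__main__":
    print("weak:", audit_httpd(WEAK_CONF))
    print("hardened:", audit_httpd(HARDENED_CONF))
```

The check only understands the Apache 2.2 Order/Deny/Allow syntax shown on the slide; a server that has moved to the 2.4 "Require" directives needs the denies_by_default() test adjusted accordingly.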

Page 9: E-Business Suite Security - Continued

Change Passwords for Seeded Application User Accounts

Account              Product/Purpose                                Change   Disable
ANONYMOUS            FND/AOL – Anonymous for non-logged users       Y        Y
APPSMGR              Routine maintenance via concurrent requests    Y        Y
ASGADM               Mobile gateway related products                Y        N
ASGUEST              Sales Application guest user                   Y        N
AUTOINSTALL          AD                                             Y        Y
CONCURRENT MANAGER   FND/AOL: Concurrent Manager                    Y        Y
FEEDER SYSTEM        AD – Supports data from feeder system          Y        Y
GUEST                Guest application user                         Y        N

Page 10: E-Business Suite Security - Continued

Consider Using Single Sign-On (SSO)
  Refer to ML Doc ID 376811.1

Create New User Accounts Safely
Create Shared Responsibilities Instead of Shared Accounts
Configure Concurrent Manager for Safe Authentication
Activate Server Security
Tighten Logon and Session Profile Options

Profile Option Name              Recommendation
ICX_SESSION_TIMEOUT              30 (minutes)
SIGNON_PASSWORD_NO_REUSE         180 (days)
SIGNON_PASSWORD_HARD_TO_GUESS    Yes
SIGNON_PASSWORD_LENGTH           8
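The SIGNON_PASSWORD_* profile options above and the PASSWORD_VERIFY_FUNCTION / PASSWORD_REUSE_TIME row on Page 6 express the same policy at two layers: minimum length, a "hard to guess" content rule, and no reuse within 180 days. The Python below is an added example, not EBS's or the database's own implementation, of what such a check does: it keeps a salted-hash history so reuse can be detected without storing clear-text passwords. The specific "hard to guess" rules (at least one letter and one digit, the username not contained in the password, no character immediately repeated) are an assumption made for illustration; the user name, passwords and history dates are constructed.

```python
"""Password-policy checker modelled on the EBS sign-on profile options and the
database PASSWORD_VERIFY_FUNCTION / PASSWORD_REUSE_TIME idea.  Added example:
the hard-to-guess rule set is an assumption for illustration, and the user
name, passwords and history below are constructed."""
import hashlib
import os
from datetime import date, timedelta

# Recommended values from the slide; NO_REUSE is in days.
POLICY = {"SIGNON_PASSWORD_LENGTH": 8,
          "SIGNON_PASSWORD_HARD_TO_GUESS": True,
          "SIGNON_PASSWORD_NO_REUSE": 180}


def _hash(password, salt):
    """Salted hash so the reuse history never holds clear-text passwords."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hard_to_guess(password, username):
    """Assumed rules: a letter and a digit, username not contained in the
    password, and no character immediately repeated."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    no_user = username.lower() not in password.lower()
    no_repeat = all(a != b for a, b in zip(password, password[1:]))
    return has_letter and has_digit and no_user and no_repeat


def check_password(username, password, history, today, policy=POLICY):
    """history: list of (salt, digest, date_set).  Returns a list of policy
    violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy["SIGNON_PASSWORD_LENGTH"]:
        problems.append(f"shorter than {policy['SIGNON_PASSWORD_LENGTH']} characters")
    if policy["SIGNON_PASSWORD_HARD_TO_GUESS"] and not hard_to_guess(password, username):
        problems.append("fails hard-to-guess rules")
    # Only passwords set inside the no-reuse window count as reuse.
    cutoff = today - timedelta(days=policy["SIGNON_PASSWORD_NO_REUSE"])
    for salt, digest, when in history:
        if when >= cutoff and _hash(password, salt) == digest:
            problems.append(f"reused within {policy['SIGNON_PASSWORD_NO_REUSE']} days")
            break
    return problems


def record_password(password, today, history):
    """Append a freshly salted hash of an accepted password to the history."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt), today))


# Constructed history for a user OPERATIONS: one password set 200 days ago
# (outside the 180-day window) and one set 30 days ago (inside it).
TODAY = date(2015, 12, 24)
HISTORY = []
record_password("Winter2014x", TODAY - timedelta(days=200), HISTORY)
record_password("Spring2015y", TODAY - timedelta(days=30), HISTORY)

if __name__ == "__main__":
    for candidate in ("Spring2015y", "Winter2014x", "operations1", "abc1234", "Autumn2015z"):
        print(candidate, "->", check_password("OPERATIONS", candidate, HISTORY, TODAY) or "OK")
```

A real deployment would keep the history in the user store and bound its length (the database side does that with PASSWORD_REUSE_MAX); the window comparison here is the part that maps directly onto SIGNON_PASSWORD_NO_REUSE and PASSWORD_REUSE_TIME.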

Page 11: Desktop Security

Configure Browser
  Refer to ML Doc ID 389422.1

Update Browser
Turn off Browser Auto Complete
Set Policy for Unattended PC Sessions

Page 12: Operating Environment Security

Cleanup file ownership and access
Cleanup file permissions
Eliminate Telnet connections
Eliminate FTP connections
Verify Network configuration

Page 13: Q&A

Page 14: Copyright Information

Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: [email protected]

TUSC © 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC

www.tusc.com

Page 15: References

Best Practices for Securing Oracle E-Business Suite, Oracle Corporation, Version 3.0.2
Oracle Metalink
Oracle Technology Network (OTN)