Post on 30-Dec-2015
Database Security DB0520
• Authentication and password security
• Authentication options – strong, weak
• Review security environment – Sys Admin privileges
• Choosing Strong Passwords
• Account Lockout policy
• Password Profiles – create, enforce
Authentication options
• Authentication is the process of confirming the correctness of a claimed identity
• DB2 CLIENT authentication
– DB2 parameters
• TRUST_ALLCLNTS – DRDAONLY (except z/OS, OS/390, VM, VSE)
• TRUST_CLNTAUTH – where to check passwords – SERVER/CLIENT
• External authentication
• DB2 SERVER authentication
– SERVER_ENCRYPT or KERBEROS or both
– DATA_ENCRYPT
– GSSPLUGIN
Authentication options
• MS SQL Server
– Windows authentication
– Mixed authentication
• Client connections capable of NTLM are authenticated with SQL Server
• Username and password stored in SQL Server
• Oracle
– OCI client and Oracle server – using TNS
– Oracle password protocol (O3LOGON)
– V$SESSION – username, osuser, machine, module
Review Security environment
• Review authentication model
• Review group association
• Review role association
• Review privilege association
• Perform a “dry run”
• Inspect sys admin privileges
Choosing Strong Passwords
• Use a password with mixed-case letters.
• Use letters and numbers in your passwords.
• Use punctuation marks within your passwords.
• Use passwords with at least six characters; a minimum of eight is even better.
• If possible, choose a password that can be typed quickly and that cannot be easily guessed if someone looks over your shoulder.

Don’t do the following:
• Don’t use the same password (even if it is strong) everywhere.
• Don’t use the username as the password, or any permutation of the login name (e.g., the username spelled backward).
• Don’t use words that can be looked up in a dictionary, because they will appear in password cracker word lists.
• Don’t use information that is easily obtained, such as your mother’s maiden name, your children’s names, or your pet’s name.
• Don’t use dates (such as your hiring date, birth dates, phone number, anniversary, etc.).
• Don’t use repeating substrings in a password (e.g. 111, 222): this reduces the number of permutations and weakens the strength gained by password length, since the attacker now needs to guess fewer unique characters.
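The rules on this slide can be enforced mechanically before a password is accepted. The following checker is an added example written for this page, not code from the slide deck or from any database vendor: it implements each "do" and "don't" above as one test and returns the list of rules a candidate password breaks. The word list, the personal-information list and the eight-character floor (the slide's stricter figure) are constructed assumptions; a real deployment would load a full cracker word list.

```python
import re
import string

# Constructed, deliberately tiny word list standing in for the dictionary
# files that password crackers use; load a real list in production.
DICTIONARY = {"password", "welcome", "oracle", "database", "secret", "summer"}

MIN_LENGTH = 8  # the slide says six is the floor and eight is better: enforce eight


def check_password(password, username, personal_info=(), dictionary=DICTIONARY):
    """Return the list of slide rules the password violates (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")

    low, user = password.lower(), username.lower()
    # The username itself, spelled backward, or any other rearrangement of
    # its characters (sorted() compares the multiset of characters).
    if low == user or low == user[::-1] or sorted(low) == sorted(user):
        problems.append("derived from the username")

    # Dictionary words anywhere inside the password, case-insensitively,
    # which is how cracker word lists are applied.
    if any(word in low for word in dictionary):
        problems.append("contains a dictionary word")

    # Facts that are easy to look up: family names, pet names, dates, phone numbers.
    if any(info.lower() in low for info in personal_info if info):
        problems.append("contains easily obtained personal information")

    # Any substring repeated three or more times in a row (111, 222, abcabcabc):
    # the password has fewer distinct characters to guess than its length suggests.
    if re.search(r"(.+?)\1{2,}", password):
        problems.append("repeating substring")

    return problems


def is_strong(password, username, personal_info=()):
    """True when no rule on the slide is violated."""
    return not check_password(password, username, personal_info)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, user, info in [("Tr0ub4dor&3", "jsmith", ()),
                           ("htimsj", "jsmith", ()),
                           ("Oracle111!", "dba", ()),
                           ("Rex!2009xyz", "mary", ("Rex", "1985-03-12"))]:
        print(f"{pw!r} for {user}: {check_password(pw, user, info) or 'OK'}")
```

`check_password` reports every failing rule at once rather than stopping at the first one, which is what a user-facing "why was my password rejected" message needs; `is_strong` is the yes/no form a login or profile hook would call.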
Account Lockout
• Account lockout after failed attempts
– May itself enable a denial-of-service attack: repeated failed logins against a known account lock the legitimate user out
• Alternatively, deny connections from the offending source IP to the target IP
• Use a DB firewall to enforce this
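The trade-off on this slide is easiest to see side by side. The following simulation is an added example for this page, not code from the slides or from any database product: one `LoginGuard` class can apply an account-lockout rule, a per-source-IP rule (the policy a DB firewall would enforce), or both, and `simulate` runs the same constructed scenario against it, a bad actor failing repeatedly from one address while the real user logs in correctly from another. The thresholds, lock duration and the documentation-range IP addresses are constructed assumptions.

```python
from collections import defaultdict


class LoginGuard:
    """Records failed logins and applies an account-lockout rule, a
    source-IP rule, or both. Times are plain seconds for the simulation."""

    def __init__(self, account_threshold=None, ip_threshold=None, lock_seconds=900):
        self.account_threshold = account_threshold  # None: no account lockout
        self.ip_threshold = ip_threshold            # None: no source blocking
        self.lock_seconds = lock_seconds
        self.account_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)
        self.account_locked_until = {}
        self.ip_blocked_until = {}

    @staticmethod
    def _still_blocked(until_table, counters, key, now):
        until = until_table.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: clear it and start counting failures afresh.
        del until_table[key]
        counters[key] = 0
        return False

    def attempt(self, username, source_ip, credentials_ok, now):
        """Decide one login attempt and return the decision as a string."""
        if self._still_blocked(self.ip_blocked_until, self.ip_failures, source_ip, now):
            return "denied: source blocked"
        if self._still_blocked(self.account_locked_until, self.account_failures, username, now):
            return "denied: account locked"
        if credentials_ok:
            self.account_failures[username] = 0
            self.ip_failures[source_ip] = 0
            return "allowed"
        self.account_failures[username] += 1
        self.ip_failures[source_ip] += 1
        if self.ip_threshold and self.ip_failures[source_ip] >= self.ip_threshold:
            self.ip_blocked_until[source_ip] = now + self.lock_seconds
        if self.account_threshold and self.account_failures[username] >= self.account_threshold:
            self.account_locked_until[username] = now + self.lock_seconds
        return "denied: bad credentials"


def simulate(guard):
    """Constructed scenario: five wrong passwords for 'alice' from 203.0.113.7,
    then alice herself logs in with the right password from 192.0.2.10.
    Returns the decision alice receives."""
    for t in range(5):
        guard.attempt("alice", "203.0.113.7", False, now=t)
    return guard.attempt("alice", "192.0.2.10", True, now=5)


if __name__ == "__main__":
    print("account lockout only:", simulate(LoginGuard(account_threshold=3)))
    print("source-IP block only:", simulate(LoginGuard(ip_threshold=3)))
```

With the account rule alone the legitimate user is the one denied, which is the denial-of-service the slide warns about; with the source rule alone the noisy address is cut off and the user's own login succeeds. Locks expire after `lock_seconds`, so a blocked source is not cut off forever and the counters restart cleanly.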
Password profiles (Oracle)
• PASSWORD_LIFE_TIME – days until the password expires
• PASSWORD_REUSE_TIME – days before a password can be reused
• PASSWORD_REUSE_MAX – number of password changes before a password can be reused
• PASSWORD_GRACE_TIME – days during which login is still allowed, with a warning, after expiry
• PASSWORD_VERIFICATION_SCRIPT
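The four numeric limits interact, and the interaction is what a DBA has to reason about when setting a profile. The following model is an added example for this page, not Oracle's code: it expresses ages in days, uses `None` for Oracle's UNLIMITED, classifies a password as valid, in its grace period or expired from PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME, and applies the documented Oracle reuse rule (with both limits set, an old password may return only after both the REUSE_TIME days and the REUSE_MAX changes have passed; one limit set and the other UNLIMITED means never; both UNLIMITED means no restriction). The password history, the digest function and the sample passwords are constructed.

```python
import hashlib

UNLIMITED = None  # stands in for Oracle's UNLIMITED profile value


def password_status(changed_day, today, life_time, grace_time):
    """Classify a password by age in days against PASSWORD_LIFE_TIME and
    PASSWORD_GRACE_TIME: 'valid', 'grace' (login allowed with a warning)
    or 'expired' (login refused until the password is changed)."""
    age = today - changed_day
    if life_time is UNLIMITED or age < life_time:
        return "valid"
    if grace_time is UNLIMITED or age < life_time + grace_time:
        return "grace"
    return "expired"


def digest(password):
    # Constructed stand-in for the server's stored password hash; not Oracle's format.
    return hashlib.sha256(password.encode()).hexdigest()


def reuse_allowed(candidate, history, today, reuse_time, reuse_max):
    """history: list of (digest, changed_day), oldest first, ending with the
    current password. Returns True if the candidate may be set today under
    PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX."""
    wanted = digest(candidate)
    matches = [i for i, (d, _) in enumerate(history) if d == wanted]
    if not matches:
        return True                      # never used before: always fine
    if reuse_time is UNLIMITED and reuse_max is UNLIMITED:
        return True                      # no reuse restriction configured
    if reuse_time is UNLIMITED or reuse_max is UNLIMITED:
        return False                     # one limit alone means never reuse
    last = matches[-1]
    days_since = today - history[last][1]
    changes_since = len(history) - 1 - last
    return days_since >= reuse_time and changes_since >= reuse_max


if __name__ == "__main__":
    # Constructed history: three passwords set on days 0, 100 and 200.
    hist = [(digest("Winter!2014"), 0), (digest("Spring!2015"), 100), (digest("Summer!2015"), 200)]
    print(password_status(200, 295, life_time=90, grace_time=7))          # grace
    print(reuse_allowed("Winter!2014", hist, 300, reuse_time=365, reuse_max=2))  # False
    print(reuse_allowed("Winter!2014", hist, 400, reuse_time=365, reuse_max=2))  # True
```

Running the model against a proposed profile before applying it shows, for instance, that setting PASSWORD_REUSE_MAX without PASSWORD_REUSE_TIME does not loosen the policy but forbids reuse outright.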
DB user/password maintenance