Database Security DB0520

• Authentication and password security
• Authentication options – strong, weak
• Review security environment – Sys Admin privileges
• Choosing Strong Passwords
• Account Lockout policy
• Password Profiles – create, enforce
Authentication options

• Authentication is the process of confirming that a claimed identity is correct.
• DB2 CLIENT authentication – the client host is trusted to have already authenticated the user, so the database is only as trustworthy as its least trustworthy client. Two DB2 parameters control it:
– TRUST_ALLCLNTS – which clients are trusted: YES (all), NO (only trusted client platforms) or DRDAONLY (only DRDA host clients on z/OS, OS/390, VM and VSE are trusted; every other client is authenticated by the server)
– TRUST_CLNTAUTH – where the password is checked when a trusted client does supply one: SERVER or CLIENT
• External authentication – DB2 stores no passwords of its own; users are validated by the operating system or a security plugin.
• DB2 SERVER authentication types:
– SERVER_ENCRYPT or KERBEROS, or both (KRB_SERVER_ENCRYPT)
– DATA_ENCRYPT
– GSSPLUGIN
Authentication options (continued)

• MS SQL Server
– Windows authentication – the login is authenticated by Windows (NTLM or Kerberos); SQL Server holds no password for it
– Mixed authentication – Windows authentication plus SQL Server logins, whose username and hashed password are stored in SQL Server itself
• Oracle
– OCI client and Oracle server communicate over TNS (Oracle Net)
– Oracle password protocol (O3LOGON) – Oracle's own challenge/response logon, so the cleartext password is not sent over the wire
– V$SESSION shows who is connected: USERNAME, OSUSER, MACHINE, MODULE
Review Security environment

• Review the authentication model
• Review group association
• Review role association
• Review privilege association
• Perform a "dry run" – connect as a reviewed account and confirm it can do only what the model says it can
• Inspect sys admin privileges
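The review steps above, carried out against an Oracle database, as an added example that is not part of the original slides. It assumes a DBA account on Oracle 11g or later (the AUTHENTICATION_TYPE column of DBA_USERS is not present in older releases); all view and column names are Oracle data-dictionary names, and the "%ANY%" filter is this example's own heuristic for privileges that cross schema boundaries.

```sql
-- Added example (not from the slides): Oracle SQL for the review steps.
-- Assumes a DBA account and Oracle 11g+ for DBA_USERS.AUTHENTICATION_TYPE.

-- 1. Authentication model: which accounts exist, whether they are open or
--    locked, and how each one is authenticated (PASSWORD, EXTERNAL, GLOBAL).
SELECT username, account_status, authentication_type, profile
FROM   dba_users
ORDER  BY account_status, username;

-- 2. Role association: every role held by every grantee. ADMIN_OPTION = 'YES'
--    means the holder can grant the role onward, which widens the blast radius.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
ORDER  BY grantee, granted_role;

-- 3. Privilege association: system privileges granted directly rather than
--    through a role. Privileges containing ANY (SELECT ANY TABLE, ...) reach
--    into every schema, so they are listed alongside grants WITH ADMIN OPTION.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee NOT IN ('SYS', 'SYSTEM')
  AND  (privilege LIKE '%ANY%' OR admin_option = 'YES')
ORDER  BY grantee, privilege;

-- 4. Sys admin privileges: password-file users who can connect AS SYSDBA or
--    AS SYSOPER (they bypass normal database authentication), and direct
--    holders of the DBA role.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'DBA';

-- 5. Dry run / live check: who is connected right now, from which OS account,
--    host and program (the V$SESSION columns named on the Oracle slide).
SELECT username, osuser, machine, module, logon_time
FROM   v$session
WHERE  username IS NOT NULL
ORDER  BY logon_time;
```

Role grants chain (a role can contain other roles), so step 4 lists only direct DBA grants; walk DBA_ROLE_PRIVS recursively, or query ROLE_ROLE_PRIVS, to find accounts that reach DBA indirectly.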
Choosing Strong Passwords

• Use mixed-case letters.
• Use both letters and numbers.
• Use punctuation marks within the password.
• Use at least eight characters; six is the absolute floor and is weak against modern offline cracking, so longer is better.
• If possible, choose a password that can be typed quickly and that cannot be guessed by someone looking over your shoulder.
Don't do the following:

• Don't use the same password (even if it is strong) in more than one place: one compromised system then exposes all of them.
• Don't use the username as the password, or any permutation of the login name (e.g., the username spelled backward).
• Don't use words that can be looked up in a dictionary; they appear in password-cracker word lists.
• Don't use information that is easily obtained, such as your mother's maiden name, your children's names or your pet's name.
• Don't use dates (hiring date, birth dates, phone number, anniversary, etc.).
• Don't use repeating substrings (e.g., 111, 222): they reduce the number of permutations and throw away the strength gained from length, because the attacker has fewer distinct characters to guess.
Account Lockout

• Lock the account after a set number of failed login attempts.
– Caveat: a permanent lockout can be turned into a denial-of-service attack. Anyone who can reach the listener can lock a legitimate account by deliberately failing the login that many times, so prefer a lock that expires automatically after a short time.
• Alternative or complement: deny further connections from the offending source IP to the target database IP instead of locking the account.
• Use a database firewall to enforce such source/target rules in front of the database.
Password profiles (Oracle)

• PASSWORD_LIFE_TIME – days before the password expires
• PASSWORD_REUSE_TIME – days before a password may be reused
• PASSWORD_REUSE_MAX – number of password changes before a password may be reused
• PASSWORD_GRACE_TIME – days after expiry during which login is still allowed, with a warning
• PASSWORD_VERIFY_FUNCTION – a PL/SQL function owned by SYS that checks every new password against complexity rules; Oracle ships a sample one through the utlpwdmg.sql script
• FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME – the profile parameters that implement account lockout
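A profile that puts the preceding three slides into effect: the password rules from "Choosing Strong Passwords" and the "Don't" list as a verify function, the lockout policy from "Account Lockout" with a self-expiring lock, and the Oracle profile parameters listed above. This is an added example, not code from the slides or from Oracle; it assumes you are connected AS SYSDBA on Oracle 11g or later, and the function name, profile name, limits, the short word list and the user APP_USER are this example's own choices.

```sql
-- Added example (not from the slides). Run as SYS; Oracle requires password
-- verify functions to be owned by SYS. Names and limits are assumptions.

-- Verify function: Oracle calls it on CREATE USER / ALTER USER ... IDENTIFIED BY
-- for every user whose profile names it. It returns TRUE or raises an error.
CREATE OR REPLACE FUNCTION verify_db0520_password (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    l_pwd      VARCHAR2(128) := LOWER(password);
    l_user     VARCHAR2(128) := LOWER(username);
    l_reversed VARCHAR2(128) := '';
    -- Constructed stand-in for a dictionary file; load a real word list in practice.
    TYPE word_list IS TABLE OF VARCHAR2(30);
    l_words    word_list := word_list('password', 'welcome', 'oracle', 'database', 'qwerty');
BEGIN
    -- Length: the slide's floor is six, eight is "even better"; enforce eight.
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;

    -- Character classes: mixed case, a digit and a punctuation mark.
    IF NOT REGEXP_LIKE(password, '[[:lower:]]')
       OR NOT REGEXP_LIKE(password, '[[:upper:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
        raise_application_error(-20002,
            'Password needs upper and lower case, a digit and a punctuation mark');
    END IF;

    -- The username, forwards or spelled backward, must not appear anywhere.
    FOR i IN REVERSE 1 .. LENGTH(l_user) LOOP
        l_reversed := l_reversed || SUBSTR(l_user, i, 1);
    END LOOP;
    IF INSTR(l_pwd, l_user) > 0 OR INSTR(l_pwd, l_reversed) > 0 THEN
        raise_application_error(-20003, 'Password must not contain the username');
    END IF;

    -- Repeating substrings such as 111 or aaa: one character three times running.
    IF REGEXP_LIKE(password, '(.)\1\1') THEN
        raise_application_error(-20004, 'Password must not repeat a character three times');
    END IF;

    -- Dictionary words (case-insensitive substring match against the list).
    FOR i IN 1 .. l_words.COUNT LOOP
        IF INSTR(l_pwd, l_words(i)) > 0 THEN
            raise_application_error(-20005, 'Password contains a dictionary word');
        END IF;
    END LOOP;

    -- Old password is NULL when the caller does not supply it; otherwise the
    -- new password must differ from it.
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20006, 'New password must differ from the old one');
    END IF;

    RETURN TRUE;
END;
/

-- Profile: the five parameters from the slide plus the two that implement
-- account lockout. PASSWORD_LOCK_TIME is in days, so 1/24 is one hour; the
-- account unlocks by itself, which bounds the denial of service an attacker
-- can cause by failing logins on purpose. UNLIMITED would keep every such
-- account locked until a DBA intervenes.
CREATE PROFILE db0520_secure LIMIT
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       10
    FAILED_LOGIN_ATTEMPTS    10
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_VERIFY_FUNCTION verify_db0520_password;

-- Enforce: assign the profile to an account (hypothetical user APP_USER),
-- then confirm the limits from the data dictionary.
ALTER USER app_user PROFILE db0520_secure;

SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'DB0520_SECURE'
  AND  resource_type = 'PASSWORD';
```

When both PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX are set, Oracle requires both conditions to hold before a password may be reused; setting either one to UNLIMITED while the other is a number disables the reuse check entirely, so set both.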
DB user/password maintenance