Database Security DB0520 Authentication and password security Authentication options – strong, weak Review security environment - Sys Admin privileges Choosing Strong Passwords Account Lockout policy Password Profiles – create, enforce

Upload: elijah-oconnor

Post on 30-Dec-2015

Page 1: Database Security DB0520 Authentication and password security Authentication options – strong, weak Review security environment - Sys Admin privileges

Database Security DB0520

• Authentication and password security
• Authentication options – strong, weak
• Review security environment - Sys Admin privileges
• Choosing Strong Passwords
• Account Lockout policy
• Password Profiles – create, enforce

Page 2

Authentication options

• Process to confirm correctness of identity
• DB2 CLIENT authentication
  – DB2 parameters
    • TRUST_ALLCLNTS – DRDAONLY (except z/OS, OS/390, VM, VSE)
    • TRUST_CLNTAUTH – where to check passwords – SERVER/CLIENT
• External authentication
• DB2 SERVER authentication
  – SERVER_ENCRYPT or KERBEROS or both
  – DATA_ENCRYPT
  – GSSPLUGIN

Page 3

Authentication options

• MS SQL Server
  – Windows authentication
  – Mixed authentication
    • Client connections capable of NTLM are authenticated with SQL Server
    • Username and password stored in SQL Server
• Oracle
  – OCI client and Oracle server – using TNS
  – Oracle password protocol (O3LOGON)
  – V$SESSION – username, osuser, machine, module

Page 4

Review Security environment

• Review authentication model
• Review group association
• Review role association
• Review privilege association
• Perform a “dry run”
• Inspect sys admin privileges
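As an added example that is not part of the slides, the Oracle data-dictionary queries below walk through the review steps above and also show the V$SESSION columns named on page 3. They assume an Oracle Database and a reviewing account with SELECT access to the DBA_* and V$ views (for instance through SELECT_CATALOG_ROLE); the view and column names are Oracle's own, the query layout is mine.

```sql
-- Added example, not from the slides: Oracle queries for reviewing the security environment.
-- Assumes an Oracle Database and a reviewer granted SELECT on the DBA_* and V$ views.

-- Step 1: authentication model. How does each account authenticate (PASSWORD, EXTERNAL,
-- GLOBAL, NONE), is it open or locked, and which profile governs its password policy?
SELECT username, authentication_type, account_status, profile
  FROM dba_users
 ORDER BY username;

-- Step 2: group/role association. Which roles does each grantee hold, are they default
-- roles, and can the grantee pass them on (ADMIN_OPTION)?
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 ORDER BY grantee, granted_role;

-- Step 3: privilege association. System privileges granted directly to users rather than
-- through a role; direct grants are the ones a role-centred review tends to miss.
SELECT p.grantee, p.privilege, p.admin_option
  FROM dba_sys_privs p
  JOIN dba_users u ON u.username = p.grantee
 ORDER BY p.grantee, p.privilege;

-- Step 4: "dry run". Connect as the account under review and list what it can actually do
-- once default roles and nested role grants have been resolved for the session.
SELECT privilege FROM session_privs ORDER BY privilege;
SELECT role      FROM session_roles ORDER BY role;

-- Step 5: sys admin privileges. Accounts holding the DBA or full import/export roles,
-- any "ANY" system privilege, or SYSDBA/SYSOPER in the password file.
SELECT grantee, granted_role AS privilege, 'ROLE' AS granted_via
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
UNION ALL
SELECT grantee, privilege, 'DIRECT'
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
 ORDER BY grantee, privilege;

SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- Page 3: who is connected right now, from which OS account, machine and program.
SELECT username, osuser, machine, module
  FROM v$session
 WHERE type = 'USER'
   AND username IS NOT NULL
 ORDER BY username;
```

Run steps 1 to 3 and 5 as the reviewer; step 4 is only meaningful when run from a session opened as the account being reviewed, which is what makes it a dry run rather than a paper exercise.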

Page 5

Choosing Strong Passwords

• Use a password with mixed-case letters.
• Use letters and numbers in your passwords.
• Use punctuation marks within your passwords.
• Use passwords with at least six characters; a minimum of eight is even better.
• If possible, choose a password that can be typed quickly and that cannot be easily guessed if someone looks over your shoulder.

Page 6

Don’t do the following:

• Don’t use the same password (even if it is strong) everywhere.
• Don’t use the username as the password, or any permutation of the login name (e.g., the username spelled backward).
• Don’t use words that can be looked up in a dictionary, because they will appear in password-cracker word lists.
• Don’t use information that is easily obtained, such as your mother’s maiden name, your children’s names, or your pet’s name.
• Don’t use dates (such as your hiring date, birth dates, phone number, anniversary, etc.).
• Don’t use repeating substrings in a password (e.g. 111, 222). This reduces the number of permutations and weakens the strength gained from password length: the hacker now needs to guess fewer unique characters.

Page 7

Account Lockout

• Account lockout after failed attempts
  – May be abused to cause a denial of service: repeated failed logins against a known account lock its legitimate user out
• Alternative: deny connections from the offending source IP to the target IP
• Use a DB firewall

Page 8

Password profiles (Oracle)

• PASSWORD_LIFE_TIME – expiration days
• PASSWORD_REUSE_TIME – number of days before reuse
• PASSWORD_REUSE_MAX – number of password changes before reuse
• PASSWORD_GRACE_TIME – number of days login is allowed with a warning
• PASSWORD_VERIFICATION_SCRIPT
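The PL/SQL verification function and profile below are an added example, not code from the slides, that put pages 5 to 8 into practice on Oracle. The function enforces the strong-password rules and the "don't" list; the profile sets the lifetime, reuse and grace parameters listed above, attaches the function through the PASSWORD_VERIFY_FUNCTION clause (the profile clause the "PASSWORD_VERIFICATION_SCRIPT" bullet refers to), and adds the account-lockout policy from page 7 with a bounded lock time so a flood of failed logins cannot lock an account out indefinitely. The names db0520_verify, db0520_profile and app_user are made up for this example, the banned-word list is a short constructed placeholder, and the script must be run as SYS because Oracle requires verification functions to be owned by SYS.

```sql
-- Added example, not from the slides. Run as SYS: Oracle requires password verification
-- functions to live in the SYS schema. db0520_verify, db0520_profile and app_user are
-- made-up names for this example.
CREATE OR REPLACE FUNCTION db0520_verify (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN IS
  l_user VARCHAR2(128)  := LOWER(username);
  l_low  VARCHAR2(4000) := LOWER(password);
  l_rev  VARCHAR2(128);
  -- Constructed placeholder list; a real deployment loads a full dictionary word list.
  TYPE word_list IS TABLE OF VARCHAR2(30);
  l_banned word_list := word_list('password', 'welcome', 'oracle', 'database', 'admin');
BEGIN
  -- Page 5: at least six characters, eight is better; enforce the recommended eight.
  IF LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters long');
  END IF;
  -- Page 5: mixed case, digits and punctuation.
  IF NOT REGEXP_LIKE(password, '[a-z]') OR NOT REGEXP_LIKE(password, '[A-Z]') THEN
    raise_application_error(-20002, 'Password must mix upper- and lower-case letters');
  END IF;
  IF NOT REGEXP_LIKE(password, '[0-9]') THEN
    raise_application_error(-20003, 'Password must contain a digit');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
    raise_application_error(-20004, 'Password must contain a punctuation mark');
  END IF;
  -- Page 6: not the username or the username spelled backward, checked as substrings.
  FOR i IN REVERSE 1 .. LENGTH(l_user) LOOP
    l_rev := l_rev || SUBSTR(l_user, i, 1);
  END LOOP;
  IF INSTR(l_low, l_user) > 0 OR INSTR(l_low, l_rev) > 0 THEN
    raise_application_error(-20005, 'Password must not contain the username or its reverse');
  END IF;
  -- Page 6: no dictionary words.
  FOR i IN 1 .. l_banned.COUNT LOOP
    IF INSTR(l_low, l_banned(i)) > 0 THEN
      raise_application_error(-20006, 'Password must not contain a dictionary word');
    END IF;
  END LOOP;
  -- Page 6: no repeating substrings such as 111 or 222 (three identical characters in a row).
  IF REGEXP_LIKE(password, '(.)\1\1') THEN
    raise_application_error(-20007, 'Password must not repeat a character three times in a row');
  END IF;
  -- Page 6: the new password must at least differ from the previous one.
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20008, 'New password must differ from the old password');
  END IF;
  RETURN TRUE;
END db0520_verify;
/

-- Page 8 parameters, plus the page 7 lockout policy.
CREATE PROFILE db0520_profile LIMIT
  PASSWORD_LIFE_TIME       90      -- expiration: the password must be changed every 90 days
  PASSWORD_GRACE_TIME      7       -- days login is still allowed, with a warning, after expiry
  PASSWORD_REUSE_TIME      365     -- days before a password may be reused ...
  PASSWORD_REUSE_MAX       10      -- ... and at least 10 password changes in between
  PASSWORD_VERIFY_FUNCTION db0520_verify
  FAILED_LOGIN_ATTEMPTS    5       -- lock the account after five consecutive failures
  -- Unlock automatically after one hour: a bounded lock time limits the denial-of-service
  -- window that deliberately failed logins against a known account would otherwise open.
  PASSWORD_LOCK_TIME       1/24;

ALTER USER app_user PROFILE db0520_profile;
```

A password that breaks one of the rules is rejected at ALTER USER ... IDENTIFIED BY, or at the user's own password change, with ORA-28003 followed by the function's message, so the rule that failed is visible to the person setting the password. FAILED_LOGIN_ATTEMPTS together with a finite PASSWORD_LOCK_TIME is the profile-level answer to the lockout trade-off on page 7: the account still locks on brute-force attempts, but recovers on its own.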

Page 9

DB user/password maintenance