Best Security Practices For Oracle E-Business
11i
Milton Estrada – Senior Consultant
Application Practice
Milton Estrada TUSC
(800) 755-TUSC
Agenda
• Overview
• Oracle TNS Listener Security
• Oracle Database Security
• Oracle Application Tier Security
• E-Business Suite Security
• Desktop Security
• Operating Environment Security
Overview
In today’s environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security and value of the information protected.
Each organization determines its own correct balance. To that end, this document describes security measures that will be put in place for securing Oracle E-Business Suite.
Oracle TNS Listener Security
• Valid Node Checking
  – To enable Valid Node Checking, set the following parameters in $TNS_ADMIN/sqlnet.ora:
    • tcp.validnode_checking = YES
    • tcp.invited_nodes = ( X.X.X.X, hostname, ... )
• Specify Connection Timeout
  – CONNECT_TIMEOUT_$ORACLE_SID = 10
Oracle TNS Listener Security
• Enable TNS Listener Password
  – $ lsnrctl
  – LSNRCTL> set current_listener $ORACLE_SID
  – LSNRCTL> change_password
  – LSNRCTL> set password
  – LSNRCTL> save_config
  – $ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
  – LSNRCTL> set current_listener $ORACLE_SID
  – LSNRCTL> set password
  – LSNRCTL> reload
Oracle TNS Listener Security
• Enable Admin Restrictions
  – ADMIN_RESTRICTIONS_$ORACLE_SID = ON
• Enable TNS Listener Logging
  – LOG_STATUS = ON
  – LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
  – LOG_FILE_$ORACLE_SID = $ORACLE_SID
Oracle Database Security
• Disable XDB
  – *.dispatchers='(PROTOCOL=TCP)(SERVICE=sidXDB)'
• Remove OS Trusted Login
  – REMOTE_OS_AUTHENT = FALSE
Oracle Database Security
• Implement two or more profiles for password management

  Password Parameter         Application Profile   Administrator Profile
  FAILED_LOGIN_ATTEMPTS      Unlimited             5
  PASSWORD_LIFE_TIME         Unlimited             90
  PASSWORD_REUSE_TIME        180                   180
  PASSWORD_REUSE_MAX         Unlimited             Unlimited
  PASSWORD_LOCK_TIME         Unlimited             7
  PASSWORD_GRACE_TIME        Unlimited             14
  PASSWORD_VERIFY_FUNCTION   Recommended           Recommended
Oracle Database Security
• Change default installation passwords
  – Default database administration schemas
  – Schemas belonging to optional database features neither used nor patched by E-Business Suite
  – Schemas belonging to optional database features used but not patched by E-Business Suite
  – Schemas belonging to optional database features used and patched by E-Business Suite
  – Schemas common to all E-Business Suite products
  – Schemas associated with specific E-Business Suite products
  – If on 11.5.9 or 11.5.10, apply patch 4745998 to enable the ALLORACLE parameter of FNDCPASS
Oracle Database Security
• Restrict access to SQL trace files
  – _TRACE_FILES_PUBLIC = FALSE
• Remove OS trusted roles
  – REMOTE_OS_ROLES = FALSE
Oracle Database Security
• Limit file system access within PL/SQL
  – UTL_FILE_DIR = <dir1>,<dir2>,<dir3>...
  – Avoid: UTL_FILE_DIR = *
• Limit Directory Access
  – O7_DICTIONARY_ACCESSIBILITY = FALSE
Oracle Database Security
• Configure DB for Auditing
  – AUDIT_TRAIL = OS
  – AUDIT_FILE_DEST = 'audit_file_directory'
• Audit DB connections
  – SQL> audit session;
• Audit DB Schema Changes
  – SQL> audit user;
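The listener and database settings on the preceding slides are all static parameters, so they can be verified from the configuration files without connecting to the database. The script below is an added example (not TUSC's or Oracle's code) that reads sqlnet.ora, listener.ora and init.ora and reports every deviation from the recommended values; it assumes the listener is named after the SID (PROD here), that init.ora uses the "*.name=value" form, and the three sample files it writes are constructed, with two deliberate deviations so there is something to find.

```shell
#!/bin/sh
# Baseline check of sqlnet.ora, listener.ora and init.ora against the TNS
# listener and database parameters recommended on the slides above.
# Added example, not code from TUSC or Oracle. Assumptions: the listener is
# named after the SID (PROD), init.ora uses "*.name=value", and the sample
# files written by write_sample are constructed.

# get_param FILE NAME: print the value of NAME (case-insensitive, leading "*."
# ignored) with "#" comments and surrounding blanks removed; empty if absent.
get_param() {
    sed 's/#.*//' "$1" | awk -v name="$2" '
        index($0, "=") == 0 { next }
        {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); sub(/^\*\./, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        toupper(key) == toupper(name) { print val; exit }'
}

# want_param FILE NAME VALUE: report a finding on stderr and return 1 when the
# parameter is missing or differs (case-insensitively) from VALUE.
want_param() {
    actual=$(get_param "$1" "$2")
    up_actual=$(printf '%s' "$actual" | tr 'a-z' 'A-Z')
    up_wanted=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    [ "$up_actual" = "$up_wanted" ] && return 0
    printf 'FINDING %s: %s is "%s", expected %s\n' \
        "$(basename "$1")" "$2" "${actual:-<unset>}" "$3" >&2
    return 1
}

# audit_oracle_config DIR: DIR holds sqlnet.ora, listener.ora and init.ora.
# Findings go to stderr; the number of findings is printed to stdout.
audit_oracle_config() {
    cfg=$1; sid=${SID:-PROD}; n=0
    want_param "$cfg/sqlnet.ora"   tcp.validnode_checking      YES   || n=$((n + 1))
    v=$(get_param "$cfg/sqlnet.ora" tcp.invited_nodes)
    [ -n "$v" ] || { echo "FINDING sqlnet.ora: tcp.invited_nodes is empty" >&2; n=$((n + 1)); }
    want_param "$cfg/listener.ora" "ADMIN_RESTRICTIONS_$sid"   ON    || n=$((n + 1))
    want_param "$cfg/listener.ora" "CONNECT_TIMEOUT_$sid"      10    || n=$((n + 1))
    want_param "$cfg/listener.ora" LOG_STATUS                  ON    || n=$((n + 1))
    want_param "$cfg/init.ora"     remote_os_authent           FALSE || n=$((n + 1))
    want_param "$cfg/init.ora"     remote_os_roles             FALSE || n=$((n + 1))
    want_param "$cfg/init.ora"     _trace_files_public         FALSE || n=$((n + 1))
    want_param "$cfg/init.ora"     o7_dictionary_accessibility FALSE || n=$((n + 1))
    want_param "$cfg/init.ora"     audit_trail                 OS    || n=$((n + 1))
    v=$(get_param "$cfg/init.ora" utl_file_dir)
    [ "$v" != "*" ] || { echo "FINDING init.ora: UTL_FILE_DIR = * exposes every directory to PL/SQL" >&2; n=$((n + 1)); }
    v=$(get_param "$cfg/init.ora" dispatchers | tr 'a-z' 'A-Z')
    case "$v" in
        *XDB*) echo "FINDING init.ora: dispatchers still registers the XDB service" >&2; n=$((n + 1)) ;;
    esac
    echo "$n"
}

# write_sample DIR: constructed sample files with two deliberate deviations
# (REMOTE_OS_AUTHENT=TRUE and UTL_FILE_DIR=*) for the checker to find.
write_sample() {
    cat > "$1/sqlnet.ora" <<'EOF'
tcp.validnode_checking = YES
tcp.invited_nodes = (10.0.0.5, appsnode1)
EOF
    cat > "$1/listener.ora" <<'EOF'
ADMIN_RESTRICTIONS_PROD = ON
CONNECT_TIMEOUT_PROD = 10
LOG_STATUS = ON
EOF
    cat > "$1/init.ora" <<'EOF'
*.dispatchers='(PROTOCOL=TCP)'
*.remote_os_authent=TRUE     # deviation: OS-trusted logins still allowed
*.remote_os_roles=FALSE
*._trace_files_public=FALSE
*.o7_dictionary_accessibility=FALSE
*.audit_trail=OS
*.utl_file_dir=*             # deviation: PL/SQL may read or write anywhere
EOF
}

sample=$(mktemp -d)
write_sample "$sample"
echo "findings: $(audit_oracle_config "$sample")"   # prints "findings: 2"
rm -rf "$sample"
```

Point the script at a copy of the real $TNS_ADMIN and parameter files rather than the sample directory, and set SID to the instance name; a non-zero count is the list of slides still to act on.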
Oracle Application Tier Security
• Remove Application Server Banner
  – Set ServerSignature Off
  – Set ServerTokens Prod
Oracle Application Tier Security
• Restrict MOD_PLSQL Web Administration
  <Location /pls/admin_>
    Order deny,allow
    Deny from all
    # Uncommenting the next line allows selected hosts to use the admin page
    # Allow from localhost <list of TRUSTED IPs>
  </Location>
Oracle Application Tier Security
• Configure Logging
  – Oracle Application Server respects Apache's logging parameters. When activated, the server logs who accessed the system, when, and the nature of the requested operation. At a minimum, log server access.
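The three application-tier items above (banner suppression, the /pls/admin_ Location block, and access logging) are all plain httpd.conf directives, so they can be checked the same way as the database parameters. The script below is an added example, not TUSC's or Oracle's code; the httpd.conf it writes is constructed (with ServerSignature left On as a deliberate deviation), and the log path and trusted address in it are assumptions.

```shell
#!/bin/sh
# Check an Oracle HTTP Server (Apache) httpd.conf for the application-tier
# settings above: banner suppressed, mod_plsql administration denied, access
# logging on. Added example, not TUSC's or Oracle's code; the configuration
# written by write_sample_conf is constructed and its paths are assumptions.

# directive FILE NAME: print the first argument of each active (uncommented)
# occurrence of directive NAME, wherever it appears in the file.
directive() {
    awk -v d="$2" '/^[ \t]*#/ { next } tolower($1) == tolower(d) { print $2 }' "$1"
}

# in_location FILE PATH NAME: print the active NAME lines that sit inside the
# <Location PATH> ... </Location> block; nothing if the block is absent.
in_location() {
    awk -v loc="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        tolower($0) ~ "^[ \t]*<location[ \t]+" tolower(loc) "[ \t]*>" { inblk = 1; next }
        tolower($0) ~ "^[ \t]*</location>" { inblk = 0 }
        inblk && tolower($1) == tolower(d) { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# check_apache_conf FILE: findings to stderr, number of findings to stdout.
# Active "Allow from" entries for the admin page are listed for review rather
# than counted, since the slide permits trusted hosts there.
check_apache_conf() {
    f=$1; n=0
    directive "$f" ServerSignature | grep -qix off \
        || { echo "FINDING: ServerSignature is not Off (version banner shown)" >&2; n=$((n + 1)); }
    directive "$f" ServerTokens | grep -qix prod \
        || { echo "FINDING: ServerTokens is not Prod" >&2; n=$((n + 1)); }
    in_location "$f" /pls/admin_ Order | grep -qi 'deny,allow' \
        || { echo "FINDING: <Location /pls/admin_> missing or lacks 'Order deny,allow'" >&2; n=$((n + 1)); }
    in_location "$f" /pls/admin_ Deny | grep -qi 'from.*all' \
        || { echo "FINDING: <Location /pls/admin_> lacks 'Deny from all'" >&2; n=$((n + 1)); }
    in_location "$f" /pls/admin_ Allow | sed 's/^/REVIEW: admin page reachable via: /' >&2
    { directive "$f" CustomLog; directive "$f" TransferLog; } | grep -q . \
        || { echo "FINDING: no CustomLog/TransferLog, server access is not logged" >&2; n=$((n + 1)); }
    echo "$n"
}

# write_sample_conf FILE: constructed httpd.conf with one deliberate deviation
# (ServerSignature On) for the checker to find.
write_sample_conf() {
    cat > "$1" <<'EOF'
ServerSignature On
ServerTokens Prod
CustomLog /u01/app/oracle/iAS/Apache/Apache/logs/access_log common
<Location /pls/admin_>
    Order deny,allow
    Deny from all
    # Uncommenting the next line allows selected hosts to use the admin page
    # Allow from localhost 10.0.0.5
</Location>
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
echo "findings: $(check_apache_conf "$conf")"   # prints "findings: 1"
rm -f "$conf"
```

Run it against the live httpd.conf after every patch or configuration merge; the REVIEW lines are the hosts that can reach the mod_plsql administration page and should match the intended trusted list.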
E-Business Suite Security
• Set Workflow Notification Mailer SEND_ACCESS_KEY to N
• Use SSL (HTTPS) Between Browser and Web Server
• Use Terminal Services for Client-Server Programs
E-Business Suite Security
• Change Passwords for seeded Application User Accounts

  Account              Product/Purpose                               Change   Disable
  ANONYMOUS            FND/AOL – Anonymous for non-logged users      Y        Y
  APPSMGR              Routine maintenance via concurrent requests   Y        Y
  ASGADM               Mobile gateway related products               Y        N
  ASGUEST              Sales Application guest user                  Y        N
  AUTOINSTALL          AD                                            Y        Y
  CONCURRENT MANAGER   FND/AOL: Concurrent Manager                   Y        Y
  FEEDER SYSTEM        AD – Supports data from feeder system         Y        Y
  GUEST                Guest application user                        Y        N
E-Business Suite Security
• Tighten Logon and Session Profile Options

  Profile Option Name             Recommendation
  SIGNON_PASSWORD_LENGTH          8
  SIGNON_PASSWORD_HARD_TO_GUESS   Yes
  SIGNON_PASSWORD_NO_REUSE        180
  ICX_SESSION_TIMEOUT             30
E-Business Suite Security
• Create New User Accounts Safely
• Create Shared Responsibilities instead of Shared Accounts
• Configure Concurrent Manager for Safe Authentication
• Activate Server Security
• Set Up Server Security
• Review GUEST User Responsibilities
• Review Users with Administrative Responsibilities
• Limit Access to Security Related Forms
E-Business Suite Security
• Set other Security Related Profile Options

  Profile Option                   Suggested Value
  AuditTrail:Activate              Yes
  Concurrent:Report Access Level   User
  FND:Diagnostics                  No
  Sign-on:Notification             Yes
  Utilities:Diagnostics            No
E-Business Suite Security
• Restrict Responsibilities by Web Server Trust Level
  – administrative
  – normal
  – external
• Set SIGN-ON Audit Level
  – APPLSYS.FND_LOGINS
  – APPLSYS.FND_LOGIN_RESPONSIBILITIES
  – APPLSYS.FND_LOGIN_RESP_FORMS
E-Business Suite Security
• Monitor System Activity with OAM
• Retrieve Audit Records Using Reports
  – Sign-on Audit Concurrent Requests
  – Sign-on Audit Forms
  – Sign-on Audit Responsibilities
  – Sign-on Audit Unsuccessful Logins
  – Sign-on Audit Users
Desktop Security
• Update browser
• Turn off auto-complete in Internet Explorer
• Set policy for unattended PC sessions
Operating Environment Security
• Clean up file ownership and access
• Clean up file permissions
• Eliminate Telnet connections
• Eliminate FTP connections
• Verify network configuration
Questions and Answers
Copyright Information
• Neither TUSC nor the authors guarantee this document to be error-free. Please send comments and questions to: [email protected]
• TUSC © 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC
• www.tusc.com
References
• Best Practices for Securing Oracle E-Business Suite/Oracle Corporation Version 3.0.2
• Oracle Metalink
• Oracle Technology Network (OTN)
More Info
• Other good references that I use are:
  – http://metalink.oracle.com
  – http://oraclepartnernetwork.oracle.com
  – http://otn.oracle.com
  – http://tahiti.oracle.com
  – http://technet.oracle.com
  – http://www.google.com
  – http://www.ioug.org
  – http://www.orafaq.org
  – http://www.tusc.com
  – http://www.odtug.com
TUSC Contact Information
Milton Estrada (TUSC Senior Consultant) [email protected]
George Frederick (TUSC Sales Executive) [email protected]
630-960-2909
TUSC
377 E. Butterfield Road, Suite 100
Lombard, IL 60148
www.tusc.com