Milton Estrada, TUSC

2. Best Security Practices for Oracle E-Business 11i
   Milton Estrada – Senior Consultant, Application Practice

3. Milton Estrada, TUSC, (800) 755-TUSC

4. Agenda
   • Overview
   • Oracle TNS Listener Security
   • Oracle Database Security
   • Oracle Application Tier Security
   • E-Business Suite Security
   • Desktop Security
   • Operating Environment Security

5. Overview
   • In today's environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between the risk of exposure, the cost of security and the value of the information protected.
   • Each organization determines its own correct balance. To that end, this document describes security measures that will be put in place for securing Oracle E-Business Suite.

6. Overview
7. Oracle TNS Listener Security
   • Valid Node Checking
     - To enable Valid Node Checking, set the following parameters in $TNS_ADMIN/sqlnet.ora:
         tcp.validnode_checking = YES
         tcp.invited_nodes = ( X.X.X.X, hostname, ... )
   • Specify Connection Timeout
     - CONNECT_TIMEOUT_$ORACLE_SID = 10

8. Oracle TNS Listener Security
   • Enable TNS Listener Password
         $ lsnrctl
         LSNRCTL> set current_listener $ORACLE_SID
         LSNRCTL> change_password
         LSNRCTL> set password
         LSNRCTL> save_config
         $ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
         LSNRCTL> set current_listener $ORACLE_SID
         LSNRCTL> set password
         LSNRCTL> reload

9. Oracle TNS Listener Security
   • Enable Admin Restrictions
     - ADMIN_RESTRICTIONS_$ORACLE_SID=ON
   • Enable TNS Listener Logging
     - LOG_STATUS = ON
     - LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
     - LOG_FILE_$ORACLE_SID = $ORACLE_SID
10. Oracle Database Security
   • Disable XDB
     - *.dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'
   • Remove OS Trusted Login
     - REMOTE_OS_AUTHENT=FALSE

11. Oracle Database Security
   • Implement two or more profiles for password management

12. Oracle Database Security
   • Change default installation passwords for:
     - Default database administration schemas
     - Schemas belonging to optional database features neither used nor patched by E-Business Suite
     - Schemas belonging to optional database features used but not patched by E-Business Suite
     - Schemas belonging to optional database features used and patched by E-Business Suite
     - Schemas common to all E-Business Suite products
     - Schemas associated with specific E-Business Suite products
       (On 11.5.9 or 11.5.10, apply patch 4745998 to enable the ALLORACLE parameter of FNDCPASS)

13. Oracle Database Security
   • Restrict access to SQL trace files
     - _TRACE_FILES_PUBLIC=FALSE
   • Remove OS trusted roles
     - REMOTE_OS_ROLES=FALSE

14. Oracle Database Security
   • Limit file system access within PL/SQL
     - UTL_FILE_DIR = <dir1>,<dir2>,<dir3>...
     - Avoid: UTL_FILE_DIR = *
   • Limit Dictionary Access
     - O7_DICTIONARY_ACCESSIBILITY = FALSE

15. Oracle Database Security
   • Configure DB for Auditing
     - AUDIT_TRAIL = OS
     - AUDIT_FILE_DEST = 'audit_file_directory'
   • Audit DB connections
     - SQL> audit session;
   • Audit DB Schema Changes
     - SQL> audit user;
16. Oracle Application Tier Security
   • Remove Application Server Banner
     - Set ServerSignature off
     - Set ServerTokens Prod

17. Oracle Application Tier Security
   • Restrict MOD_PLSQL Web Administration
         <Location /pls/admin_>
           Order deny,allow
           Deny from all
           # Uncommenting the next line allows selected hosts to use the admin page
           # Allow from localhost <list of TRUSTED IPs>
         </Location>

18. Oracle Application Tier Security
   • Configure Logging
     - Oracle Application Server respects Apache's logging parameters. When activated, the server logs who has accessed the system, when, and the nature of the requested operation. At a minimum, log server access.
19. E-Business Suite Security
   • Set Workflow Notification Mailer SEND_ACCESS_KEY to N
   • Use SSL (HTTPS) Between Browser and Web Server
   • Use Terminal Services for Client-Server Programs

20. E-Business Suite Security
   • Change Passwords for seeded Application User Accounts

     Account             Product/Purpose                               Change  Disable
     ANONYMOUS           FND/AOL – Anonymous for non-logged users      Y       Y
     APPSMGR             Routine maintenance via concurrent requests   Y       Y
     ASGADM              Mobile gateway related products               Y       N
     ASGUEST             Sales Application guest user                  Y       N
     AUTOINSTALL         AD                                            Y       Y
     CONCURRENT MANAGER  FND/AOL: Concurrent Manager                   Y       Y
     FEEDER SYSTEM       AD – Supports data from feeder system         Y       Y
     GUEST               Guest application user                        Y       N

21. E-Business Suite Security
   • Tighten Logon and Session Profile Options

22. E-Business Suite Security
   • Create New User Accounts Safely
   • Create Shared Responsibilities instead of Shared Accounts
   • Configure Concurrent Manager for Safe Authentication
   • Activate Server Security
   • Set up Server Security
   • Review GUEST User Responsibilities
   • Review Users with Administrative Responsibilities
   • Limit Access to Security Related Forms

23. E-Business Suite Security
   • Set other Security Related Profile Options

     Profile Option                   Suggested Value
     AuditTrail:Activate              Yes
     Concurrent:Report Access Level   User
     FND:Diagnostics                  No
     Sign-on:Notification             Yes
     Utilities:Diagnostics            No

24. E-Business Suite Security
   • Restrict Responsibilities by Web Server Trust Level
     - administrative
     - normal
     - external
   • Set SIGN-ON Audit Level (audit records are written to:)
     - APPLSYS.FND_LOGINS
     - APPLSYS.FND_LOGIN_RESPONSIBILITIES
     - APPLSYS.FND_LOGIN_RESP_FORMS

25. E-Business Suite Security
   • Monitor System Activity with OAM
   • Retrieve Audit Records Using Reports
     - Sign-on Audit Concurrent Requests
     - Sign-on Audit Forms
     - Sign-on Audit Responsibilities
     - Sign-on Audit Unsuccessful Logins
     - Sign-on Audit Users
26. Desktop Security
   • Update browser
   • Turn off auto-complete in Internet Explorer
   • Set policy for unattended PC sessions

27. Operating Environment Security
   • Clean up file ownership and access
   • Clean up file permissions
   • Eliminate Telnet connections
   • Eliminate FTP connections
   • Verify network configuration

28. Questions and Answers

29. Copyright Information
   • Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: [email_address]
   • TUSC © 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC.

30. References
   • Best Practices for Securing Oracle E-Business Suite, Oracle Corporation, Version 3.0.2
   • Oracle Metalink
   • Oracle Technology Network (OTN)

31. More Info
   • Other good references that I use are:

32. TUSC Contact Information
   Milton Estrada (TUSC Senior Consultant)
   George Frederick (TUSC Sales Executive), 630-960-2909
   TUSC, 377 E. Butterfield Road, Suite 100, Lombard, IL 60148
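The sqlnet.ora, listener.ora and init.ora settings from the TNS Listener Security and Oracle Database Security slides can be verified mechanically. The script below is an added example, not part of the slides or of TUSC's material: it reads one-line KEY = VALUE entries from constructed sample files and reports every setting that differs from the slides' recommended values. The file names, the instance name PROD and the sample contents are assumptions.

```python
def parse_ora(text):
    """Parse one-setting-per-line KEY = VALUE entries of an Oracle .ora file (assumption:
    the slides' settings are single-line); strips # comments, the init.ora '*.' prefix and quotes."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().strip('"').upper()
        key = key[2:] if key.startswith("*.") else key
        params[key] = value.strip().strip("'\"")
    return params

# Expected values taken from the slides; None means "must be set"; {SID} is the instance name.
RULES = {
    "sqlnet.ora": [("TCP.VALIDNODE_CHECKING", "YES"), ("TCP.INVITED_NODES", None)],
    "listener.ora": [("ADMIN_RESTRICTIONS_{SID}", "ON"), ("LOG_STATUS", "ON"),
                     ("CONNECT_TIMEOUT_{SID}", None)],
    "init.ora": [("REMOTE_OS_AUTHENT", "FALSE"), ("REMOTE_OS_ROLES", "FALSE"),
                 ("_TRACE_FILES_PUBLIC", "FALSE"), ("O7_DICTIONARY_ACCESSIBILITY", "FALSE"),
                 ("AUDIT_TRAIL", "OS")],
}

def check(files, sid):
    """Return findings (empty list = compliant); `files` maps file name -> file contents."""
    findings = []
    for name, rules in RULES.items():
        params = parse_ora(files.get(name, ""))
        for key, expected in rules:
            key = key.replace("{SID}", sid.upper())
            actual = params.get(key)
            if actual is None:
                findings.append(f"{name}: {key} is not set")
            elif expected is not None and actual.upper() != expected:
                findings.append(f"{name}: {key} = {actual!r}, expected {expected}")
    # UTL_FILE_DIR = * lets PL/SQL read and write any directory (slide 14): flag it explicitly
    if parse_ora(files.get("init.ora", "")).get("UTL_FILE_DIR") == "*":
        findings.append("init.ora: UTL_FILE_DIR = * grants unrestricted file system access")
    return findings

# Constructed sample files (not from the slides); init.ora uses the *.param form shown on slide 10
SAMPLE = {
    "sqlnet.ora": "tcp.validnode_checking = YES\ntcp.invited_nodes = (10.0.0.5, appshost)\n",
    "listener.ora": "LOG_STATUS = ON\nADMIN_RESTRICTIONS_PROD = OFF  # default, should be ON\n",
    "init.ora": "*.remote_os_authent=FALSE\n*.remote_os_roles=TRUE\n\"_trace_files_public\"=FALSE\n"
                "*.o7_dictionary_accessibility=FALSE\n*.audit_trail='OS'\n*.utl_file_dir='*'\n",
}

for finding in check(SAMPLE, "PROD"):
    print(finding)
```

Run against the sample it reports the listener admin restriction left at OFF, the missing connection timeout, REMOTE_OS_ROLES=TRUE and the wildcard UTL_FILE_DIR; point `SAMPLE` at the real files under $TNS_ADMIN and $ORACLE_HOME/dbs to audit an instance.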