
Oracle EBS R12 - Security

Best Practices for Securing Oracle EBS R12

Agenda

- Overview
- Oracle TNS Listener Security
- Oracle Database Security
- Oracle Application Tier Security
- E-Business Suite Security
- Desktop Security
- Operating Environment Security
- Q&A

Overview
In today's environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between the risk of exposure, the cost of security and the value of the information protected. Each organization determines its own correct balance. To that end, this presentation describes security measures to put in place when securing Oracle E-Business Suite R12.

Overview - Continued

Oracle TNS Listener Security

Enable Valid Node Checking (sqlnet.ora):

  tcp.validnode_checking = YES
  tcp.invited_nodes = ( X.X.X.X, hostname, ... )
  tcp.excluded_nodes = ( hostname, X.X.X.X, ... )

Specify Connection Timeout (listener.ora):

  CONNECT_TIMEOUT_$ORACLE_SID = 10

Enable TNS Listener Password:

  $ lsnrctl
  LSNRCTL> set current_listener $ORACLE_SID
  LSNRCTL> change_password
  LSNRCTL> set password
  LSNRCTL> save_config

Enable Admin Restrictions:

  $ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
  LSNRCTL> set current_listener $ORACLE_SID
  LSNRCTL> set password
  LSNRCTL> reload

  ADMIN_RESTRICTIONS_$ORACLE_SID = ON

Enable TNS Listener Logging:

  LOG_STATUS = ON
  LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
  LOG_FILE_$ORACLE_SID = $ORACLE_SID
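As an added example (not part of the TUSC slides), the following Python audits a pair of sqlnet.ora / listener.ora files against the listener items above: valid node checking with a non-empty invited list, the per-SID connection timeout, admin restrictions and a log file. The sample file contents, host names and paths are constructed placeholders.

```python
import re

def parse_ora(text):
    """Parse Oracle *.ora 'KEY = VALUE' lines into {KEY: value}; keys upper-cased,
    '#' comments dropped, indented '(DESCRIPTION = ...' address blocks skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("(") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params

def check_tns_hardening(sqlnet_text, listener_text, sid):
    """Return a sorted list of findings against the slide's listener items ([] = pass)."""
    sqlnet, listener = parse_ora(sqlnet_text), parse_ora(listener_text)
    sid = sid.upper()
    findings = []
    if sqlnet.get("TCP.VALIDNODE_CHECKING", "").upper() != "YES":
        findings.append("valid node checking is off")
    elif not re.search(r"\(\s*[^\s)]", sqlnet.get("TCP.INVITED_NODES", "")):
        # checking is on, but the allow-list is missing or empty: nothing can connect
        findings.append("valid node checking on but invited_nodes is empty")
    if listener.get(f"ADMIN_RESTRICTIONS_{sid}", "").upper() != "ON":
        findings.append(f"ADMIN_RESTRICTIONS_{sid} is not ON")
    timeout = listener.get(f"CONNECT_TIMEOUT_{sid}", "")
    if not timeout.isdigit() or int(timeout) == 0:
        findings.append(f"CONNECT_TIMEOUT_{sid} is not set")
    if f"LOG_FILE_{sid}" not in listener:
        findings.append(f"LOG_FILE_{sid} is not set")
    return sorted(findings)

# Constructed sample files (not real systems): an unhardened pair and a pair
# that follows the slide. Hosts, addresses and paths are placeholders.
WEAK_SQLNET = "NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)\n"
WEAK_LISTENER = """PROD =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
"""
HARDENED_SQLNET = """tcp.validnode_checking = YES
tcp.invited_nodes = (10.0.0.5, appshost)   # constructed allow-list
"""
HARDENED_LISTENER = """CONNECT_TIMEOUT_PROD = 10
ADMIN_RESTRICTIONS_PROD = ON
LOG_FILE_PROD = PROD
"""
```

Run `check_tns_hardening(WEAK_SQLNET, WEAK_LISTENER, "PROD")` to list what the unhardened pair lacks; the hardened pair returns an empty list.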

Oracle Database Security


Disable XDB (remove the XDB dispatcher from the init parameters):

  dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'

Remove OS trusted login:

  REMOTE_OS_AUTHENT=FALSE

Implement two or more profiles for password management:

  Password Parameter          Application Profile   Administrator Profile
  FAILED_LOGIN_ATTEMPTS       Unlimited             5
  PASSWORD_LIFE_TIME          Unlimited             90
  PASSWORD_REUSE_TIME         180                   180
  PASSWORD_REUSE_MAX          Unlimited             Unlimited
  PASSWORD_LOCK_TIME          Unlimited             7
  PASSWORD_GRACE_TIME         Unlimited             14
  PASSWORD_VERIFY_FUNCTION    Recommended           Recommended

Oracle Database Security - Continued

Change default installation passwords:

- Default database administration schemas
- Schemas belonging to optional database features neither used nor patched by E-Business Suite
- Schemas belonging to optional database features used but not patched by E-Business Suite
- Schemas belonging to optional database features used and patched by E-Business Suite
- Schemas common to all E-Business Suite products
- Schemas associated with specific E-Business Suite products

Restrict access to SQL trace files:

  _TRACE_FILES_PUBLIC=FALSE

Remove OS trusted roles:

  REMOTE_OS_ROLES=FALSE

Limit file system access within PL/SQL:

  Avoid: UTL_FILE_DIR = *

Limit dictionary access:

  O7_DICTIONARY_ACCESSIBILITY = FALSE

Configure DB for auditing:

  AUDIT_TRAIL = OS
  AUDIT_FILE_DEST = /u01/logs/db/audit

Audit DB connections:

  SQL> audit session;

Audit DB schema changes:

  SQL> audit user;

Oracle Application Tier Security

Remove Application Server Banner:

  ServerSignature Off
  ServerTokens Prod

Protect Administrative Web Pages:

  <Location "uri-to-protect">
    Order deny,allow
    Deny from all
    Allow from localhost <list of TRUSTED IPs>
  </Location>

Disable Test Pages:

  <Location ~ "^/fcgi-bin/echo.*$">
    Order deny,allow
    Deny from all
  </Location>

Configure Logging

E-Business Suite Security - Continued

Change Passwords for Seeded Application User Accounts

  Account             Product/Purpose                              Change  Disable
  ANONYMOUS           FND/AOL: anonymous for non-logged users      Y       Y
  APPSMGR             Routine maintenance via concurrent requests  Y       Y
  ASGADM              Mobile gateway related products              Y       N
  ASGUEST             Sales application guest user                 Y       N
  AUTOINSTALL         AD                                           Y       Y
  CONCURRENT MANAGER  FND/AOL: Concurrent Manager                  Y       Y
  FEEDER SYSTEM       AD: supports data from feeder system         Y       Y
  GUEST               Guest application user                       Y       N

E-Business Suite Security - Continued


Consider Using Single Sign-On (SSO): refer to ML Doc ID 376811.1

Create New User Accounts Safely

Create Shared Responsibilities Instead of Shared Accounts

Configure Concurrent Manager for Safe Authentication

Activate Server Security

Tighten Logon and Session Profile Options:

  Profile Option Name             Recommendation
  SIGNON_PASSWORD_LENGTH          8
  SIGNON_PASSWORD_HARD_TO_GUESS   Yes
  SIGNON_PASSWORD_NO_REUSE        180
  ICX_SESSION_TIMEOUT             30

Desktop Security

Configure Browser: refer to ML Doc ID 389422.1

Update Browser

Turn off Browser Auto Complete

Set Policy for Unattended PC Sessions

Operating Environment Security


Clean up file ownership and access

Clean up file permissions

Eliminate Telnet connections

Eliminate FTP connections

Verify network configuration

Q&A

Copyright Information

Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: estradam@tusc.com

TUSC 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC.
www.tusc.com

References

- Best Practices for Securing Oracle E-Business Suite, Oracle Corporation, Version 3.0.2
- Oracle Metalink
- Oracle Technology Network (OTN)
