Oracle EBS R12 - Security
Best Practices for Securing Oracle EBS R12

Agenda
- Overview
- Oracle TNS Listener Security
- Oracle Database Security
- Oracle Application Tier Security
- E-Business Suite Security
- Desktop Security
- Operating Environment Security
- Q&A

Overview
In today's environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between the risk of exposure, the cost of security and the value of the information protected. Each organization determines its own correct balance. To that end, this presentation describes the security measures that will be put in place for securing Oracle E-Business Suite R12.

Overview - Continued

Oracle TNS Listener Security
- Enable "Validate Node Checking":
    tcp.validnode_checking = YES
    tcp.invited_nodes = ( X.X.X.X, hostname, ... )
    tcp.excluded_nodes = ( hostname, X.X.X.X, ... )
- Specify Connection Timeout:
    CONNECT_TIMEOUT_$ORACLE_SID = 10
- Enable TNS Listener Password:
    $ lsnrctl
    LSNRCTL> set current_listener $ORACLE_SID
    LSNRCTL> change_password
    LSNRCTL> set password
    LSNRCTL> save_config
    $ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
    LSNRCTL> set current_listener $ORACLE_SID
    LSNRCTL> set password
    LSNRCTL> reload
- Enable Admin Restrictions:
    ADMIN_RESTRICTIONS_$ORACLE_SID = ON
- Enable TNS Listener Logging:
    LOG_STATUS = ON
    LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
    LOG_FILE_$ORACLE_SID = $ORACLE_SID

Oracle Database Security
- Disable XDB:
    dispatchers = '(PROTOCOL=TCP) (SERVICE=sidXDB)'
- Remove OS trusted login:
    REMOTE_OS_AUTHENT = FALSE
- Implement two or more profiles for password management:

    Password Parameter          Application Profile   Administrator Profile
    FAILED_LOGIN_ATTEMPTS       Unlimited             5
    PASSWORD_LIFE_TIME          Unlimited             90
    PASSWORD_REUSE_TIME         180                   180
    PASSWORD_REUSE_MAX          Unlimited             Unlimited
    PASSWORD_LOCK_TIME          Unlimited             7
    PASSWORD_GRACE_TIME         Unlimited             14
    PASSWORD_VERIFY_FUNCTION    Recommended           Recommended

Oracle Database Security - Continued
- Change default installation passwords for:
    - Default database administration schemas
    - Schemas belonging to optional database features neither used nor patched by E-Business Suite
    - Schemas belonging to optional database features used but not patched by E-Business Suite
    - Schemas belonging to optional database features used and patched by E-Business Suite
    - Schemas common to all E-Business Suite products
    - Schemas associated with specific E-Business Suite products
- Restrict access to SQL trace files:
    _TRACE_FILES_PUBLIC = FALSE
- Remove OS trusted roles:
    REMOTE_OS_ROLES = FALSE
- Limit file system access within PL/SQL:
    Avoid: UTL_FILE_DIR = *
- Limit dictionary access:
    O7_DICTIONARY_ACCESSIBILITY = FALSE
- Configure DB for auditing:
    AUDIT_TRAIL = OS
    AUDIT_FILE_DEST = /u01/logs/db/audit
- Audit DB connections:
    SQL> audit session;
- Audit DB schema changes:
    SQL> audit user;

Oracle Application Tier Security
- Remove Application Server banner:
    Set ServerSignature off
    Set ServerTokens Prod
- Protect administrative web pages:
    <Location "uri-to-protect">
      Order deny,allow
      Deny from all
      Allow from localhost <list of TRUSTED IPs>
    </Location>
- Disable test pages:
    <Location ~ "^/fcgi-bin/echo.*$">
      Order deny,allow
      Deny from all
    </Location>
- Configure logging

E-Business Suite Security - Continued
- Change passwords for seeded application user accounts:

    Account              Product/Purpose                                Change   Disable
    ANONYMOUS            FND/AOL – Anonymous for non-logged users       Y        Y
    APPSMGR              Routine maintenance via concurrent requests    Y        Y
    ASGADM               Mobile gateway related products                Y        N
    ASGUEST              Sales Application guest user                   Y        N
    AUTOINSTALL          AD                                             Y        Y
    CONCURRENT MANAGER   FND/AOL: Concurrent Manager                    Y        Y
    FEEDER SYSTEM        AD – Supports data from feeder system          Y        Y
    GUEST                Guest application user                         Y        N

E-Business Suite Security - Continued
- Consider using Single Sign-On (SSO); refer to ML Doc ID 376811.1
- Create new user accounts safely
- Create shared responsibilities instead of shared accounts
- Configure Concurrent Manager for safe authentication
- Activate server security
- Tighten logon and session profile options:

    Profile Option Name             Recommendation
    SIGNON_PASSWORD_LENGTH          8
    SIGNON_PASSWORD_HARD_TO_GUESS   Yes
    SIGNON_PASSWORD_NO_REUSE        180
    ICX_SESSION_TIMEOUT             30

Desktop Security
- Configure browser; refer to ML Doc ID 389422.1
- Update browser
- Turn off browser auto complete
- Set policy for unattended PC sessions

Operating Environment Security
- Clean up file ownership and access
- Clean up file permissions
- Eliminate Telnet connections
- Eliminate FTP connections
- Verify network configuration

Q&A

Copyright Information
Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: [email protected]
TUSC © 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC. www.tusc.com

References
- Best Practices for Securing Oracle E-Business Suite, Oracle Corporation, Version 3.0.2
- Oracle Metalink
- Oracle Technology Network (OTN)
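The two "Oracle Database Security" slides list the password profiles, init parameters and audit statements as bare settings. The script below is an added example, not part of the TUSC deck, that applies them in one pass and then reads back the result so the DBA can confirm what is actually in force. It is meant to be run as SYSDBA. The profile names APPS_PROFILE and DBA_PROFILE, the accounts they are assigned to, and the UTL_FILE_DIR path are assumptions or placeholders; VERIFY_FUNCTION is assumed to have been created beforehand by Oracle's supplied $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.

```sql
-- Added example (not from the TUSC deck): implements the "Oracle Database Security"
-- slides. Run as SYSDBA. Profile names, assigned accounts and paths are
-- assumptions/placeholders; VERIFY_FUNCTION comes from utlpwdmg.sql.

-- 1. Application profile. Batch and concurrent-manager logins must never be
--    locked out by a flood of bad passwords, so attempt/lock limits stay
--    UNLIMITED and only reuse is restricted. Oracle treats
--    PASSWORD_REUSE_TIME=n together with PASSWORD_REUSE_MAX=UNLIMITED as
--    "a password can never be reused".
CREATE PROFILE apps_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    UNLIMITED
  PASSWORD_LIFE_TIME       UNLIMITED
  PASSWORD_REUSE_TIME      180
  PASSWORD_REUSE_MAX       UNLIMITED
  PASSWORD_LOCK_TIME       UNLIMITED
  PASSWORD_GRACE_TIME      UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;

-- 2. Administrator profile: interactive DBA accounts do get lockout and expiry.
CREATE PROFILE dba_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90
  PASSWORD_REUSE_TIME      180
  PASSWORD_REUSE_MAX       UNLIMITED
  PASSWORD_LOCK_TIME       7
  PASSWORD_GRACE_TIME      14
  PASSWORD_VERIFY_FUNCTION verify_function;

-- 3. Assign the profiles (APPS is the E-Business Suite application schema;
--    SYSTEM stands in for any interactive administrator account).
ALTER USER apps   PROFILE apps_profile;
ALTER USER system PROFILE dba_profile;

-- 4. Static parameters from the slides; they take effect at the next restart.
ALTER SYSTEM SET remote_os_authent           = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_roles             = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET "_trace_files_public"       = FALSE SCOPE = SPFILE;
-- UTL_FILE_DIR: name only the directory EBS actually needs, never '*'.
-- Placeholder path: substitute the instance's own APPLPTMP directory.
ALTER SYSTEM SET utl_file_dir    = '/u01/applptmp'      SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail     = OS                   SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/u01/logs/db/audit' SCOPE = SPFILE;

-- 5. Statement audit options: every logon/logoff (AUDIT SESSION) and every
--    CREATE/ALTER/DROP USER (AUDIT USER). Records land in AUDIT_FILE_DEST
--    once AUDIT_TRAIL=OS is active.
AUDIT SESSION;
AUDIT USER;

-- 6. Verify: password limits of the two profiles, and the system-wide
--    statement audit options now in force.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  profile IN ('APPS_PROFILE', 'DBA_PROFILE')
AND    resource_type = 'PASSWORD'
ORDER  BY profile, resource_name;

SELECT audit_option, success, failure
FROM   dba_stmt_audit_opts
WHERE  user_name IS NULL;   -- NULL user_name = option applies to all users
```

The parameter changes are written to the SPFILE only, so the running instance is unchanged until the planned restart; the two SELECTs at the end are the evidence worth keeping with the change record.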
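The seeded-account table and the profile-option table on the "E-Business Suite Security" slides are checks a practitioner will want to repeat after every clone or patch. The queries below are an added example, not part of the TUSC deck, that report the current state of both against the slides' recommendations. They are meant to be run as APPS and assume the standard FND_USER, FND_PROFILE_OPTIONS and FND_PROFILE_OPTION_VALUES layout, that LEVEL_ID 10001 is the site level, and that the Yes/No option SIGNON_PASSWORD_HARD_TO_GUESS is stored as the code 'Y'.

```sql
-- Added example (not from the TUSC deck): verifies the "E-Business Suite
-- Security" slides against the live FND tables. Run as APPS. Assumes the
-- standard FND_USER / FND_PROFILE_OPTIONS / FND_PROFILE_OPTION_VALUES columns,
-- LEVEL_ID 10001 = site level, and 'Y' as the stored code for "Yes".

-- 1. Seeded accounts the slide marks "Disable = Y" that are still open.
--    Accounts marked "Disable = N" (ASGADM, ASGUEST, GUEST) must stay active
--    and only get a password change, so they are deliberately not listed.
SELECT user_name, end_date, last_logon_date
FROM   fnd_user
WHERE  user_name IN ('ANONYMOUS', 'APPSMGR', 'AUTOINSTALL',
                     'CONCURRENT MANAGER', 'FEEDER SYSTEM')
AND   (end_date IS NULL OR end_date > SYSDATE)
ORDER  BY user_name;

-- 2. Site-level values of the logon/session profile options beside the
--    recommendation. A NULL current value means the option was never set at
--    site level, so the seeded default applies and needs review. The nested
--    CASE keeps TO_NUMBER away from the Yes/No option's non-numeric value.
WITH recommended AS (
  SELECT 'SIGNON_PASSWORD_LENGTH'        AS name, '8'   AS val FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_HARD_TO_GUESS' AS name, 'Y'   AS val FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_NO_REUSE'      AS name, '180' AS val FROM dual UNION ALL
  SELECT 'ICX_SESSION_TIMEOUT'           AS name, '30'  AS val FROM dual
)
SELECT r.name,
       r.val                    AS recommended,
       pov.profile_option_value AS current_site_value,
       CASE
         WHEN pov.profile_option_value IS NULL THEN 'NOT SET'
         ELSE CASE r.name
                WHEN 'SIGNON_PASSWORD_HARD_TO_GUESS' THEN
                  CASE WHEN pov.profile_option_value = 'Y'
                       THEN 'OK' ELSE 'REVIEW' END
                WHEN 'SIGNON_PASSWORD_LENGTH' THEN
                  CASE WHEN TO_NUMBER(pov.profile_option_value) >= 8
                       THEN 'OK' ELSE 'REVIEW' END
                WHEN 'SIGNON_PASSWORD_NO_REUSE' THEN
                  CASE WHEN TO_NUMBER(pov.profile_option_value) >= 180
                       THEN 'OK' ELSE 'REVIEW' END
                WHEN 'ICX_SESSION_TIMEOUT' THEN
                  CASE WHEN TO_NUMBER(pov.profile_option_value) <= 30
                       THEN 'OK' ELSE 'REVIEW' END
              END
       END AS status
FROM   recommended r
JOIN   fnd_profile_options po
       ON po.profile_option_name = r.name
LEFT JOIN fnd_profile_option_values pov
       ON pov.profile_option_id = po.profile_option_id
      AND pov.application_id   = po.application_id
      AND pov.level_id         = 10001
ORDER  BY r.name;
```

The first query returns no rows on a correctly hardened instance; any row it does return names an account to end-date. The second always returns four rows, and anything other than OK in the status column is an item for the change list.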