iSelfSchooling.com  Since 1999

Oracle 11g New Features

Online Oracle Training

 

Oracle 11g: Secure Configuration Guide checklist
 

 

I will follow the secure configuration guide checklist below. You can skip steps that do not apply to your environment or are not a concern for your organization.


1. Install only what is required


2. Lock and expire default user accounts


3. Change default user passwords


4. Enforce password management
    a. Complex password function
    b. Use of Oracle Advanced Security such as Kerberos


5. Enable data dictionary protection
    O7_DICTIONARY_ACCESSIBILITY=FALSE
    If it is not set to FALSE, any user with the DROP ANY TABLE privilege will be able to maliciously drop a dictionary table.


6. Grant necessary privileges only


7. Revoke unnecessary privileges from PUBLIC
    PUBLIC acts as a default role granted to every user in an Oracle database.
    So, any user can exercise privileges that are granted to PUBLIC.
    Check the execute privileges on packages. The more powerful packages that may potentially be misused include:
    UTL_TCP
    UTL_SMTP
    UTL_HTTP
    UTL_FILE
    DBMS_RANDOM


8. Grant a role to users only if they need the role's privileges


9. Restrict permissions on run-time facilities (be more specific)
    Do not:

    call dbms_java.grant_permission('SCOTT','SYS:java.io.FilePermission','<<ALL FILES>>','read');
    Do:

    call dbms_java.grant_permission('SCOTT','SYS:java.io.FilePermission','c:\mydirectory\*','read');


10. Authenticate clients properly
     Set the following configuration parameter in the pfile or spfile:
     REMOTE_OS_AUTHENT=FALSE


11. Limit the number of operating system users


12. Utilize a firewall if you have to


13. Never poke a hole through a firewall
     For example, do not leave the Oracle Listener's port 1521 open to allow connections to the Internet or vice versa.


14. Prevent unauthorized administration of the Oracle Listener
     Set the following security configuration parameter in listener.ora:
     ADMIN_RESTRICTIONS_listener_name=ON


15. Check network IP addresses
     Set the following Oracle Net parameters in protocol.ora:
     tcp.validnode_checking=YES
     tcp.excluded_nodes=(xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx)
     tcp.invited_nodes=(xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx)


16. Encrypt network traffic
     Use Oracle Advanced Security to encrypt, or set the sqlnet.ora parameters.


17. Harden the operating system
     Disable unneeded services such as FTP, TFTP, TELNET, etc. Be sure to close both the UDP and TCP ports for each service that is being disabled. Disabling one type of port and not the other does not make the operating system more secure.


18. Apply all security patches and workarounds
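
The parameter settings in items 5, 10, 14 and 15 can be checked mechanically. The script below is an added example, not part of the original checklist: it parses single-line name=value settings from configuration file text and reports deviations from the checklist values. The file-kind keys, the sample file contents and the rule that an absent parameter is reported for review are assumptions made for the example.

```python
import re

# (label, parameter-name regex, checklist value) per file kind,
# taken from checklist items 5, 10, 14 and 15.
CHECKS = {
    "init.ora": [("O7_DICTIONARY_ACCESSIBILITY", r"O7_DICTIONARY_ACCESSIBILITY", "FALSE"),
                 ("REMOTE_OS_AUTHENT", r"REMOTE_OS_AUTHENT", "FALSE")],
    "listener.ora": [("ADMIN_RESTRICTIONS_<listener_name>", r"ADMIN_RESTRICTIONS_\w+", "ON")],
    "protocol.ora": [("TCP.VALIDNODE_CHECKING", r"TCP\.VALIDNODE_CHECKING", "YES")],
}
PARAM = re.compile(r"^(?:\*\.)?([\w.]+)\s*=\s*(\S.*)$")  # optional spfile-style "*." prefix

# Constructed sample file contents (not taken from a real system).
SAMPLE_INIT = "# sample pfile\n*.o7_dictionary_accessibility=TRUE\n*.remote_os_authent=FALSE\n"
SAMPLE_LISTENER = "LISTENER =\n  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))\n"
SAMPLE_PROTOCOL = "tcp.validnode_checking = yes\n"

def parse_params(text):
    """Collect single-line NAME=VALUE settings, upper-cased; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        m = PARAM.match(line.split("#", 1)[0].strip())
        if m:
            params[m.group(1).upper()] = m.group(2).strip().strip("'\"").upper()
    return params

def audit(kind, text):
    """Return findings for one file; an absent parameter is reported (assumption)."""
    params, findings = parse_params(text), []
    for label, pattern, want in CHECKS[kind]:
        hits = {k: v for k, v in params.items() if re.fullmatch(pattern, k)}
        if not hits:
            findings.append(f"{label} is not set (checklist value: {want})")
        findings += [f"{k}={v} (checklist value: {want})"
                     for k, v in sorted(hits.items()) if v != want]
    # Item 15 lists node checking together with node lists; flag the
    # switch when neither list is present in the same file.
    if params.get("TCP.VALIDNODE_CHECKING") == "YES" and not (
            "TCP.INVITED_NODES" in params or "TCP.EXCLUDED_NODES" in params):
        findings.append("TCP.VALIDNODE_CHECKING=YES but no invited/excluded node list")
    return findings

if __name__ == "__main__":
    for kind, text in (("init.ora", SAMPLE_INIT), ("listener.ora", SAMPLE_LISTENER),
                       ("protocol.ora", SAMPLE_PROTOCOL)):
        for finding in audit(kind, text):
            print(f"{kind}: {finding}")
```

The parser only reads single-line settings, so nested multi-line listener.ora entries such as address lists are skipped rather than evaluated.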

 

 

Good Luck!

 
