SQL Servers installation and access (Cyber Security)
Using your textbook, the Internet, and any other suitable references, answer the following questions in your own words. Save your answers in a single file (minimum length of a full page of content). Remember to include any sources that you use.
- Why would you perform a silent installation?
- Under what circumstances would a system administrator lose access to an instance of SQL Server? Give an example.
- Oracle offers a free download of all editions of the Oracle Database. How does the company derive benefits from this approach?
Installation
Once a user has obtained the desired copy of Oracle, verified that the hardware and software requirements have been met, and decided on the purpose and design that best fit the needs of the environment (by choosing the desired edition and extra-cost options), installation can begin. If prerequisites have not been met, Oracle will require updates before the installation process.
The Oracle Universal Installer
The Oracle Universal Installer (OUI) is a Java-based application that provides a graphical user interface to ease the installation of some of the most complex Oracle deployments. The OUI guides an administrator through installing Oracle using a step-by-step wizard. Using the OUI enables an administrator to record the selections made within a typical Oracle installation. These recordings are placed in a file called the response file. A response file holds the specifications of a typical Oracle installation for the purpose of creating silent installations. A silent installation is an installation of an application that completes without prompting a user for settings. Silent installations use the settings recorded within response files and enable administrators to add Oracle to user machines without interruption or user interference. The OUI's silent installations and response files help administrators install Oracle on a large number of machines quickly and consistently. Before performing a silent installation, administrators should familiarize themselves with the settings in the response file template for that specific Oracle product. For Windows installations, the OUI can be run from the system's administrative account, using the system's administrative privileges. On UNIX-based systems, an administrator must first create a privileged account from which to run the OUI.
Step-by-Step Installation for Windows
This section includes the steps for installing the Oracle Database Server on a Windows 64-bit machine.
The instructional steps in this section describe installing the Enterprise Edition 64-bit server using the Oracle Universal Installer. For this installation, either the Oracle Database DVDs or a downloaded copy of the DVD contents is needed; in this section, the installation uses the downloaded version of Oracle Database 11g. From the directory where the downloaded files were unzipped, double-click the setup.exe file to start the OUI (Figure 5-1).
1. There are two different types of installations for the Oracle Database, basic and advanced. The basic installation creates a default database quickly and with minimal user involvement. The advanced option is for custom installations that require very specific software and database configurations. For instance, the advanced installation allows administrators to choose components of the database individually, whereas the basic installation automatically chooses the typical components, yet provides a list of non-default components from which an administrator can choose. These instructions show a basic installation. Therefore, on the OUI welcome screen, choose Basic Installation (Figure 5-2). The windows that appear following this selection depend on the type of installation chosen. The advanced installation is recommended because it limits the number of unnecessary features installed on a system, creating an environment that is easier to control and secure. The advanced installation is not shown here because the possibilities are too numerous to present, but it is highly recommended that specific features be chosen and installed individually. To see a list of available components within the custom or advanced installation of the database, choose Advanced Installation and then choose Custom from the Installation Type window. The OUI welcome screen also prompts the user to provide a global name and system password for the intended database. To ensure a secure installation, be sure to create a strong database password, as Oracle will accept a weak password for this account. For the purpose of this installation tutorial, input the database name as SecureData and the password as SecurePass. Once the installation type has been chosen and the database has been given a name and a password, click Next.
2. The following screen is for receiving security and configuration updates and alerts, as well as for creating a Metalink account. Administrators are given the option to provide an e-mail address at which to be informed of security and configuration issues, or to use their Metalink account for these alerts (Figure 5-3). See the security section for more information regarding security and Metalink. Once this information has been entered, click Next.
3. Oracle will now conduct a system check to ensure that all prerequisites have been met; it indicates any errors found, warnings to be noted, and verification checks that were completed (Figure 5-4). If errors are found, they must be fixed before the installation can continue. Once the prerequisites have all been satisfied, click Next.
4. The Configuration Manager (Figure 5-5) provides an option where the administrator can have the current machine's configuration associated with their Metalink account. Click Next to move forward with the installation.
5. The next window displays the installation summary (Figure 5-6), a complete summary of the components that will be installed on the machine. Click Install to begin the installation.
6. Once the installation begins, the progress window appears, displaying the progress of the installation (Figure 5-7).
7. Once the installation completes, the Configuration Assistant window appears (Figure 5-8) and begins the creation of the database. When complete, a Configuration Assistant confirmation window appears (Figure 5-9), providing the location of the log files, the Global Database Name, the System Identifier (SID), the server parameter filename, the Database Control URL, and the location of the encryption key for the Management Repository. By default, Oracle encrypts the Enterprise Management Data Repository and it is set to secure. Click Password Management to review the accounts that have passwords.
8. Ensure that all unused system administrative accounts are locked (Figure 5-10). Click the cell of an account to lock it. A checkmark is present in the column titled Lock Account? for all accounts that are currently locked. Also be sure to set strong usernames and passwords for the accounts that are left unlocked for use. It is not secure to leave the default passwords of unlocked accounts unchanged. The accounts that are unlocked by default are Sys, System, DBSNMP, and SYSMAN. Once the appropriate accounts are locked or assigned strong usernames and passwords, click OK to return to the Configuration Assistant confirmation page, and click OK on this page to confirm the end of the installation. The accounts shown here are not locked during a manual installation of Oracle. If a manual installation of Oracle is being conducted, it is extremely important to the security of the environment that these accounts are locked and set to expire, in accordance with the version of Oracle being installed.
9. At this point, installation has completed. An installation summary and reminder page appears (Figure 5-11). Review the information and click Exit, and then click Yes if prompted to confirm.
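The account review from the Password Management step can also be done from SQL*Plus after the install, which is how it has to be done after a manual or silent installation. This is an added example rather than the textbook's own steps; it assumes an Oracle 11g instance, a SYSDBA connection, and the placeholder password values shown.

```sql
-- Run in SQL*Plus connected as SYSDBA, e.g.:  CONNECT / AS SYSDBA
-- Passwords may contain "&", which SQL*Plus would otherwise treat as a
-- substitution variable, so turn substitution off first.
SET DEFINE OFF

-- 1. Which accounts are still open after the install?
SELECT username, account_status, expiry_date
  FROM dba_users
 WHERE account_status NOT LIKE 'LOCKED%'
 ORDER BY username;

-- 2. Which accounts still carry a known default password?
--    (the DBA_USERS_WITH_DEFPWD view exists from Oracle 11g onward)
SELECT username
  FROM dba_users_with_defpwd
 ORDER BY username;

-- 3. Lock and expire the default accounts that are not needed.
--    DBSNMP and SYSMAN back Enterprise Manager Database Control;
--    lock them only if Database Control is not used on this instance.
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER sysman ACCOUNT LOCK PASSWORD EXPIRE;

-- 4. Give each retained administrative account its own strong password
--    (values below are placeholders; never share one password across them).
ALTER USER sys    IDENTIFIED BY "<sys-password-placeholder>";
ALTER USER system IDENTIFIED BY "<system-password-placeholder>";

-- 5. Re-run queries 1 and 2: the default-password list should now be empty,
--    and only SYS, SYSTEM and intended application users should be open.
```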
Additional Security Considerations for an Oracle Database
Maintaining a great hold on the data solution market since the early 1980s, Oracle Corporation is a well-respected and trusted organization, which accounts greatly for its success. Although less expensive and equally as efficient alternative solutions exist, Oracle holds a majority of the data management market and can be found in most of the world’s largest organizations. These characteristics are the reason the Oracle database is one of the greatest commodities for potential intruders. It is vital that considerations for securing an Oracle database are addressed early in the planning stage and continue throughout the life of the system. This section addresses the basic security concerns from planning to the installation and early administration of an Oracle database.
Security Checklist
As mentioned earlier, security must be addressed in all stages of database deployment. Security planning should include administrators, network architecture engineers, and designers, as well as a best-practice strategy to keep the Oracle database secure. A multilayered approach should be considered early in the deployment stages. This section will review early Oracle security considerations at different points of deployment.
● Harden the operating system—Research the platform on which the database resides and identify any ports that are left open by default. Close the ports that are unnecessary or not in use (e.g., FTP, Telnet).
● Close ports for unused applications and services—Ensure that unused applications and services on the system do not provide a channel through which intruders can enter. Search the system for unused applications and services and ensure that any ports they use for transit or communication are closed or disabled.
● Use firewalls—Firewalls provide both isolation and security for the database. It is a best practice to use firewalls whenever possible to add an extra layer of security around the database.
● Apply the newest security patches—Security patches are critical to maintaining a reliable database. As security holes are found within operating systems, manufacturers release software called patches to close them. Without the most up-to-date security patches, the platform is vulnerable to intrusion.
● Restrict run time—A run time is the system that supports the execution of a computer program. Java is an example of a run-time machine that supports the execution of Oracle. Intruders can manipulate Java (as well as other run-time machines) by redirecting execution to a piece of malware that may be residing on the computer. Therefore, it is important that permissions explicitly define who may execute run-time systems and from what location.
● Restrict using IP address—Just as access can be restricted using environmental object names, it can also be restricted using environmental object addresses. Minimize unwanted access by explicitly identifying the IP addresses or ranges of IP addresses that are permitted through the firewall and onto the machines.
● Include only required software—Although this chapter has reviewed a typical installation, it is recommended that the custom installation mode be chosen within an environment. Keeping unnecessary features to a minimum results in a less complex environment that offers the administrator more security control.
● Choose database security—Newer versions of Oracle include security configuration options, such as auditing and password policy settings, by default. There is an option to disable this feature, yet doing so limits the security options available to the administrator. Therefore, unless Security Vault is installed, do not disable security features during install.
● Apply Oracle patches—As mentioned, patches are extremely important to maintaining a reliable platform. This is just as important for applications, so apply the newest patches to ensure that all identified security holes within Oracle have been fixed.
● Use encryption to transfer—Encryption is vital to the success of secure data transfer and storage in today's society. To apply strong security to your Oracle database, encrypt all client-to-server and client-to-client communications.
● Use encryption to store—Protecting the storage of your data is equally as important as protecting it in transit. Hard disks should apply encryption techniques to add an extra layer of security to the database.
● Enforce stringent access control—As with any discussion of security, it is important to remind readers of the importance of the principle of least privilege. In database terms, this equates to restriction of access at the row level. Row-level restriction can be cumbersome, but it ensures that access is explicitly controlled.
● Restrict users with operating system access—A user with access to the operating system, or to the main system directories, essentially has access to the database as well. Limiting the number of users permitted to access or modify critical operating system directories, or the paths associated with them, can greatly minimize external threats.
Take Advantage of Oracle's Security Suite
Oracle provides a number of applications to support the confidentiality, integrity, and availability of the database. Although these applications can be costly as add-ons when budgetary restrictions limit an organization, Oracle highly suggests that careful risk-measurement studies are conducted before dismissing them altogether. Oracle's suite of security applications, such as Oracle Security, Label Security, Database Vault, Identity Management, Transparent Encryption, and Secure Backup, offers a comprehensive multilayered approach to securing the environment and maintaining the privacy of the data within it. These tools address each of the security items listed in this chapter by using best-practice strategies while protecting the database from both internal and external unauthorized access. Encryption, security-based data classifications, internal realms, and real-time access controls are a few of the strategies included within these applications.
Password Policies and User Accounts
During the automatic installation and configuration of Oracle Database, Oracle installs a number of preset user accounts. Measures are taken by Oracle automatically to secure these accounts. For example, unless the database is manually created, most of the default user accounts are locked and assigned passwords are set to expire. Although these measures are taken, it is necessary that administrators take steps to further secure these accounts to ensure privacy throughout the database. A password is the first defense in maintaining a secure account. The default password for all unlocked accounts needs to be changed either during or immediately after an install. If the database is created using the interactive or progress modes, the passwords can be changed during the installation. On the other hand, if the database is created using the silent mode, the passwords are changed after the installation has completed or are specified within the specific template chosen for the database creation. Although Oracle will allow for all administrative accounts (Sys, System, DBSNMP, and SYSMAN) to use the same password, different passwords should be specified for each. This will minimize the chance of all passwords being breached at the same time.
Whether for a user or an administrator, passwords should follow strong security standards. Oracle allows the "_", "&", and "#" symbols to be used within usernames and passwords. Strong passwords use these symbols in conjunction with a mixture of letters and numbers, both lowercase and uppercase, creating a password of considerable length (8–15 characters). Creating strong passwords for default user accounts during the installation of Oracle is only one step toward ensuring secure account protection. Ensuring that users in the environment follow appropriate password standards is another. This involves the creation and strict enforcement of policies within the Oracle server. Several options provided in the server environment enable administrators to develop secure policies. Here is a list of password characteristics available within the server that can be combined to develop a password policy for the environment:
● Complexity—A policy can identify the required length and character-type combination (e.g., numbers, letters, uppercase, lowercase, symbols) of a password. It can also determine whether a user may use common or dictionary words.
● Failed attempts—A password that has been attempted too many times without success can be an indication of an intruder. Therefore, it is best to lock an account that has had too many failed password attempts. The number of failed attempts allowed, and how they are handled in the environment, can be specified as part of the password policy.
● Expired passwords—This component of a password policy specifies the length of time a user can use a password before being forced to change it. This minimizes the damage and risk that can result if a password is breached.
● Reused passwords—The number of password changes a user must wait before reusing a password is specified here.
Passwords are critical to the security of our accounts. Following best-practice guidelines such as those listed in this section, along with the creation and enforcement of policies within the Oracle server, will ensure success in any environment.
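Put together as an added example (not from the textbook), the four policy components above map onto an Oracle profile plus a password verify function that enforces the chapter's length and character rules; the function, profile and user names are assumed, and the word list is only illustrative.

```sql
-- Run as SYS in SQL*Plus: in 11g the verify function must be owned by SYS.
-- Assumed names: securedata_verify, securedata_profile, app_user.

CREATE OR REPLACE FUNCTION securedata_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    -- Complexity: the 8-15 character band given in the chapter.
    IF LENGTH(password) < 8 OR LENGTH(password) > 15 THEN
        raise_application_error(-20001, 'Password must be 8 to 15 characters');
    END IF;
    -- Complexity: mixed case, a digit, and one of the permitted symbols _ & #.
    IF NOT REGEXP_LIKE(password, '[a-z]')
       OR NOT REGEXP_LIKE(password, '[A-Z]')
       OR NOT REGEXP_LIKE(password, '[0-9]')
       OR NOT REGEXP_LIKE(password, '[_&#]') THEN
        raise_application_error(-20002,
            'Password needs upper and lower case, a digit and one of _ & #');
    END IF;
    -- Common words: reject the username and a short illustrative word list.
    IF INSTR(UPPER(password), UPPER(username)) > 0
       OR REGEXP_LIKE(password, 'password|oracle|welcome|secure', 'i') THEN
        raise_application_error(-20003, 'Password contains a common word');
    END IF;
    RETURN TRUE;
END;
/

-- One profile carries all four policy components:
--   complexity      -> PASSWORD_VERIFY_FUNCTION
--   failed attempts -> FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME (in days)
--   expiry          -> PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME (in days)
--   reuse           -> PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX; both must
--                      be set, because leaving either one UNLIMITED disables
--                      the reuse check entirely.
CREATE PROFILE securedata_profile LIMIT
    PASSWORD_VERIFY_FUNCTION securedata_verify
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       10;

-- Users stay on the DEFAULT profile until moved, so assign it explicitly.
ALTER USER app_user PROFILE securedata_profile;

-- Confirm the limits that are now in force.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'SECUREDATA_PROFILE'
   AND resource_type = 'PASSWORD';
```

Password limits in a profile are enforced regardless of the RESOURCE_LIMIT parameter, so no further instance setting is needed for the policy to take effect.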
Basta, Alfred. Database Security (p. 158). Cengage Textbook. Kindle Edition.