Question

Lab 3: Securing the Database Environment

You have been hired as the DBA for Haphazard, Inc. You are asked to fulfill the following needs of the Database environment. You can choose any database, such as Oracle, MySql, Sqlserver, etc.

1. Users, roles, and privileges need to be added to the database. Identify the statements that would be used for creating the following users, roles, and privileges that match the following requirements:

a. Create a user account NLitzinger identified by the password Dubrucr90. Solution: CREATE USER NLitzinger IDENTIFIED By ‘DuBrucr90’

b. Grant NLitzinger the SELECT and UPDATE permissions on the table called clients.

c. Create a user account HMimnaugh identified by the password EvCsvds01.

d. Grant HMimnaugh the SELECT and DELETE permissions on the table called clients.

e. Create a user account TylerM identified by the password Fwdtwet12.

f. Grant TylerM the SELECT and INSERT permissions on the table called clients.

g. Create a role named Most_Privileged without a password.

h. Grant the Most_Privileged role the Update and Delete permissions on the clients table.

i. Add all users to the Most_Privileged role.

2. Identify the most privileged users. (Which user has the most permissions?) Discuss the way in which the preceding steps could have been made more efficient.

3. A password policy needs to be enforced at Haphazard, Inc. Identify the statements required to create a server-enforced password policy with the following requirements: a. Complexity is a necessity. b. The password should be a minimum of seven characters. c. Allow the user to reuse the password after a minimum of 10 password changes. d. Lock accounts that have had more than 3 failed attempts. e. Expire the password every 60 days.

4. What security suggestions would you provide to Haphazard in terms of Authentication and Authorization? Explain what policies would you develop as well. You have been asked to fulfill the following needs as a DBA for Haphazard, Inc within their Oracle Database environment. Identify the most privileged users. (Which user has the most permissions?) Discuss the way in which the preceding steps could have been made more efficient.

Answer 1

1.a) CREATE USER NLitzinger IDENTIFIED By 'Dubrucr90';

1.b) Grant SELECT, UPDATE on clients to NLitzinger;

1.c) CREATE USER HMimnaugh IDENTIFIED By 'EvCsvds01';

1.d) Grant SELECT, DELETE on clients to HMimnaugh;

1.e) CREATE USER TylerM IDENTIFIED By 'Fwdtwet12';

1.f) Grant SELECT, INSERT on clients to TylerM;

1.g) Create role Most_Privileged;

1.h) Grant UPDATE, DELETE on clients to Most_Privileged;

1.i)  Grant Most_Privileged to public;

2.For finding most privileged user you need to see the privileges of each user.DBAs and other power users can find the privileges granted to other users with the DBA_ versions of these same views.Those views only show the privileges granted directly to the user. Finding all the privileges, including those granted indirectly through roles, requires more complicated recursive SQL statements:

select * from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER' order by 1,2,3;

select * from dba_sys_privs where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3;

select * from dba_tab_privs where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3,4;

The most commonly used views for checking privileges are

dba_role_privs

dba_sys_privs

dba_tab_privs

To make it more efficient u create roles having privileges and assign user to roles rather than individual users.

3. a)Password Complexity

• The password does not contain the account name of the user.

• The password is at least eight characters long.

• The password contains characters from three of the following four categories:

  • English uppercase letters (A through Z)

  • English lowercase letters (a through z)

  • Base 10 digits (0 through 9)

  • Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

Source: Microsoft.support.com

b)Minimum Seven Character's

So as to prevent attacker from easily interpret/identify password using all permutations and combinations , password must be atleast seven character long which ensure that it stay immune against brute-force approach atleast up-to some extent.

c)REUSE PASSWORD AFTER Minimum of 10 PASSWORD CHANGES

You can ensure that users do not reuse their previous passwords for a specified amount of time or for a specified number of password changes.

d)Lock Account With Three Failed Attempt

Account lockout threshold This specifies the number of failed attempts at login a user is allowed before the account is locked out (for example, three). After the threshold has been reached, the account will be locked out.

e)PASSWORD EXPIRATION

Password expiration concept is dying it has became an old and problematic concept,where password of user dies after certain days(Example -60) and user needs to enter new password otherwise user would be locked out of the account,however remembering password which are being updated or modified every 60 days becomes an problematic issue for the Users.

If you find this answer helpful, please Up-vote!!