How to Stop access using “/ as sysdba”

You can tighten access to your client databases by preventing DBAs from connecting as the SYS user with “/ as sysdba”.

In the file sqlnet.ora located in $ORACLE_HOME/network/admin folder, modify the following line:

SQLNET.AUTHENTICATION_SERVICES=(NTS)

Change it to:

SQLNET.AUTHENTICATION_SERVICES=(NONE)

NONE selects no external authentication method, including Windows native operating system authentication (to use Windows native OS authentication, set this parameter to NTS). When it is set to NONE, a valid username and password have to be supplied to access the database.

This prevents “/ as sysdba” access when connected as the oracle user (the Oracle software owner account), but a DBA can easily change the parameter back in SQLNET.ORA if he has write permission on that file.

As we know, connect / as sysdba does not use the password file; it relies on OS authentication only. Setting NONE therefore removes the OS authentication path that “/ as sysdba” depends on.

To avoid this, change the ownership of the SQLNET.ORA file to root (or another functional OS user) and give the dba/oinstall group read-only permission:

chown root:oinstall sqlnet.ora

chmod 640 sqlnet.ora
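The following shell script is an added example (not from the original post) that audits a sqlnet.ora for the settings above: it reads the effective SQLNET.AUTHENTICATION_SERVICES value and checks the file's owner and write permissions. The file paths, the expected-owner argument and the sample file contents are constructed for illustration; in production the expected owner would be root as described above.

```sh
#!/bin/sh
# Added example, not from the original post: audit a sqlnet.ora for the
# hardening described above (NONE, root ownership, mode 640). The file
# paths and sample contents are constructed for illustration only.

# Print the effective SQLNET.AUTHENTICATION_SERVICES value in FILE ($1):
# '#' lines are sqlnet.ora comments, parameter names are case-insensitive,
# the value is what sits inside the parentheses. The last occurrence wins
# in this audit; an absent parameter prints nothing.
sqlnet_auth_services() {
  grep -v '^[[:space:]]*#' "$1" | tr '[:lower:]' '[:upper:]' \
    | sed -n 's/^[[:space:]]*SQLNET\.AUTHENTICATION_SERVICES[[:space:]]*=[[:space:]]*(\([^)]*\)).*/\1/p' \
    | tail -n 1 | tr -d ' \t'
}

# Return 0 only if FILE ($1) explicitly sets NONE, is owned by OWNER ($2),
# and neither the file nor its directory is group/world writable (write
# access on the directory would let the file be replaced). A TNS_ADMIN
# variable pointing elsewhere selects a different sqlnet.ora; check that
# separately.
audit_sqlnet() {
  f="$1"; owner="$2"; rc=0; d=$(dirname "$f")
  [ "$(sqlnet_auth_services "$f")" = "NONE" ] \
    || { echo "FAIL: SQLNET.AUTHENTICATION_SERVICES is not (NONE)"; rc=1; }
  [ -n "$(find "$f" -prune -user "$owner")" ] \
    || { echo "FAIL: $f is not owned by $owner"; rc=1; }
  [ -z "$(find "$f" -prune \( -perm -g+w -o -perm -o+w \))" ] \
    || { echo "FAIL: $f is group/world writable"; rc=1; }
  [ -z "$(find "$d" -prune \( -perm -g+w -o -perm -o+w \))" ] \
    || { echo "FAIL: directory $d is group/world writable"; rc=1; }
  return $rc
}

# Demo on a constructed copy: the weak setting from the post, then the fix.
# The current user stands in for root here so the demo runs unprivileged.
demo() {
  tmp=$(mktemp -d); f="$tmp/sqlnet.ora"
  printf 'SQLNET.AUTHENTICATION_SERVICES=(NTS)\n' > "$f"
  audit_sqlnet "$f" "$(id -un)" && echo "hardened" || echo "weak: $f"
  printf '# hardened as described above\nSQLNET.AUTHENTICATION_SERVICES=(NONE)\n' > "$f"
  chmod 640 "$f"              # owner rw, dba/oinstall group read-only
  audit_sqlnet "$f" "$(id -un)" && echo "hardened" || echo "weak: $f"
  rm -rf "$tmp"
}
demo
```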

You can also use the parameter SQLNET.CLIENT_REGISTRATION to set a unique identifier for this client computer. The identifier is passed to the listener with every connection request and is included in the audit trail. It can be any alphanumeric string up to 128 characters long.

SQLNET.CLIENT_REGISTRATION=1432

Use the SQLNET.ALLOWED_LOGON_VERSION parameter to define the minimum Oracle Database client version that is allowed to attempt connections to Oracle database instances under the control of the given code tree (Oracle home).

If the client version does not meet or exceed the version defined by this parameter, then authentication fails with an ORA-28040 error.

If both Oracle8i and Oracle9i databases are present, then set the parameter as follows:

SQLNET.ALLOWED_LOGON_VERSION=8
