
Oracle EBS R12 - Security

Best Practices for Securing


Oracle EBS R12

1
Agenda
• Overview
• Oracle TNS Listener Security
• Oracle Database Security
• Oracle Application Tier Security
• E-Business Suite Security
• Desktop Security
• Operating Environment Security
• Q&A

2
Overview
In today’s environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security and value of the information protected.

Each organization determines its own correct balance. To that end, this presentation describes security measures that will be put in place for securing Oracle E-Business Suite R12.

3
Overview - Continued

4
Oracle TNS Listener Security
• Enable “Validate Node Checking” (sqlnet.ora)
tcp.validnode_checking = YES
tcp.invited_nodes = ( X.X.X.X, hostname, ... )
tcp.excluded_nodes = ( hostname, X.X.X.X, ... )

• Specify Connection Timeout (listener.ora)
CONNECT_TIMEOUT_$ORACLE_SID = 10
(CONNECT_TIMEOUT_listener_name is the older spelling; from Oracle Database 10g the listener.ora parameter is INBOUND_CONNECT_TIMEOUT_listener_name.)

• Enable TNS Listener Password
$ lsnrctl
LSNRCTL> set current_listener $ORACLE_SID
LSNRCTL> change_password
LSNRCTL> set password
LSNRCTL> save_config
LSNRCTL> exit
$ echo "ADMIN_RESTRICTIONS_$ORACLE_SID = ON" >> listener.ora
$ lsnrctl
LSNRCTL> set current_listener $ORACLE_SID
LSNRCTL> set password
LSNRCTL> reload
(The listener name is written as $ORACLE_SID throughout this slide; substitute your own listener name. Later releases, Oracle Database 11g onward, rely on local OS authentication for listener administration, and the password mechanism is no longer recommended there.)

• Enable Admin Restrictions (listener.ora)
ADMIN_RESTRICTIONS_$ORACLE_SID = ON

• Enable TNS Listener Logging (listener.ora)
LOGGING_$ORACLE_SID = ON
LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
LOG_FILE_$ORACLE_SID = $ORACLE_SID
(LOG_STATUS is the equivalent runtime setting in lsnrctl: set log_status on.)

5
Oracle Database Security
• Disable XDB
Remove the XDB dispatcher entry from the initialization parameters, i.e. the entry
dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'

• Remove OS trusted login
REMOTE_OS_AUTHENT=FALSE

• Implement two or more profiles for password management

Password Parameter          Application Profile   Administrator Profile
FAILED_LOGIN_ATTEMPTS       Unlimited             5
PASSWORD_LIFE_TIME          Unlimited             90
PASSWORD_REUSE_TIME         180                   180
PASSWORD_REUSE_MAX          Unlimited             Unlimited
PASSWORD_LOCK_TIME          Unlimited             7
PASSWORD_GRACE_TIME         Unlimited             14
PASSWORD_VERIFY_FUNCTION    Recommended           Recommended

6
Oracle Database Security - Continued
• Change default installation passwords
- Default database administration schemas
- Schemas belonging to optional database features neither used nor patched by E-Business Suite
- Schemas belonging to optional database features used but not patched by E-Business Suite
- Schemas belonging to optional database features used and patched by E-Business Suite
- Schemas common to all E-Business Suite products
- Schemas associated with specific E-Business Suite products
• Restrict Access to SQL trace files
_TRACE_FILES_PUBLIC=FALSE
• Remove OS trusted roles
REMOTE_OS_ROLES=FALSE
• Limit file system access within PL/SQL
Avoid: UTL_FILE_DIR = *
• Limit dictionary access
O7_DICTIONARY_ACCESSIBILITY = FALSE
• Configure DB for Auditing
AUDIT_TRAIL = OS
AUDIT_FILE_DEST = /u01/logs/db/audit
• Audit DB Connections
SQL> audit session;
• Audit DB schema changes (CREATE/ALTER/DROP USER)
SQL> audit user;

7
Oracle Application Tier Security
• Remove Application Server Banner
Set ServerSignature Off
Set ServerTokens Prod

• Protect Administrative Web Pages
<Location "uri-to-protect">
Order deny,allow
Deny from all
Allow from localhost <list of TRUSTED IPs>
</Location>

• Disable Test Pages
<Location ~ "^/fcgi-bin/echo.*$">
Order deny,allow
Deny from all
</Location>

• Configure Logging

8
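The Apache directives on this slide can be verified the same way: parse the httpd.conf fragment, confirm the banner settings, and confirm that each administrative URI and the fcgi-bin echo test page sit inside a <Location> block that denies by default. The following is an added example for this page, not code from the TUSC deck or from Oracle; the configuration text and the URIs /admin/example-console, /admin/example-other and /public-example are constructed placeholders, not real E-Business Suite paths.

```python
"""Check an httpd.conf fragment for the slide-8 banner and <Location> rules.

Added example, not from the TUSC deck or from Oracle. The configuration text
and the URIs in it are constructed for the example.
"""
import re

# Constructed sample: banner still on, one admin URI protected, one not.
SAMPLE_HTTPD_CONF = """
# constructed httpd.conf fragment
ServerSignature On
ServerTokens Full

<Location "/public-example">
Order deny,allow
Allow from all
</Location>

<Location ~ "^/fcgi-bin/echo.*$">
Order deny,allow
Deny from all
</Location>

<Location "/admin/example-console">
Order deny,allow
Deny from all
Allow from localhost 10.0.0.5
</Location>
"""

_LOCATION = re.compile(r"<Location\s+(.*?)>$", re.I)

def parse_httpd_conf(text):
    """Return (globals, locations): globals maps a top-level directive name
    (lowercased) to its last value; locations is a list of
    (match expression, [directive lines]) for each <Location> block."""
    globals_, locations, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LOCATION.match(line)
        if m:
            current = (m.group(1).strip(), [])
            locations.append(current)
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            current[1].append(line)
        else:
            name, _, value = line.partition(" ")
            globals_[name.lower()] = value.strip()
    return globals_, locations

def check_banner(globals_):
    """Slide 8: ServerSignature Off and ServerTokens Prod."""
    findings = []
    if globals_.get("serversignature", "").lower() != "off":
        findings.append("ServerSignature is not Off: error pages reveal the server version")
    if globals_.get("servertokens", "").lower() != "prod":
        findings.append("ServerTokens is not Prod: the Server header reveals version and modules")
    return findings

def denies_by_default(directives):
    """True when a block is Order deny,allow + Deny from all with no Allow from all,
    i.e. only the explicitly listed hosts get through."""
    lines = [d.lower() for d in directives]
    return ("order deny,allow" in lines and "deny from all" in lines
            and "allow from all" not in lines)

def check_locations(locations, protected_uris):
    """Report protected URIs without a deny-by-default block, and whether the
    fcgi-bin echo test page is blocked."""
    findings = []
    for uri in protected_uris:
        if not any(uri in expr and denies_by_default(d) for expr, d in locations):
            findings.append(f"{uri} is not restricted to trusted hosts")
    if not any("fcgi-bin/echo" in expr and denies_by_default(d) for expr, d in locations):
        findings.append("fcgi-bin echo test page is still reachable")
    return findings

if __name__ == "__main__":
    g, locs = parse_httpd_conf(SAMPLE_HTTPD_CONF)
    for f in check_banner(g) + check_locations(locs, ["/admin/example-console", "/admin/example-other"]):
        print(f)
```

The URI match is a plain substring test against the <Location> expression, which is enough for literal paths; a regex <Location ~ ...> block is matched the same way, so a pattern that covers a URI without containing its literal text would be missed and should be added to the protected list by its pattern instead.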
E-Business Suite Security
• Change Passwords for Seeded Application User Accounts

Account              Product/Purpose                               Change  Disable
ANONYMOUS            FND/AOL – Anonymous for non-logged users      Y       Y
APPSMGR              Routine maintenance via concurrent requests   Y       Y
ASGADM               Mobile gateway related products               Y       N
ASGUEST              Sales Application guest user                  Y       N
AUTOINSTALL          AD                                            Y       Y
CONCURRENT MANAGER   FND/AOL: Concurrent Manager                   Y       Y
FEEDER SYSTEM        AD – Supports data from feeder system         Y       Y
GUEST                Guest application user                        Y       N

9
E-Business Suite Security - Continued
• Consider Using Single Sign-On (SSO)
Refer to ML Doc ID 376811.1
• Create New User Accounts Safely
• Create Shared Responsibilities Instead of Shared Accounts
• Configure Concurrent Manager for Safe Authentication
• Activate Server Security
• Tighten Logon and Session Profile Options

Profile Option Name              Recommendation
SIGNON_PASSWORD_LENGTH           8
SIGNON_PASSWORD_HARD_TO_GUESS    Yes
SIGNON_PASSWORD_NO_REUSE         180
ICX_SESSION_TIMEOUT              30

10
Desktop Security
• Configure Browser
Refer to ML Doc ID 389422.1
• Update Browser
• Turn off Browser Auto Complete
• Set Policy for Unattended PC Sessions

11
Operating Environment Security
• Clean up file ownership and access
• Clean up file permissions
• Eliminate Telnet connections
• Eliminate FTP connections
• Verify network configuration

12
Q&A

13
Copyright Information
• Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: estradam@tusc.com
• TUSC © 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC
• www.tusc.com

14
References
• Best Practices for Securing Oracle E-Business Suite / Oracle Corporation, Version 3.0.2
• Oracle Metalink
• Oracle Technology Network (OTN)

15
