Advanced Security -TDE - Encrypted Tablespace Question
In discussions regarding the move of existing objects from a non-encrypted tablespace to a TDE tablespace, all relevant text, e.g. TDE Best Practices (http://www.oracle.com/technology/deploy/security/database-security/pdf/twp_transparent-data-encryption_bestpractices.pdf), states that the objects should be exported from the non-encrypted tablespace and then imported into the encrypted tablespace. After which the old tablespace should be dropped, wiped, etc.
I'm just wondering if there is a reason that we couldn't use an ALTER TABLE..MOVE operation instead. If not, specifically, why not?
Thanks,
-Joe
The Oracle docs at the following link say:
http://download-uk.oracle.com/docs/cd/E11882_01/network.112/e10746/asotrans.htm
"You cannot encrypt an existing tablespace. However, you can import data into an encrypted tablespace using the Oracle Data Pump utility. You can also use SQL commands like CREATE TABLE...AS SELECT...or ALTER TABLE...MOVE... to move data into an encrypted tablespace. The CREATE TABLE...AS SELECT... command enables you to create a table from an existing table. The ALTER TABLE...MOVE... command enables you to move a table into the encrypted tablespace."
So you can do ALTER TABLE ... MOVE too.
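
The ALTER TABLE ... MOVE route from the documentation quoted above, written out as an added example (not from the original posts or from Oracle's documentation). The tablespace names SECURE_TS and OLD_TS, the datafile path, the schema APP and the table, index and LOB column names are all assumptions, and the wallet is assumed to be open with a master key already set.

```sql
-- Added example. All object names and the datafile path are assumptions.

-- 1. Encrypted target tablespace (encryption can only be chosen at creation).
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  AUTOEXTEND ON NEXT 20M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Move the table segment. A plain MOVE blocks DML on the table while it
--    runs. LOB segments stay behind unless they are named explicitly.
ALTER TABLE app.customers MOVE TABLESPACE secure_ts
  LOB (notes) STORE AS (TABLESPACE secure_ts);

-- 3. The move changes rowids, so every index on the table is now UNUSABLE.
--    Index entries hold copies of the key values, so rebuild them into the
--    encrypted tablespace rather than in place.
ALTER INDEX app.customers_pk      REBUILD TABLESPACE secure_ts;
ALTER INDEX app.customers_name_ix REBUILD TABLESPACE secure_ts;

-- 4. Checks before touching the old tablespace.
-- 4a. Target tablespace really is encrypted (expect ENCRYPTED = YES).
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'SECURE_TS';

-- 4b. No index left unusable (expect no rows).
SELECT index_name, status
FROM   dba_indexes
WHERE  table_owner = 'APP'
AND    table_name  = 'CUSTOMERS'
AND    status     <> 'VALID';

-- 4c. Nothing still stored in the old tablespace (expect no rows).
--     A row here is a table, index or LOB segment that was missed.
SELECT owner, segment_name, segment_type
FROM   dba_segments
WHERE  tablespace_name = 'OLD_TS';

-- 5. MOVE copies rows into new blocks; the old blocks in OLD_TS are freed
--    but not overwritten, so cleartext copies remain in its datafiles.
--    That is why the guidance cited in the question ends with dropping and
--    wiping the old tablespace. Wiping the files themselves is an
--    OS-level step outside the database.
DROP TABLESPACE old_ts INCLUDING CONTENTS AND DATAFILES;
```
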
Similar Messages
-
When turning on Advanced Security Network Encryption tnsping fails
Hi people,
I'm installing Advanced Security Network Encryption in my server (RHEL 3), I've configured my sqlnet.ora as follows:
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = MD5
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_256)
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.CRYPTO_SEED = "abcdefg"
After that, tnsping does not work anymore; I'm getting TNS-03505 - "Failed to resolve name".
If I remove the Adv. Security configuration, tnsping becomes normal.
Does anybody know what it can be?
Thanks in Advance
André Teixeira
Are you running tnsping from the server to itself? Or from the client? Has Advanced Security been configured on the client?
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC -
Is it possible to perform network data encryption between Oracle 11g databases without the advance security option?
We are not licensed for the Oracle Advanced Security Option and I have been tasked to use Oracle Network Data Encryption in order to encrypt network traffic between Oracle instances that reside on remote servers. From what I have read and my prior understanding this is not possible without ASO. Can someone confirm or disprove my research, thanks.
Hi, Srini Chavali-Oracle
As for http://www.oracle.com/technetwork/database/options/advanced-security/advanced-security-ds-12c-1898873.pdf?ssSourceSiteId… ASO is mentioned as TDE and Redacting Sensitive Data to Display. Network encryption is excluded.
As for Network Encryption - Oracle FAQ (of course this is not Oracle official) "Since June 2013, Net Encryption is now licensed with Oracle Enterprise Edition and doesn't require Oracle Advanced Security Option." Could you clarify this? Thanks. -
I hope I'm asking this question right. Do any of you know if Advanced Security supports IOS module 12.4 13 on a 2811?
Hi,
For your first question about exception list: If Windows Firewall is blocking a program and you want to allow that program to communicate through the firewall, you can usually do that by selecting the program in the list of allowed programs (also called the exceptions list) in Windows Firewall.
For the second question, that means Firewall allow your Skype to communicate through Firewall.
You can add items manually, or just choose following settings after installing or configuring first open network app:
Eg.
Kate Li
TechNet Community Support -
Comparing performance between TDE encryption and no encryption
Hi all,
How can I check how much database resource (%CPU, time elapsed) increases when using TDE encryption?
Thank you!
Dan.
Edited by: Dan on Jul 10, 2011 10:13 PM
The performance implications of using TDE are going to depend on a number of factors including
- The version of Oracle
- The hardware available (in particular whether hardware acceleration is available for encryption)
- Whether you are using tablespace encryption or column-level encryption
- If you are using column-level encryption how many columns you are encrypting
- What sort of workload your system is doing.
- Where your system bottlenecks today without encryption
Without knowing those things, it's hard to narrow down the answer to somewhere between 0 and 50% which is, obviously, far too large a range to be meaningful.
On the one hand, the worst case is probably represented by this test case where you're using column-level encryption of one column of a two column table in 10.2 and doing single-row inserts and deletes. Those operations are already heavily CPU bound and, since you're using column-level encryption, the data has to be encrypted and decrypted every time it goes into or out of the SGA. If you were using tablespace-level encryption, the data would only need to be encrypted and decrypted when it is read from or written to the disk which would be far faster for this test case. Later versions of Oracle also tend to be more efficient.
On the other hand, if you're using 11.2 with the most recent patches and you've got hardware acceleration, Oracle is happy to trumpet the near-zero performance impact of TDE (http://www.oracle.com/technetwork/database/options/advanced-security/index-099011.html).
Most people live somewhere between these two extremes but it's hard to guess where your particular application falls. I would guess that most people would see something like a 10-15% increase in CPU consumption but that's just a wild guess based on a relatively small sample of systems.
Justin -
About TDE encryption feature of oracle
Hi All,
I am facing problems while checking this feature of Encryption,
I created in database1, table1 with user1, column1 in the table1 was with encrypt keyword as follows.
create table table1(ID number(3), PHONE number(11) encrypt);
Inserted some rows and selected those rows, it shows them successfully, Ideally it should show the actual data for user1.
gave the select permission to user2 from user1 for table1 as follows:
grant select on table1 to user2;
Now logged in with user2 to same database1.
now when I query the database for table1 as follows:
select * from database1.table1;
It shows all the rows successfully, Ideally it should NOT show the actual data for user2.
Can someone please tell me the solution or explain me the procedure to test it properly.
Thanks in advance,
Nikhil Joshi.
TDE encrypts data when it is on disk "at rest". If a user has SELECT access to the data in question, TDE will transparently (hence the T) decrypt the data. TDE will never present any user with encrypted data-- either the user does not have privileges to select the data in the first place or they do and TDE will decrypt it.
If you want to limit what data a particular user can access, you'd either want to do that conventionally by, for example, creating a view on the table that does not have the phone number and only granting access on that view to user2. Or, assuming you're using 11.2, you could create a VPD policy that limits what columns a particular user can see. A VPD policy would generally make sense if you wanted to allow user2 to see the phone number for some rows but not others.
Justin -
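
The two options named in the answer above, as an added example (not code from the original posts). It assumes USER1 owns TABLE1; the view name, the policy and function names, and the rule that USER2 may see PHONE only for rows with ID below 100 are constructed for illustration.

```sql
-- Added example. USER1 owning TABLE1 is an assumption; the names
-- TABLE1_NOPHONE, PHONE_FOR_USER2 and MASK_PHONE are hypothetical.

-- Option 1: a view without the sensitive column.
-- USER2 loses direct access to the table and sees only the ID column.
CREATE VIEW user1.table1_nophone AS
  SELECT id FROM user1.table1;

REVOKE SELECT ON user1.table1 FROM user2;
GRANT  SELECT ON user1.table1_nophone TO user2;

-- Option 2: VPD column masking (keeps the grant on the table itself).
-- The policy function returns a predicate. With column masking, rows that
-- fail the predicate are still returned, but PHONE comes back as NULL.
CREATE OR REPLACE FUNCTION user1.phone_for_user2 (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'USER2' THEN
    -- Constructed rule: USER2 sees PHONE only where ID < 100.
    RETURN 'id < 100';
  END IF;
  RETURN NULL;  -- NULL predicate: no restriction for other users
END;
/

-- Run as a user with EXECUTE on DBMS_RLS.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'USER1',
    object_name           => 'TABLE1',
    policy_name           => 'MASK_PHONE',
    function_schema       => 'USER1',
    policy_function       => 'PHONE_FOR_USER2',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PHONE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Check as USER2: every row is listed, PHONE is NULL where ID >= 100.
SELECT id, phone FROM user1.table1 ORDER BY id;
```

Either option is independent of the ENCRYPT keyword on the column: TDE still protects the data files, while the view or policy decides what a logged-in user can read.
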
Take a Schema Dump of 11 g Db located in encrypted tablespace
Hi All,
I have a schema where all the tables are residing in encrypted tablespace.
When I try to take Schema dump ,it gives me an error that Table resides in encrypted
tablespace and will not be exported.
How will I be able to take the schema dump? Please advise.
Thanks in Advance,
Krishna
Hi Madrid,
Yeah, you are correct, TDE is being used. I have the encryption key and the wallet password. Can you point me to the syntax to take the schema dump using these parameters? Also, who will be the privileged user to take the dump?
I tried to search but was in vain.
Thanks ,
Krishna -
Goldengate 11.1.1.1 Oracle 11.2 Encrypted tablespace
Please advise why this error is showing and help us on this situation
Line: -----
Windows 2008 x64
Oracle 11.2.0.1 x64
Oracle Goldengate 11.1.1.1 x64
++++++++++++SOURCE++++++++++++++
sql>conn / as sysdba
**************CREATE TABLESPACE AND TABLE********************
CREATE TABLESPACE encrypted_ts
DATAFILE 'd:\oradata\test\encrypted_ts01.dbf' SIZE 128K
SIZE 15M
AUTOEXTEND ON NEXT 20M
MAXSIZE UNLIMITED
LOGGING
ENCRYPTION USING 'AES192'
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO
DEFAULT NOCOMPRESS STORAGE(ENCRYPT);
CREATE TABLE TESTA
(
ID NUMBER,
NAME VARCHAR2(16 CHAR)
)
LOGGING
NOCOMPRESS
NOCACHE
NOPARALLEL
MONITORING;
cmd> mkstore -wrl d:\test\wallet -createEntry ORACLE.SECURITY.CL.ENCRYPTION.ORACLEGG
Enter <secret> : test
cmd>mkstore -wrl d:\test\wallet -viewEntry ORACLE.SECURITY.CL.ENCRYPTION.ORACLEGG
ORACLE.SECURITY.CL.ENCRYPTION.ORACLEGG = test
sql>ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY 'welcome1';
sql>ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY 'welcome1';
Compile dbms_internal_clkm package.
sql>@prvtclkm.plb
sql>GRANT EXECUTE ON SYS.DBMS_INTERNAL_CLKM TO GGS_OWNER;
**********************************GOLDENGATE******************************************
ggsci>dblogin userid ggs_owner, ggs_owner
ggsci>add extract ext2ts, tranlog, begin now
ggsci>add rmttrail D:\ggs\dirdat\ts, extract ext2ts
ggsci>ENCRYPT PASSWORD test ENCRYPTKEY DEFAULT
Using default key...
Encrypted password: AACAAAAAAAAAAAEAZAMEFCPGPEOHYDHE
ggsci>edit params ext2ts
EXTRACT ext2ts
USERID ggs_owner, PASSWORD ggs_owner
RMTHOST 192.168.0.2, MGRPORT 7809
RMTTRAIL D:\ggs\dirdat\ts
DBOPTIONS DECRYPTPASSWORD AACAAAAAAAAAAAEAZAMEFCPGPEOHYDHE ENCRYPTKEY DEFAULT -- ???
TABLE TESTA;
+++++++++++++TARGET++++++++++++++++
sql> conn / as sysdba
**************CREATE TABLESPACE AND TABLE********************
cmd>
CREATE TABLESPACE ts
LOGGING DATAFILE 'd:\oradata\test\ts.dbf'
SIZE 15M
AUTOEXTEND ON NEXT 20M
EXTENT MANAGEMENT
LOCAL SEGMENT SPACE
MANAGEMENT AUTO;
CREATE TABLE TESTA
(
ID NUMBER,
NAME VARCHAR2(16 CHAR)
)
LOGGING
NOCOMPRESS
NOCACHE
NOPARALLEL
MONITORING;
************************************GOLDENGATE*****************************************
ggsci>DBLOGIN USERID ggs_owner, PASSWORD ggs_owner
ggsci>ADD CHECKPOINTTABLE GGS_OWNER.CHKPTAB
ggsci>ADD REPLICAT rep1, EXTTRAIL D:\ggs\dirdat\ts, CHECKPOINTTABLE GGS_OWNER.CHKPTAB
ggsci>EDIT PARAMS rep1
REPLICAT rep1
ASSUMETARGETDEFS
USERID ggs_owner, PASSWORD ggs_owner
MAP GGS_OWNER.TESTA, TARGET GGS_OWNER.TESTA;
+++++++++++++TARGET+++++++++++++++
ggsci>start replicat rep1
+++++++++++++SOURCE+++++++++++++++
ggsci>start extract ext2ts
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!EXTRACT - REPORT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2011-07-05 11:46:50 ERROR OGG-01028 ORA-06521: PL/SQL: Error mapping function
ORA-06512: at "SYS.DBMS_INTERNAL_CLKM", line 3
ORA-06512: at line 1.
2011-07-05 11:46:50 ERROR OGG-01668 PROCESS ABENDING.
Edited by: Oyunbold on Jul 7, 2011 3:25 AM
Edited by: Oyunbold on Jul 19, 2011 6:09 PM
Yesterday, I met the same problem. How do you solve it? Please help me.
OS : AIX 5.3
DB : Oracle 11.1.0.7
OGG : 11.1.1.1
2011-09-06 15:26:56 INFO OGG-01515 Oracle GoldenGate Capture for Oracle, eora01.prm: Positioning to begin time Sep 2, 2011 6:50:49 PM.
2011-09-06 15:26:56 ERROR OGG-01028 Oracle GoldenGate Capture for Oracle, eora01.prm: ORA-12427: invalid input value for FLAGS parameter ORA-06512: at "SYS.DBMS_INTERNAL_CLKM", line 3 ORA-06512: at line 1.
2011-09-06 15:26:56 ERROR OGG-01668 Oracle GoldenGate Capture for Oracle, eora01.prm: PROCESS ABENDING.
Our Extract configuration is below :
EXTRACT EORA01
USERID ogg, PASSWORD AACAAAAAAAAAAADAHBMDHBECUCZBPIYE, encryptkey XKEY
DBOPTIONS DECRYPTPASSWORD AACAAAAAAAAAAAIARIXFKCQBMFIGFARA ENCRYPTKEY DEFAULT
ENCRYPTTRAIL
exttrail ./dirdat/ea
EOFDELAYCSECS 50
FLUSHCSECS 50
DISCARDFILE ./dirrpt/EORA01.DSC, APPEND, MEGABYTES 500
DISCARDROLLOVER AT 07:30
TABLE TVANBT.TLF_BUYS_MISS;
... -
Hello,
We have a requirement to modify Advanced Security Settings (Audit Settings for folders) on Windows 2008. I am looking for a command which does this job.
I know, using group policies I can do this; in fact I had done this using group policies. However, I need to do this on a number of servers which are not in a domain. There are around 15 folders on which I need to enable Auditing; manually editing folder advanced permissions is a cumbersome job. Hence, I am looking for command line options.
I need to know how a command can be utilised to enable the Audit option on a folder. Please share a command which can do this; once I get the command, I will create a batch file for other necessary folders. (BTW, this is not a scripting question, I just need to know the command; hence, please do not redirect me to the scripting forum)
Manually through GUI, I am setting following.. snaps are given below
Thanks !
You can try using Auditpol.exe: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
Thanks, but I guess auditpol can be used only to manipulate system audit policies. How do I specify a folder and user in auditpol? I could not find or understand how a folder can be included with auditpol command line options.
Thanks ! -
Conversion of postscript (converted from secure or encrypted pdf) to pdf
I have a postscript file which has been created from secure or encrypted (opening restriction) pdf.
Now when i use distiller to convert this postscript file to pdf then distiller cannot produce a pdf file.
The log file contains following text:
This PostScript file was created from an encrypted PDF file.
Redistilling encrypted PDF is not permitted.
%%[ Flushing: rest of job (to end-of-file) will be ignored ]%%
%%[ Warning: PostScript error. No PDF file produced. ] %%
1) Is there a way to convert this PostScript file into PDF?
I have a limitation that I cannot remove security from the secure PDF.
2) Does Distiller provide any settings which can be changed to convert this kind of PS (from secure PDF) to PDF?
3) Can we provide a password to Distiller during the process of conversion to PDF?
4) If the above methods do not work, is there a way we can do this programmatically using the Distiller APIs for conversion to PDF, like the method 'FileToPdf' etc.?
Thanks in advance.
I am facing a similar problem.
My workflow dictates that I convert the input PDF job initially to PS and finally back to PDF. If the input PDF file is secure (it's not encrypted - you will still be able to open the document), the redistillation of PS to PDF fails while using Normalizer 6.0 && 9.0 libraries. If I use Normalizer 505 library, the redistillation succeeds. I have checked with the same generated PS on both Distiller 6.0 && 9.0, and both the versions fail to reconvert as well. I am a little surprised that 6.0 and 9.0 will fail to do something that 505 library manages.
Any suggestions? -
Oracle advanced security problem
I have the following situation:
Oracle 10.2.0.2.0 database running on RHEL 3.0
Oracle advanced security is installed
sqlnet.ora on the server
# sqlnet.ora Network Configuration File: c:\oracle\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.CRYPTO_SEED = 'gkjhkh987987979'
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (MD5)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER= (DES40, DES, 3DES112)
SQLNET.ENCRYPTION_SERVER = required
#SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (MD5)
#SQLNET.CRYPTO_CHECKSUM_CLIENT = accepted
#SQLNET.ENCRYPTION_TYPES_CLIENT = ("DES40,DES")
#SQLNET.ENCRYPTION_CLIENT = accepted
On the client I have two homes
1. Oracle 10g client
I can connect to the database even if there is no crypto and checksum types specified.
2. Application which is using oracle 8 client
if there are no crypto and checksum types I get
ORA-12660: Encryption or crypto-checksumming parameters incompatible
Cause: One side of the connection specified "REQUIRED" for encryption or crypto-checksumming, while the other side specified "REJECTED".
if the sqlnet.ora is
# sqlnet.ora Network Configuration File: c:\oracle\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.CRYPTO_SEED = 'gkjhkh987987979'
#SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (MD5)
#SQLNET.CRYPTO_CHECKSUM_SERVER = required
#SQLNET.ENCRYPTION_TYPES_SERVER= (DES40, DES, 3DES112)
#SQLNET.ENCRYPTION_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (MD5)
SQLNET.CRYPTO_CHECKSUM_CLIENT = accepted
SQLNET.ENCRYPTION_TYPES_CLIENT = ("DES40,DES")
SQLNET.ENCRYPTION_CLIENT = accepted
I get
ORA-12649: Unknown encryption or data integrity algorithm
Cause: An Oracle Advanced Security list-of-algorithms parameter included an algorithm name that was not recognized.
Any Ideas? -
Oracle Advanced Security in Developer Forms 10g (10.1.2.)
Hi everybody,
I have installed Oracle RDBMS 10g v.2 (10.2.0) and Developer Suite 10g (v 10.1.2) on XP platform on the same machine.
I want to configure encryption and SSL authentication (Oracle Advanced Security) using Oracle Net Manager of Developer Suite as I have done before on Oracle Net Manager of Oracle Database Server and Oracle Client 10g as well....
The problem is that there is no such a selection in Oracle Net Manager and i'm wondering if there is the capability to install and configure Oracle Advanced Security in Developer Suite 10.1.2..
Is there Developer Suite 10.2. downloadable from OTN....????
Thanks , for your interest...
Simon
I believe they need to be in separate folders.
I extracted them into separate folders, then ran setup.exe from disk 1. It will ask you for the location of disk 2, enter that path and away it went. -
Advanced Security Server /Entrust-enabled SSL
We are experimenting to configure Advanced Security Server to work with Entrust. I had a quick look at the Oracle 9i Advanced Security Server Administrator's Guide, and found a lot more detailed instructions about configuring Entrust-enabled SSL. In addition, there are samples of how sqlnet.ora will look. The question: Can we use the 9i manual to configure Entrust-enabled SSL for Oracle 817? If we can't use the 9i manual, is there any addendum document to Chapter 10 - Enabling Entrust Authentication in the Oracle8i Advanced Security Administrator's Guide, other than CR #281745 ....
Hi Justin,
The Visual Basic application software uses Oracle OLEDB Provider 9.2.0.7.0
We use various classes available in OLEDB for accessing the database. For example, the connection string looks like the following:
Provider=oraoledb.oracle; data source=oraserve; user id=myuserid; password=mypasswd;
The application uses ADODB objects to access data.
Hope this clarifies
Regards,
SAM -
Have Effective Permissions but not showing in Advanced Security in AD UC
I'm trying to find out where a user account is getting permissions to our Active Directory Users & Computers. On the entire domain it has the ability to modify all properties, modify permissions, change owner, and a bunch of stuff that it shouldn't. I found this out when testing and verified it with using "effective permissions". The weird thing is, when looking at Advanced security, neither the user nor the security group it is in are explicitly given permissions anywhere in ADUC. My question is: where could it be getting these rights? How do I find it if it's not in the Advanced Security Settings area of ADUC?
I know the problem is the security group and not the user account. After I removed the user account from its security group, it no longer had the extra permissions it shouldn't have.
TestUserA is a member of SecurityGroupA: TestUserA has rights to all of our AD domain (unexpected, not sure where the rights are coming from)
TestUserA removed from SecurityGroupA: TestUserA only has basic "read" rights to our AD domain (the desired level of permissions)
Any help or suggestions of where to find SecurityGroupA's permissions are coming from would be helpful. Thank you!
Any ideas? I would really like to know the answer to this question because there is no way for me to audit these permissions or know which other groups may be getting more permissions than expected.
I know for sure the user is getting permissions from SecurityGroupA. I can clearly see using Effective Permissions that TestUserA gets added permissions in AD when I add them to this group, and the permissions get removed when no longer a member of this group. It's odd to me that this group isn't explicitly listed anywhere in AD Security, and it isn't a member of any other groups. Where in the world are the permissions coming from? Viewing the Advanced Security through the mmc and running DCACLS are both useless. The permissions are completely invisible to us unless we run Effective Permissions specifically against the user.
We are likely going to explicitly deny the group permissions since we cannot figure out how or why this group is getting permissions to AD. This is just a quick-fix, as there still might be other security holes in our environment. -
8iR2 and Advanced Security Option?
Can anyone confirm if 8iR2 (I'm downloading my copy now) fully implements the Advanced Security Option ... for sql*net, JDBC, and IIOP connections?
I ask this 'coz in 8i (up to 8.1.5.0.2), even though the Advanced Security Option is 'enabled', I never got them to work and it complains of "uninstalled (or something like that) algorithms".
John,
The Advanced Security Option on the current release only supports the SSL protocol. The version that you have downloaded supports only "export" encryption.
We are planning to release a full update of the ASO option to add things like kerberos authentication and others by mid June. We also plan to add the "strong encryption" capability.
Sorry for the delay.
Regards,
Josue Amaro
Product Line Manager
Linux Products
Oracle Corporation