Home » RDBMS Server » Security » restrict toad to access database
restrict toad to access database [message #260982] Tue, 21 August 2007 07:56 Go to next message
reyazan
Messages: 53
Registered: February 2005
Member
i am using oracle 8i 1.7 on windows 2000 server.
i want to restrict toad or other utility to access database.
pls help


Re: restrict toad to access database [message #260985 is a reply to message #260982] Tue, 21 August 2007 08:04 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
1/ 8i is no more supported
2/ Is 8i certified for W2000?
3/ Search a little bit, this question has been asked many times
Come back if you don't find anything.

Regards
Michel
Re: restrict toad to access database [message #261021 is a reply to message #260985] Tue, 21 August 2007 09:35 Go to previous messageGo to next message
DreamzZ
Messages: 1666
Registered: May 2007
Location: Dreamzland
Senior Member
Some thing like this

begin 
FOR REC IN (SELECT USERNAME,PROGRAM,MODULE,TERMINAL,MODULE_HASH FROM V$SESSION
WHERE AUDSID = USERENV('SESSIONID')) 
LOOP
if rec.username not in ('SYS','SYSTEM','ABBC','XYZ') 
and
upper(rec.terminal) not like '%Computername%'
and
(rec.module is not null
OR
upper(rec.program) like '%EXP%'
OR
upper(rec.program) like '%IMP%'
OR
upper(rec.program) like '%VRMGR%'
OR
upper(rec.program) like '%EZSQL.EXE'
OR
rec.program is NULL 
OR
upper(rec.program) like '%TOAD.EXE')
then
RAISE_APPLICATION_ERROR(-20001,'Sorry You are not Authorise to Logon from this tool');
end if;
end loop;
END;
Re: restrict toad to access database [message #261025 is a reply to message #260982] Tue, 21 August 2007 09:37 Go to previous messageGo to next message
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
$ RENAME TOAD.EXE SNEAKY.EXE
$ SNEAKY.EXE
Re: restrict toad to access database [message #269383 is a reply to message #261025] Fri, 21 September 2007 22:01 Go to previous messageGo to next message
smunir362
Messages: 310
Registered: September 2007
Senior Member
In case of rename no problem above script would not work.
Acyually that script was developed by me.
If rename then we can check on module column. When u connect with taod the module is populated sometking like
"toad.2.1" so modily that code ..........

Regards,
Munir
Re: restrict toad to access database [message #269388 is a reply to message #260982] Fri, 21 September 2007 23:19 Go to previous messageGo to next message
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
>i want to restrict toad or other utility to access database.
You may be able to preclude access by TOAD (TBD), but I prefer rolling my own access using Perl DBI/DBD.

If I have valid Oracle username/password, you'll be challenged to prevent access.
Re: restrict toad to access database [message #269438 is a reply to message #269388] Sat, 22 September 2007 05:39 Go to previous messageGo to next message
smunir362
Messages: 310
Registered: September 2007
Senior Member
Ok let us come in front me! Challenge.

What can u do?
Pls describe ur approach.




Re: restrict toad to access database [message #269457 is a reply to message #269438] Sat, 22 September 2007 07:50 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Do you really expect someone to explain hacking?
Ana is right. If he has a valid username/password he can connect (unless you put some IP restrictions on net services, and even in this case IP spoofing exists).
You can never list all the names a program can have in your trigger.
full stop.

Regards
Michel
Re: restrict toad to access database [message #270601 is a reply to message #269457] Thu, 27 September 2007 11:24 Go to previous messageGo to next message
smunir362
Messages: 310
Registered: September 2007
Senior Member
But

1- On the other side we can allow only our own apps to allow and all other to blocks........
2- We can set in our application startup to set SET_CLIENT_INFO=allowable
3- Then we can create trigger on logon and check above two conditions if it is true then logon otherwise block.
4- No need to block IP through protocol.ora

Agree or not.........
Re: restrict toad to access database [message #270611 is a reply to message #270601] Thu, 27 September 2007 11:39 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Client info can only be set AFTER logon so trigger on logon is useless.

Regards
Michel
Re: restrict toad to access database [message #270894 is a reply to message #270611] Fri, 28 September 2007 05:06 Go to previous messageGo to next message
smunir362
Messages: 310
Registered: September 2007
Senior Member
Ok.

Triger is after logon...... not before logon
However oracle provide both type on logon. But I m using after on logon......

And What about my 1,3,4 points....
Re: restrict toad to access database [message #270911 is a reply to message #270894] Fri, 28 September 2007 06:18 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Trigger is internally after logon but during logon from user point of view and he only can set client_info after the logon return. So it can't be check in logon trigger.

Regards
Michel
Re: restrict toad to access database [message #270999 is a reply to message #270911] Fri, 28 September 2007 12:48 Go to previous messageGo to next message
smunir362
Messages: 310
Registered: September 2007
Senior Member
OK.
Then list ....
what can be checked on logon
Re: restrict toad to access database [message #271002 is a reply to message #270999] Fri, 28 September 2007 13:08 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Have a look at DreamzZ procedure above.
Have a look at sys_context function.
Have a look at v$session.
Make test to see what is set at logon time and what is not.
Then come back with the list.

Regards
Michel
Re: restrict toad to access database [message #271431 is a reply to message #271002] Mon, 01 October 2007 11:57 Go to previous messageGo to next message
MarcL
Messages: 455
Registered: November 2006
Location: Connecticut, USA
Senior Member
What is the POINT ??

If they have a database login, control access with database roles and privs. Whatever they can do in TOAD can be done with any other tool.

A short list:
sqlplus/pl sql developer/sql developer/ MS ACCESS/ VB


Why do you care which tool is being used to access the database?

I am very curious to hear the business reason to block this access.
Re: restrict toad to access database [message #271445 is a reply to message #271431] Mon, 01 October 2007 12:27 Go to previous message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Business reason, there is none.
Badly written application reasons, there are many like giving update privilege to user when they are only allowed to update through the application and these updates should be done via packages.

Regards
Michel
Previous Topic: Audit Vault Configuration : Http Connection error: 500
Next Topic: Implementation of Oracle Data Encryption [Merged]
Goto Forum:
  


Current Time: Thu Mar 28 11:37:39 CDT 2024