
Database Security Assessment Overview

February 27, 2010

Oracle Security Assessment Checklist

1. Is the OS account that owns the Oracle software locked to prevent remote (and interactive) logins?
2. Is auditing of database user activity enabled, in particular successful logins and failed login attempts?
3. Where is the audit information stored (database audit trail or OS audit files), and is that location protected from the users it audits?
4. Does the Oracle software owner own all of the files in $ORACLE_HOME/bin, and are the permissions on them restrictive?
5. Are help files or sample data (files, directories and sample schemas) installed?
6. How often is the audit information reviewed?
7. Are default accounts (e.g. SYS, SYSTEM, SCOTT) present, unlocked or still using their default passwords? (TNSLSNR is the listener process rather than a user account; check separately that the listener is secured.)
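The following SQL*Plus script is an added example for the Oracle items above; it is not part of the original checklist and is not vendor-supplied. It assumes a DBA session, that the standard data-dictionary views are available, and (for DBA_USERS_WITH_DEFPWD) an Oracle 11g or later target. Items 1 and 4 are OS-level checks and are not covered here.

```sql
-- Added example: Oracle checks for items 2, 3, 5, 6 and 7. Run as a DBA in SQL*Plus.
-- Assumption: Oracle 10g/11g; DBA_USERS_WITH_DEFPWD requires 11g or later.

-- Items 2/3/6: is auditing on at all, and where does the trail go?
-- AUDIT_TRAIL = NONE means there is nothing to store or review.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- Item 2: is CREATE SESSION (login) audited for both success and failure?
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE audit_option = 'CREATE SESSION';

-- If it is not, enable it. BY ACCESS writes one audit row per attempt.
AUDIT CREATE SESSION BY ACCESS;

-- Item 2: recent failed logins from the database audit trail.
-- RETURNCODE 1017 is ORA-01017 (invalid username/password); 28000 is a locked account.
SELECT os_username, username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode <> 0
 ORDER BY timestamp DESC;

-- Items 5/7: default and sample-schema accounts, and whether they are open.
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM', 'SCOTT', 'DBSNMP', 'OUTLN', 'HR', 'OE', 'SH')
 ORDER BY username;

-- Item 7 (11g and later): accounts still carrying the vendor default password.
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- Remediation for a sample account that cannot be dropped: lock it and expire its password.
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;
```

An account that shows OPEN in DBA_USERS and also appears in DBA_USERS_WITH_DEFPWD is the finding to write up first; the audit queries only tell you whether you would have seen someone use it.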


MS-SQL Security Assessment Checklist

1. Is login auditing enabled (at least for failed logins), and where are the audited events stored (SQL Server error log, Windows Application event log)?
2. Is cross-database ownership chaining disabled, both server-wide and for each database?
3. Are the drives holding data and log files encrypted, and are client connections encrypted (SSL/TLS)?
4. Is password complexity enforced for the administrator accounts (sa and members of the sysadmin role)?
5. Has the Kill Password (KillPwd) utility been run to remove the sa password that SQL Server 7.0/2000 setup and service-pack installation can leave in setup log files (setup.iss, sqlstp.log)?
6. Is access to database tables restricted by permissions granted to specific users and groups/roles?
7. Are only authorized users and groups permitted direct access to tables, with statement permissions (SELECT, INSERT, UPDATE, DELETE, etc.) granted per object rather than broadly or to public?
8. Are views used to enforce column- and row-level security rather than relying only on permissions applied to the base tables?
9. Is the registry secured so that only authorized principals (Administrators, the SQL Server service accounts, etc.) have access to the SQL Server registry keys?
10. Is network access to TCP 1433 (database engine) and UDP 1434 (SQL Server Browser / SQL Server Resolution Service) restricted to authorized hosts or networks?
11. Are there any legacy configuration and setup files left on the system?
12. Are there any sample files, directories or sample databases installed?
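The following T-SQL script is an added example for MS-SQL items 1, 2, 3, 4, 6, 7 and 8; it is not part of the original checklist and is not Microsoft-supplied. It assumes a sysadmin session on SQL Server 2005 or later (the catalog views it uses do not exist on 2000). The view in the last section uses hypothetical names (dbo.Employees, app_readers). Items 5, 9, 10, 11 and 12 are file-system, registry and network checks and are not covered here.

```sql
-- Added example: SQL Server checks for items 1, 2, 3, 4, 6, 7 and 8.
-- Assumption: SQL Server 2005 or later, run as sysadmin in SSMS or sqlcmd.

-- Item 1: login audit level. Returns none / success / failure / all.
-- Audited logins go to the SQL Server error log and the Windows Application log.
EXEC master.dbo.xp_loginconfig 'audit level';

-- Item 2: cross-database ownership chaining, server-wide ...
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name = 'cross db ownership chaining';

-- ... and per database (only databases with it switched on are listed).
SELECT name, is_db_chaining_on
  FROM sys.databases
 WHERE is_db_chaining_on = 1;

-- Remediation: off at the server level; re-enable per database only where required.
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;
GO

-- Item 3: which current client sessions are actually encrypted.
SELECT session_id, net_transport, encrypt_option, client_net_address
  FROM sys.dm_exec_connections;

-- Item 4: SQL logins that bypass the Windows password policy, plus sa itself.
-- sa should be renamed or disabled; at minimum it must show is_policy_checked = 1.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
  FROM sys.sql_logins
 WHERE is_policy_checked = 0 OR is_expiration_checked = 0 OR name = 'sa';

-- Items 6/7: explicit object-level permissions in the current database.
-- class = 1 is OBJECT_OR_COLUMN; anything granted to public deserves a second look.
SELECT pr.name                          AS grantee,
       pr.type_desc                     AS grantee_type,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
  FROM sys.database_permissions pe
  JOIN sys.database_principals pr ON pe.grantee_principal_id = pr.principal_id
 WHERE pe.class = 1
 ORDER BY pr.name, object_name;
GO

-- Item 8: a view that exposes only the columns and rows a role may see.
-- SELECT is granted on the view; nothing is granted on the base table.
-- dbo.Employees and app_readers are hypothetical names for this example.
CREATE VIEW dbo.v_EmployeeDirectory
AS
SELECT EmployeeId, DisplayName, Department
  FROM dbo.Employees
 WHERE Active = 1;
GO
GRANT SELECT ON dbo.v_EmployeeDirectory TO app_readers;
GO
```

The view pattern only holds if the view and the table share an owner (so ownership chaining within the database lets the view read the table) and the role has no direct grant on dbo.Employees; the permissions query above is the way to confirm the second half of that.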