1 / 82

The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance

The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance. Eric Bing, Erik Graversen Applications Product Security Contributors: Elke Phelps. Safe Harbor Statement.

salaam
Download Presentation

The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance Eric Bing, Erik Graversen Applications Product Security Contributors: Elke Phelps

  2. Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

  3. Program Agenda • Secure Deployment and Configuration • Secure Configuration Scripts • Top 10 Things You Can Do to Secure Your Deployment • New Security Features for Release 12.2 • Leveraging the Oracle Technology Stack

  4. E-Business Suite: Secure Deployment and Configuration

  5. Stay current with patching How to Deploy E-Business Suite Securely 1 2 Follow secure deployment recommendations

  6. How to Deploy E-Business Suite Securely Stay Current with Patching • Apply Critical Patch Updates (CPUs) + Security Alerts • Critical Patch Advisory Page http://www.oracle.com/technetwork/topics/security/alerts-086861.htm • Patch Setup Update (PSUs) are an option for the database • PSUs include CPUs + other database recommended patches • EBS customers can apply either CPUs or PSUs for the DB • As of 12c only PSUs will be supported • Apply most current maintenance pack • Yes, maintenance packs improve security as well

  7. How to Deploy E-Business Suite Securely Follow Secure Deployment Recommendations • Secure Configuration Guide for Oracle E-Business Suite • Previously known as “Best Practice” documents • Release 11i, MOS Note 189367.1 • Release 12.0.x, 12.1.x and 12.2.x, MOS Note 403537.1 • Oracle E-Business Suite Configuration in a DMZ • Follow this guide if your E-Business environment is internet accessible • Release 11i, MOS Note 287176.1 • Release 12.0.x and 12.1.x, MOS Note 380490.1 • Release 12.2.x, MOS Note 1375670.1

  8. E-Business Suite Secure Configuration Guides Release 11i and Release 12 • Guidelines are based upon current patch levels • 11.5.10+, 12.0.6+, 12.1.2+, and 12.2.2+ • Advice for security-related “switches” to set/verify • Advice also provided for optional security related products (such as database options) • Many recommendations automated via AutoConfig and Oracle Application Manager (OAM) • Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice

  9. Secure Configuration Scripts MOS Note 403537.1, Secure Configuration Guide for Oracle E-Business Suite Updated scripts available! • Packaged as SQL and Shell scripts • Periodically check for updated scripts • EBSSecConfigChecks.sql – runs all (12) other SQL scripts • Compiles them into a single report • Script comments often have hints for resolution • EBSCheckModSecurity.sh – shell script • Ongoing “Health Checks” to ensure critical security functionality • Run them early and often… • Once you have a baseline check for diffs

  10. Secure Configuration Scripts MOS Note 403537.1, Secure Configuration Guide for Oracle E-Business Suite • Current State vs Recommendations • ERRORS – Likely vulnerable to vulnerabilities • WARNINGS – Should understand context and reason for setting • Run anywhere • Scripts attempt to identify code level when required • Any version of EBS • Any certified version of the DB

  11. Secure Configuration Scripts MOS Note 403537.1, Secure Configuration Guide for Oracle E-Business Suite

  12. Top Ten Things You Can Do to Secure Your Oracle E-Business Suite Instance

  13. What Makes the “Top 10” Cut? Biggest bang for the buck • Most common issues seen at customer sites • Not as well known / new features • Least effort • Applicable to many releases • Free

  14. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords Bonus Items!

  15. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  16. 1. Check Profile Settings MOS Note 946372.1, Secure Configuration of E-Business Suite Profiles • Check script - EBSCheckProfilesMissing.sql • Reports on missing profiles • Check script - EBSCheckProfileErrors.sql • Reports on configuration errors • Check script - EBSCheckProfileWarnings.sql • Reports on configuration warnings

  17. Missing Profiles Note 946372.1, Secure Configuration of E-Business Suite Profiles • Check script - EBSCheckProfilesMissing.sql • Server Security (discussed in detail later) FND_SERVER_SEC / FND_SERVER_IP_SEC missing: • Patch#12715586:R12.FND.A delivers these missing profiles for R12.0.4+ • Patch#12715586:R12.FND.B delivers these missing profiles for R12.1.1+ • Attachments Secure Configuration (discussed later)FND_SECURITY_FILETYPE_RESTRICT_DFLT / FND_DISABLE_ANTISAMY_FILTER • Introduced with January 2012 CPU

  18. Profiles – Configuration Errors MOS Note 946372.1, Secure Configuration of E-Business Suite Profiles • Check settings of critical profile options • FND Validation Level Error • FND Function Validation Level Error • Framework Validation Level Error • Note: “Validation Level” Profiles will be removed in 12.2 • Restrict Text Input Y • Web ADI – Global Integrator Access N • Attachments Secure Configuration (discussed later)

  19. Profiles – Configuration Warnings MOS Note 946372.1, Secure Configuration of E-Business Suite Profiles • Check settings of profile warnings • FND Diagnostics No • Utilities Diagnostics No • Personalize Self-service DefnNo • Attachments Secure Configuration (discussed later)

  20. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  21. 2. Change Default Passwords E-Business Suite User Passwords • Check script - EBSCheckUserPasswords.sql • Checks EBS User passwords for default passwords • Secure seeded application accounts, end date, and change password • Refer to the Secure Configuration Guide • Oracle E-Business Suite Security / Authentication • Limitations on changing GUEST password MOS Note 443353.1 - How To Successfully Change The Guest Password In E-Business Suite 11.5.10 and R12

  22. 2. Change Default Passwords Database Passwords • Check script - EBSCheckDBPasswords.sql • Checks database passwords for all Oracle seeded accounts • Reports on account status (locked) • Fix using: • AFPASSWD / FNDCPASS – APPS controlled accounts • password / alter user… - for non-APPS controlled accounts • Refer to Secure Configuration Guide • Appendix C lists each user and provides advice

  23. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  24. 3. Secure APPLSYSPUB • Change password • Only in R12 • Must run AutoConfig to populate the change to configuration files • APPLSYSPUB password must always be uppercase(even if database case sensitive passwords have been turned on)

  25. 3. Secure APPLSYSPUB SCG - REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB • Check script - EBSCheckApplsyspubPrivs.sql • Check privileges • Fix privileges with the following: • Run $FND_TOP/patch/115/sql/afpubfix.sql

  26. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  27. 4. Activate Server Security Secure Config Guide - ACTIVATE SERVER SECURITY • Check script - EBSCheckServerSecurity.sql select 'Server Security is on’ from FND_NODES where server_address = '*' and server_id='SECURE‘ • Switch “Server Security” to SECURE mode • Refer to System Administrators Guide • Administering Server Security

  28. “Server Security” feature Sample DBC file created by AdminAppServer or AdminDesktop GWYUID=APPLSYSPUB/PUB GUEST_USER_PWD=GUEST/ORACLE FNDNAM=APPS APPL_SERVER_ID=AC70BE2E89CAC15F…64235254236135131826220 TWO_TASK=PROD DB_PORT=1521 DB_HOST=pdb1213.example.com APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\= (ADDRESS\= (PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNECT_DATA\=(SERVICE_NAME\=PROD))) JDBC\:oracle.jdbc.maxCachedBufferSize=358400

  29. Using AdminDesktop Use AdminDesktop to create DBC files for non-EBS nodes • Secure configuration for DBC files for non-EBS nodes • Create the DBC file on an EBS AppTier node • Create it to be IP Address specific • Maintain mode 600 while creating and copying to the recipient node • Examples of Non-EBS nodes are BPEL and WebService nodes • Refer to AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite (Note 974949.1)

  30. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  31. 5. Implement IP Address Restrictions MOS Note 387859.1, Using AutoConfig to Manage System Configurations… • Lock down your database listener • Set IP addresses in $TNS_ADMIN/sqlnet.ora: • tcp.validnode_checking = YES • tcp.invited_nodes = ( X.X.X.X, hostname, ... ) • Manage via AutoConfig • Set Profile: “SQLNet Access” (FND_SQLNET_ACCESS) to Allow Restricted • Run autoconfig on the database server • Use a whitelist of IP addresses

  32. 5. Implement IP Address Restrictions MOS Note 387859.1, Using AutoConfig to Manage System Configurations… • No automated check via scripts • Manual check from a node not in white list • Should get a hang up: bash$ telnet ebs.example.com 1521Trying 115.X.X.X...Connected to ebs.example.comEscape character is '^]`Connection closed by foreign host.

  33. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  34. 6. Migrate to Non-Reversible Hash Password MOS Note 457166.1, FNDCPASS Utility • Check script - EBSCheckHashedPasswords.sqlselect 'Hashed passwords are not on' "Password Mode" from dual where FND_WEB_SEC.GET_PWD_ENC_MODE is null; • Switch to hashed passwords for applications users Note 457166.1 • FNDCPASS apps/apps 0 Y system/manager USERMIGRATE SHA1 • Upgrade any desktop clients FNDPUB DLL/Libraries • Discoverer, Configurator, Desktop ADI… • Or even better, replace these with their web variant

  35. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  36. 7. Enable SSL/TLS for web listener MOS Note 376700.1, Enabling SSL for Oracle Applications Release 12 MOS Note 1367293.1, Enabling SSL in Oracle Applications Release 12.2 • Check script - EBSCheckSSL.sql • Checks via FND_WEB_CONFIG.PROTOCOL • Enable SSL (https) for web listener • Avoid weak ciphers and protocols (<128 bit & SSLv2) • Using Telnet Mobile Web Apps? • Mechanism for securing MWA Telnet communication via stunnel • MOS Note 1493091.1

  37. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  38. 8. Move Off of Client/Server Components  End User PCs should not have Direct DB Connection • Switch to equivalent Web components when possible • Desktop ADI -> Web ADI and Report Manager • Put client/server components on a secured server (Note 277535.1) • Setup access through a Windows Server Terminal Services or Secure Global Desktop • Activate Server Security (per Number 4 on the Top 10 list) • Eliminate end user direct access to the DBC file

  39. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  40. 9. Secure Configuration of Attachments • Check script – Part of the profile checks • File Upload Limits for Attachments • Attachments file type extension validation • Tag scanning of HTML Attachments

  41. File Upload Limits for Attachments MOS Note 604458.1, How to Limit The Attachment File Size? • Set Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT) • Limits the maximum Attachment file size that can be uploaded • Specified in KB (e.g. 2000KB) • Allowing unlimited attachment sizes can allow for a Denial of Service attack (DOS)

  42. Attachments File Type Validation MOS Note 1357849.1, Security Configuration Mechanism in Attachments • Set Profile: Attachment File Upload Restriction Default • Yes (default): Black list behavior – Disallow types marked as ‘N’ • No (recommended): White list behavior – Only allow types marked as ‘Y’ • Validate attachments file type extensions • New column - FND_MIME_TYPES. ALLOW_FILE_UPLOAD – values N & Y • Delivered as part of January 2012 CPU

  43. Tag Scanning of HTML Attachments MOS Note 1357849.1, Security Configuration Mechanism in Attachments • Set Profile: FND: Disable Antisamy Filter • False (default / recommended) – sanitize HTML pages • OWASP Antisamy – allows a specific (white list) of HTML elements and attributes • Error Message if uploaded HTML file was modified: The document you uploaded has been modified to remove restricted tags.  Please check the document and replace it if necessary. • Delivered as part of January 2012 CPU

  44. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  45. 10. Turn on ModSecurity • Check script - EBSCheckModSecurity.sh • Usage: EBSCheckModSecurity.sh https://ebs.example.com:4443 • Shell script – not run by EBSSecConfigChecks.sql • ModSecurity - Web Application Firewall apache module • Part of iAS 1.0.2.2 and OHS 10.1.3 and OHS 11.1.1.6 • Automatically configured • ModSecurity blocks “bad” requests (black list) – can also white list • Null bytes, directory crawling, URL encoding, UTF-8 encoding • Stops “obviously bad” requests early

  46. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

  47. 11. Encrypt Credit Card Data • Check script - EBSCheckCCEncryption.sql • 1. Checks whether credit cards are encrypted in ‘Immediate’ mode • Info on encryption - Payments User Implementation guide. • For more info on PA-DSS compliance - MOS Note 981033.1 .

  48. 11. Encrypt Credit Card Data • Check script - EBSCheckCCEncryption.sql • 2. Checks Supplemental Credit Card Data Encryption • Encrypts expiration date and card holder name • MOS Note 981033.1 - 'Payments 12.1.2 Release Notes' • 3. Enhanced Hashing • Defends against brute forcing of hashes • Concurrent program to rehash • Patch 13114025:R12.IBY.B

  49. Top 10+ Things You Can Do to Secure Your E-Business Suite Deployment • Enable Application Tier Secure Socket Layer • Move Off Client/Server Components • Secure Configuration for Attachments • Turn on ModSecurity • Encrypt Credit Card Data • Secure Sensitive Administrator Functionality • Check Profile Settings • Change Default Passwords • Secure APPLSYSPUB • Activate Server Security • Implement IP Address Restrictions • Migrate to Non-Reversible Hash Passwords

More Related