Ebs Security Top 10 Tips 1906570

1
Copyright 2012, Oracle and/or its affiliates. All rights reserved.
The Top 10 (Free) Things

You Can Do to Secure Your
Oracle E-Business Suite
Instance
Eric Bing
Applications Product Security
The following is intended to outline our general product

direction It is intended for information purposes only
direction.
only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
decisions. The development, release, and timing of any
f t
features
or functionality
f
ti
lit described
d
ib d ffor O
Oracle's
l ' products
d t
remains at the sole discretion of Oracle.
3
Copyright
Oracle
2012, Oracle
its affiliates.
All reserved.
rights
Copyright
2012,
and/or and/or
its affiliates.
All rights
reserved.
Agenda
g
Deployment and Configuration
Secure Configuration Scripts
Top 10: 1-5
Top 10: 6-10
Top 10: Bonus
Credit Card Encryption
E-Business Suite template for Data Masking Pack
Deployment and
Configuration
Secure E-Business Suite Deployment

p y
General EBS advice
Stay current with patching
Apply Critical Patch Updates (CPUs) + Security Alerts
Patch
P t hS
Setup
t U
Update
d t (PSU
(PSUs)) are an option
ti ffor ttechstack
h t k
Apply most recent maintenance pack (yes, security improves as well)
Follow our recommendations for secure deployment
p y
Secure Configuration Guide for Oracle E-Business Suite
Oracle E-Business Suite Configuration in a DMZ
Note: Follow this if deploying any parts of EBS to the Internet
E-Business Suite Secure Configuration Guides

(previously known as Best Practice documents)
Release 11i, MOS Note 189367.1

Release 12, MOS Note 403537.1
E-Business Suite Secure Configuration

g
Guides
Advice for security-related switches to set/verify
Many recommendations automated via AutoConfig and Oracle
Application Manager (OAM)

Advice
Ad i also
l provided
id d for
f optional
ti
l security
it related
l t d products
d t ((such
h as
database options)
Guidelines are based upon
p current p
patch levels
11.5.10 and up 12.0.6 and up 12.1.2 and up
Please raise an SR with support against the Guides if you feel there
are problems
bl
or omissions
i i
with
ith th
the advice
d i
8
Secure Configuration
g
Scripts
p
Current State vs Recommendations
ERRORS Likely vulnerable to issues
WARNINGS Likely violating Secure Config Guidelines
Run
R anywhere
h
Scripts attempt to identify code level when required
Any supported version of EBS
Any supported version of the DB
Secure Config
g Scripts
p
Packaged as SQL and Shell scripts
EBSSecConfigChecks.sql runs all (12) other SQL scripts
Compiles them into a single report
Script
S i t comments
t often
ft have
h
hints
hi t for
f resolution
l ti
EBSCheckModSecurity.sh shell script
Ongoing Health
Health Checks
Checks to ensure critical security functionality
Run them early and often
Once you have a baseline check for diffs
Roadmap: Online Dashboard with alerts

10
Top Ten
11
What makes the Top

p 10 cut?
Biggest bang for the buck
Most common issues seen at customer sites
Not as well known / new features
Least effort
Applicable to many releases
Free
12
Top 10: Items 1-5

1. Check Profile Settings
2. Change Default Passwords
3 Secure APPLSYSPUB
3.
4. Activate Server Security
5.
5 Implement IP address restrictions
13
1. Profile Settings
g
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check script - EBSCheckProfilesMissing.sql
Reports on missing profiles
Check script - EBSCheckProfileErrors.sql

Reports on configuration errors
Check script - EBSCheckProfileWarnings.sql

Reports on configuration warnings
14
Missing
g Profiles
Check script - EBSCheckProfilesMissing.sql
Server Security (discussed in detail later)
FND_SERVER_SEC / FND_SERVER_IP_SEC missing:

Patch#12715586:R12.FND.A delivers these missing profiles for R12.0.4+
Patch#12715586:R12.FND.B delivers these missing profiles for R12.1.1+
Attachments Secure Configuration (discussed later)
FND_SECURITY_FILETYPE_RESTRICT_DFLT /
FND_DISABLE_ANTISAMY_FILTER
Introduced with January 2012 CPU
15
Profiles Configuration
g
Errors
Check settings of critical profile options
FND Validation Level
Error
FND Function Validation Level Error

Framework
F
k Validation
V lid ti L
Levell
Restrict Text Input
E
Error
Attachments Secure Configuration

g
((discussed later))
Validation Level Profiles will be removed in 12.2
16
Profiles Configuration
g
Warnings
g
Check settings of profile warnings
FND Diagnostics
No
Utilities Diagnostics
No
Personalize
P
li S
Self-service
lf
i D
Defn
f
N
No
Attachments Secure Configuration (discussed later)
17
2. Default Passwords
E-Business Suite User Passwords
Check script - EBSCheckUserPasswords.sql
Checks EBS User passwords for default passwords
Secure seeded application accounts, end date, and change password

See the Secure Configuration Guide
Oracle E-Business Suite Security / Authentication
18
2. Default Passwords
Database Passwords
Check script - EBSCheckDBPasswords.sql
Checks User and DB passwords
select * from dba_users_with_defpwd (11g only)

Fix
Fi using:
i
AFPASSWD / FNDCPASS APPS controlled accounts
Password / alter user - for non-APPS controlled
accounts
The Secure Configuration Guide Appendix C lists each user and
provides advice
19
3. Secure APPLSYSPUB
Change password
Only in R12
Must run AutoConfig to populate the change to configuration files
APPLSYSPUB password
d mustt always
l
be
b uppercase
(even if Case Sensitive Passwords have been turned on)
20
3. Secure APPLSYSPUB
SCG - REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB
Check script - EBSCheckApplsyspubPrivs.sql
Check privileges
Fix privs:
Run $FND_TOP/patch/115/sql/afpubfix.sql
$
21
4. Activate Server Security

y
Secure Config Guide - ACTIVATE SERVER SECURITY
Check script - EBSCheckServerSecurity.sql
select 'Server Security is on

from FND_NODES
where server_address
server address = '*' and server_id=
server id='SECURE'
SECURE
Switch Server Security
y to SECURE mode
System Administrators Guide, Administering Server Security
22
Server Security
y feature
Sample DBC file created by AdminAppServer or AdminDesktop
GWYUID=APPLSYSPUB/PUB
GUEST USER PWD GUEST/ORACLE
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=AC70BE2E89CAC15F64235254236135131826220
TWO TASK PROD
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
APPS JDBC URL=jdbc\:oracle\:thin\:@(DESCRIPTION\= (ADDRESS\=
APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\=
(PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNEC
T_DATA\=(SERVICE_NAME\=PROD)))
JDBC\:oracle jdbc maxCachedBufferSize=358400
JDBC\:oracle.jdbc.maxCachedBufferSize=358400
23
Using
g AdminDesktop
p
Use AdminDesktop to create DBC files for non-EBS nodes
Non-EBS nodes are BPEL and WebService nodes
Create the DBC file on an EBS AppTier node
Create it to be IP Address specific
Maintain
M i t i mode
d 600 while
hil creating
ti and
d copying
i tto th
the recipient
i i t node
d
Documented in Note: 974949.1 "AppsDataSource, Java Authentication
and Authorization Service,, and Utilities for Oracle E-Business Suite".
24
5. Implement
p
IP address restrictions
387859.1: Using AutoConfig to Manage System Configurations
Use a whitelist of IP addresses
Profile: Allow Restricted (FND_SQLNET_ACCESS)
Tells autoconfig to automate this when run on the DB server
$TNS_ADMIN/sqlnet.ora:
tcp.validnode_checking = YES
tcp.invited_nodes
tcp invited nodes = ( X
X.X.X.X,
X X X hostname
hostname, ... )
25
5. Implement
p
IP address restrictions
387859.1: Using AutoConfig to Manage System Configurations
No automated check via scripts
Manual check from a node not in white list
Should get a hang up:
bash$
$ telnet ebs.example.com 4443
Trying 115.X.X.X...
Connected to ebs.example.com
E
Escape
character
h
t is
i '^]
Connection closed by foreign host.
26
Top 10: Items 6-10

6. Migrate to Password Hashing
7. Enable Application Tier Secure Socket
Layer (SSL)
8. Move
M
Off off Client/Server
Cli t/S
Components
9 Secure Configuration of Attachments
9.
10. Turn on ModSecurity
27
6. Migrate Oracle Applications User Passwords

to Non-Reversible Hash Password
MOS Note 457166.1 - FNDCPASS Utility New Feature
Check script - EBSCheckHashedPasswords.sql
select 'Hashed passwords are not on' "Password Mode"

from dual where FND_WEB_SEC.GET_PWD_ENC_MODE is null;
Switch to hashed passwords for applications users Note 457166
457166.1
1
FNDCPASS apps/apps 0 Y system/manager USERMIGRATE SHA1
Upgrade any desktop clients FNDPUB DLL/Libraries

Discoverer, Configurator, Desktop ADI
Or even better, replace these with their web variant
28
7. Enable SSL/TLS for web listener

Note 376700.1 Enabling SSL for Oracle Applications Release 12
Check script - EBSCheckSSL.sql
Checks via FND_WEB_CONFIG.PROTOCOL
Enable SSL (https) for web listener

Avoid weak ciphers and protocols (<128 bit & SSLv2)
Using Telnet Mobile Web Apps?
Mechanism for securing MWA Telnet communication via Stunnel (Note
1493091.1)
29
8. Move off of client/server components

p
End User PCs should not have a direct DB connection
Switch to equivalent Web components when possible
Desktop ADI -> Web ADI and Report Manager
Put client/server components on a secured server (Note 277535.1)

Windows Server Terminal Services
Secure Global Desktop
Users should not be able to access the DBC file directly
30
9. Secure Configuration
g
of Attachments
Check script Part of the profile checks
File Upload Limits for Attachments
Attachments file type validation
Tag scanning of HTML Attachments
31
File Upload
p
Limits for Attachments
Note 604458.1 - How to Limit The Attachment File Size?
Allowing unlimited attachment sizes can allow for a Denial of Service
attack (DOS)
Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT)
Limits
Li it th
the maximum
i
Att
Attachment
h
t file
fil size
i th
thatt can b
be uploaded
l d d
Specified in KB (e.g. 2000KB)
32
Attachments File Type

yp Validation
Note 1357849.1 - Security Configuration Mechanism in Attachments
Delivered as part of January 2012 CPU
Profile: Attachment File Upload Restriction Default
Yes (default): Blacklist behavior Disallow types marked as N
No (recommended): Whitelist behavior Only allow types marked as Y
Attachments file type validation
New column - FND_MIME_TYPES.

FND MIME TYPES ALLOW_FILE_UPLOAD
ALLOW FILE UPLOAD values N & Y
Configured by default as a black list
33
Tag
g scanning
g of HTML Attachments
Delivered as part of January 2012 CPU
Tag scanning of HTML Attachments
OWASP Antisamy allows a specific (white list) of HTML tags
Profile: FND: Disable Antisamy Filter
False (default / recommended) sanitize HTML pages
The document you uploaded has been modified to remove restricted

tags. Please check the document and replace it if necessary.
34
Tag
g scanning
g of HTML Attachments
Warning: Antisamy scan requires the character set to be known:
Can cause character set issues for binary attachments
Fix (patch14141465) will use meta tag or
FND NATIVE CLIENT ENCODING

FND_NATIVE_CLIENT_ENCODING
Need to take this p
patch up
p if yyou see character set issues in binary
y
attachments
35
10. Ensure ModSecurity

y is on
Check script - EBSCheckModSecurity.sh
Usage: EBSCheckModSecurity.sh https://ebs.example.com:4443
Shell script not included in EBSSecConfigChecks.sql
ModSecurity
M dS
it - Web
W bA
Application
li ti Fi
Firewallll apache
h module
d l
Part of iAS 1.0.2.2 and OHS 10.1.3
Automatically configured
ModSecurity blocks bad requests (black list) can also white list
Null bytes, directory crawling, URL encoding, UTF-8 encoding
Stops obviously bad requests early
36
Top 10: Bonus

11. Encrypt Credit Card Data
12. Separation of Duties: Review Access
To Sensitive Administrative Pages
37
11. Credit Card Encryption

yp
Check script - EBSCheckCCEncryption.sql
1. Checks whether credit cards are encrypted in Immediate mode
Info on encryption - Payments User Implementation guide.
For more info on PA-DSS compliance - Note 981033.1 .
38
11. Credit Card Encryption

yp
New features
Check script - EBSCheckCCEncryption.sql
2. Checks Supplemental Credit Card Data Encryption
Encrypts expiration date and card holder name
MOS Note 981033.1 - 'Payments 12.1.2 Release Notes'
3. Enhanced Hashing
Defends against brute forcing of hashes
Concurrent program to rehash
Patch 13114025:R12.IBY.B
39
12. Sensitive Administrator Functionality

y
Note 1334930.1 Sensitive Administrative Pages in Oracle EBS
Security Administrator
Control of access to pages and profiles
Administrator / Developer Functionality

Pages / profiles which allow for Application Development at Runtime
SQL fragments, HTML fragments, OS commands
Should be disabled, controlled, and audited in production environments
Flexfield definitions
Forms and Framework personalization
Designed-in
g
SQL injections
j
or XSS injections
j
40

y
Identifies new categories of sensitive functionality:
Oracle Forms-based Forms Controlled by Function Security (~40)
HTML Pages Controlled by Function Security (~25)
Pages and Forms Controlled by Profile Options (3)
Pages Controlled by JTF Roles and Permissions (3)
41

y
Check Script: EBSCheckSensitivePageAccess.sql
Not called by default from EBSSecConfigChecks.sql
SQL scripts drive off of page and form names (not functions)
Slower,
Sl
b
butt ensures we pick
i k up custom
t
ffunctions
ti
th
thatt iinclude
l d th
these
Reduce and eliminate access to these pages by admins in production

Use Fine Grained Auditing to audit the tables associated with these
pages
43
44

Ebs Security Top 10 Tips 1906570

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ebs Security Top 10 Tips 1906570

Uploaded by

Copyright:

Available Formats

1

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

The Top 10 (Free) Things

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

The following is intended to outline our general product

E-Business Suite template for Data Masking Pack

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Secure E-Business Suite Deployment

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

E-Business Suite Secure Configuration Guides

Release 11i, MOS Note 189367.1

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

E-Business Suite Secure Configuration

Application Manager (OAM)

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Roadmap: Online Dashboard with alerts

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

What makes the Top

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Top 10: Items 1-5

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Check script - EBSCheckProfileErrors.sql

Check script - EBSCheckProfileWarnings.sql

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

FND_SERVER_SEC / FND_SERVER_IP_SEC missing:

Attachments Secure Configuration (discussed later)

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

FND Function Validation Level Error

Attachments Secure Configuration

Validation Level Profiles will be removed in 12.2

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Attachments Secure Configuration (discussed later)

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Secure seeded application accounts, end date, and change password

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

select * from dba_users_with_defpwd (11g only)

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

(even if Case Sensitive Passwords have been turned on)

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

4. Activate Server Security

select 'Server Security is on

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Documented in Note: 974949.1 "AppsDataSource, Java Authentication

and Authorization Service,, and Utilities for Oracle E-Business Suite".

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Top 10: Items 6-10

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

6. Migrate Oracle Applications User Passwords

select 'Hashed passwords are not on' "Password Mode"

Upgrade any desktop clients FNDPUB DLL/Libraries

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

7. Enable SSL/TLS for web listener

Enable SSL (https) for web listener

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

8. Move off of client/server components

Put client/server components on a secured server (Note 277535.1)