Copyright 2012, Oracle and/or its affiliates. All rights reserved.

The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance
Eric Bing
Applications Product Security


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.


Agenda
Deployment and Configuration
Secure Configuration Scripts
Top 10: 1-5
Top 10: 6-10
Top 10: Bonus
Credit Card Encryption
E-Business Suite template for Data Masking Pack


Deployment and Configuration


Secure E-Business Suite Deployment
General EBS advice
Stay current with patching
Apply Critical Patch Updates (CPUs) + Security Alerts
Patch Set Updates (PSUs) are an option for the techstack
Apply the most recent maintenance pack (yes, security improves as well)
Follow our recommendations for secure deployment
Secure Configuration Guide for Oracle E-Business Suite
Oracle E-Business Suite Configuration in a DMZ
Note: Follow this if deploying any parts of EBS to the Internet


E-Business Suite Secure Configuration Guides
(previously known as Best Practice documents)
Release 11i, MOS Note 189367.1
Release 12, MOS Note 403537.1


E-Business Suite Secure Configuration Guides
Advice for security-related switches to set/verify
Many recommendations automated via AutoConfig and Oracle Application Manager (OAM)
Advice also provided for optional security-related products (such as database options)
Guidelines are based upon current patch levels
11.5.10 and up, 12.0.6 and up, 12.1.2 and up
Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice


Secure Configuration Scripts
Current State vs Recommendations
ERRORS: Likely vulnerable to issues
WARNINGS: Likely violating Secure Config Guidelines
Run anywhere
Scripts attempt to identify code level when required
Any supported version of EBS
Any supported version of the DB


Secure Config Scripts
Packaged as SQL and Shell scripts
EBSSecConfigChecks.sql runs all (12) other SQL scripts
Compiles them into a single report
Script comments often have hints for resolution
EBSCheckModSecurity.sh shell script
Ongoing Health Checks
Checks to ensure critical security functionality
Run them early and often
Once you have a baseline, check for diffs
Roadmap: Online Dashboard with alerts


Top Ten


What makes the Top 10 cut?
Biggest bang for the buck
Most common issues seen at customer sites
Not as well known / new features
Least effort
Applicable to many releases
Free


Top 10: Items 1-5
1. Check Profile Settings
2. Change Default Passwords
3. Secure APPLSYSPUB
4. Activate Server Security
5. Implement IP address restrictions


1. Profile Settings
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check script - EBSCheckProfilesMissing.sql
Reports on missing profiles
Check script - EBSCheckProfileErrors.sql
Reports on configuration errors
Check script - EBSCheckProfileWarnings.sql
Reports on configuration warnings


Missing Profiles
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check script - EBSCheckProfilesMissing.sql
Server Security (discussed in detail later)
FND_SERVER_SEC / FND_SERVER_IP_SEC missing:
Patch#12715586:R12.FND.A delivers these missing profiles for R12.0.4+
Patch#12715586:R12.FND.B delivers these missing profiles for R12.1.1+
Attachments Secure Configuration (discussed later)
FND_SECURITY_FILETYPE_RESTRICT_DFLT / FND_DISABLE_ANTISAMY_FILTER
Introduced with January 2012 CPU


Profiles Configuration Errors
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check settings of critical profile options
FND Validation Level: Error
FND Function Validation Level: Error
Framework Validation Level: Error
Restrict Text Input
Attachments Secure Configuration (discussed later)
Validation Level Profiles will be removed in 12.2


Profiles Configuration Warnings
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check settings of profile warnings
FND Diagnostics: No
Utilities Diagnostics: No
Personalize Self-service Defn: No
Attachments Secure Configuration (discussed later)


2. Default Passwords
E-Business Suite User Passwords
Check script - EBSCheckUserPasswords.sql
Checks EBS User passwords for default passwords
Secure seeded application accounts: end date them and change the password
See the Secure Configuration Guide, Oracle E-Business Suite Security / Authentication


2. Default Passwords
Database Passwords
Check script - EBSCheckDBPasswords.sql
Checks User and DB passwords
select * from dba_users_with_defpwd (11g only)
Fix using:
AFPASSWD / FNDCPASS for APPS controlled accounts
Password / alter user for non-APPS controlled accounts
The Secure Configuration Guide Appendix C lists each user and provides advice


3. Secure APPLSYSPUB
Change password
Only in R12
Must run AutoConfig to populate the change to configuration files
APPLSYSPUB password must always be uppercase (even if Case Sensitive Passwords have been turned on)


3. Secure APPLSYSPUB
SCG - REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB
Check script - EBSCheckApplsyspubPrivs.sql
Check privileges
Fix privs:
Run $FND_TOP/patch/115/sql/afpubfix.sql


4. Activate Server Security
Secure Config Guide - ACTIVATE SERVER SECURITY
Check script - EBSCheckServerSecurity.sql
select 'Server Security is on'
from FND_NODES
where server_address = '*' and server_id = 'SECURE';
Switch Server Security to SECURE mode
System Administrators Guide, Administering Server Security


Server Security feature
Sample DBC file created by AdminAppServer or AdminDesktop
GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=AC70BE2E89CAC15F64235254236135131826220
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS\=(PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNECT_DATA\=(SERVICE_NAME\=PROD)))
JDBC\:oracle.jdbc.maxCachedBufferSize=358400


Using AdminDesktop
Use AdminDesktop to create DBC files for non-EBS nodes
Non-EBS nodes are BPEL and WebService nodes
Create the DBC file on an EBS AppTier node
Create it to be IP Address specific
Maintain mode 600 while creating and copying to the recipient node
Documented in Note: 974949.1 "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite".
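The two slides above describe what a DBC file carries and that it must stay at mode 600 on its way to the recipient node. The following is an added example, not Oracle's code or a script from the deck: it parses a DBC file in its Java .properties style (the backslash-escaped ':' and '=' seen in the sample) and reports a file whose permissions or Server Security fields are off. The sample contents are constructed from the deck's sample, with APPL_SERVER_ID replaced by a placeholder; the function and key names are the author's assumptions.

```python
import stat

# Constructed sample modelled on the DBC file in the deck; APPL_SERVER_ID is a placeholder.
SAMPLE_DBC = """\
GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=PLACEHOLDER_SERVER_ID
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
APPS_JDBC_URL=jdbc\\:oracle\\:thin\\:@(DESCRIPTION\\=(ADDRESS\\=(PROTOCOL\\=tcp)(HOST\\=pdb1213.example.com)(PORT\\=1521)))(CONNECT_DATA\\=(SERVICE_NAME\\=PROD)))
"""
REQUIRED_KEYS = ("GWYUID", "GUEST_USER_PWD", "FNDNAM", "TWO_TASK", "DB_HOST", "DB_PORT")

def _split_property(line):
    """Split key=value; a backslash escapes the next character (Java .properties style)."""
    key, value, escaped = [], None, False
    target = key
    for ch in line:
        if escaped:
            target.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and value is None:
            value = target = []  # first unescaped '=' separates key from value
        else:
            target.append(ch)
    return "".join(key), "".join(value or [])

def parse_dbc(text):
    """Parse DBC contents into a dict, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, value = _split_property(line)
            props[key] = value
    return props

def check_dbc(text, st_mode):
    """Return findings for DBC contents plus the file's st_mode; an empty list means clean."""
    props, perm, findings = parse_dbc(text), stat.S_IMODE(st_mode), []
    if perm != 0o600:
        findings.append("mode is %o, expected 600 (owner read/write only)" % perm)
    if not props.get("APPL_SERVER_ID"):
        findings.append("APPL_SERVER_ID missing: no server id for Server Security")
    findings.extend("required key missing: " + k for k in REQUIRED_KEYS if k not in props)
    return findings
```

On a real node, call check_dbc with the file's contents and os.stat(path).st_mode.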


5. Implement IP address restrictions
387859.1: Using AutoConfig to Manage System Configurations
Use a whitelist of IP addresses
Profile: Allow Restricted (FND_SQLNET_ACCESS)
Tells AutoConfig to automate this when run on the DB server
$TNS_ADMIN/sqlnet.ora:
tcp.validnode_checking = YES
tcp.invited_nodes = ( X.X.X.X, hostname, ... )


5. Implement IP address restrictions
387859.1: Using AutoConfig to Manage System Configurations
No automated check via scripts
Manual check from a node not in the whitelist
Should get a hang up:
bash$ telnet ebs.example.com 4443
Trying 115.X.X.X...
Connected to ebs.example.com
Escape character is '^]'.
Connection closed by foreign host.
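The deck notes that the scripts have no automated check for the sqlnet.ora whitelist. As an added example (not from the deck or Oracle's scripts), the code below reads the two settings the slides show, tcp.validnode_checking and tcp.invited_nodes, and answers whether a given client node would be accepted; the sqlnet fragment and addresses are constructed placeholders, and tcp.excluded_nodes is deliberately not modelled.

```python
import re

# Constructed sqlnet.ora fragment in the form the deck shows; the addresses are placeholders.
SAMPLE_SQLNET = """
tcp.validnode_checking = YES
tcp.invited_nodes = ( 10.0.0.5, 10.0.0.6,
                      appsnode.example.com )
"""

def parse_sqlnet(text):
    """Return lower-cased sqlnet.ora parameters; a parenthesised value becomes a list."""
    params = {}
    # A bracketed list may span lines, so [^)]* is allowed to cross newlines
    for m in re.finditer(r"^\s*([\w.]+)\s*=\s*(\([^)]*\)|[^\n]+)", text, re.M):
        key, value = m.group(1).lower(), m.group(2).strip()
        if value.startswith("("):
            params[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key] = value
    return params

def node_allowed(params, client):
    """True if the client host/IP may connect: with checking off every node is accepted,
    with checking on only tcp.invited_nodes entries are (compared case-insensitively)."""
    if str(params.get("tcp.validnode_checking", "NO")).upper() != "YES":
        return True
    invited = params.get("tcp.invited_nodes", [])
    invited = [invited] if isinstance(invited, str) else invited  # single unbracketed entry
    return client.lower() in [n.lower() for n in invited]

def check_sqlnet(text):
    """Findings for a sqlnet.ora: a disabled or empty whitelist is reported."""
    params, findings = parse_sqlnet(text), []
    if str(params.get("tcp.validnode_checking", "NO")).upper() != "YES":
        findings.append("tcp.validnode_checking is not YES: no IP address restriction in force")
    elif not params.get("tcp.invited_nodes"):
        findings.append("tcp.validnode_checking is YES but tcp.invited_nodes is empty")
    return findings
```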


Top 10: Items 6-10
6. Migrate to Password Hashing
7. Enable Application Tier Secure Socket Layer (SSL)
8. Move Off of Client/Server Components
9. Secure Configuration of Attachments
10. Turn on ModSecurity


6. Migrate Oracle Applications User Passwords to Non-Reversible Hash Password
MOS Note 457166.1 - FNDCPASS Utility New Feature
Check script - EBSCheckHashedPasswords.sql
select 'Hashed passwords are not on' "Password Mode"
from dual where FND_WEB_SEC.GET_PWD_ENC_MODE is null;
Switch to hashed passwords for applications users (Note 457166.1)
FNDCPASS apps/apps 0 Y system/manager USERMIGRATE SHA1
Upgrade any desktop clients' FNDPUB DLL/Libraries
Discoverer, Configurator, Desktop ADI
Or even better, replace these with their web variant


7. Enable SSL/TLS for web listener
Note 376700.1 Enabling SSL for Oracle Applications Release 12
Check script - EBSCheckSSL.sql
Checks via FND_WEB_CONFIG.PROTOCOL
Enable SSL (https) for web listener
Avoid weak ciphers and protocols (<128 bit & SSLv2)
Using Telnet Mobile Web Apps?
Mechanism for securing MWA Telnet communication via Stunnel (Note 1493091.1)


8. Move off of client/server components
End User PCs should not have a direct DB connection
Switch to equivalent Web components when possible
Desktop ADI -> Web ADI and Report Manager
Put client/server components on a secured server (Note 277535.1)
Windows Server Terminal Services
Secure Global Desktop
Users should not be able to access the DBC file directly


9. Secure Configuration of Attachments
Check script: part of the profile checks
File Upload Limits for Attachments
Attachments file type validation
Tag scanning of HTML Attachments


File Upload Limits for Attachments
Note 604458.1 - How to Limit The Attachment File Size?
Allowing unlimited attachment sizes can allow for a Denial of Service (DoS) attack
Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT)
Limits the maximum Attachment file size that can be uploaded
Specified in KB (e.g. 2000KB)


Attachments File Type Validation
Note 1357849.1 - Security Configuration Mechanism in Attachments
Delivered as part of January 2012 CPU
Profile: Attachment File Upload Restriction Default
Yes (default): Blacklist behavior - Disallow types marked as N
No (recommended): Whitelist behavior - Only allow types marked as Y
Attachments file type validation
New column - FND_MIME_TYPES.ALLOW_FILE_UPLOAD, values N & Y
Configured by default as a black list
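To make the difference between the two profile values concrete, here is an added example (not Oracle's attachment code) that models the file size limit from the previous slide and the file type rule from this one as the deck describes them: in blacklist mode only types flagged N are refused, in whitelist mode only types flagged Y are accepted, so unlisted or unflagged types are where the two settings diverge. The FND_MIME_TYPES rows are a constructed subset, and treating 1 KB as 1024 bytes is an assumption.

```python
# Constructed subset of FND_MIME_TYPES as {extension: ALLOW_FILE_UPLOAD}; None is a row whose
# flag was never set, and an extension absent from the dict is a type with no row at all.
SAMPLE_MIME_TYPES = {"pdf": "Y", "txt": "Y", "exe": "N", "html": "N", "svg": None}

def upload_allowed(extension, restrict_default, mime_types=SAMPLE_MIME_TYPES):
    """Apply profile 'Attachment File Upload Restriction Default' to one file type.
    "Yes" (delivered default) is blacklist behaviour: refuse only types flagged N.
    "No" (recommended) is whitelist behaviour: accept only types flagged Y."""
    flag = mime_types.get(extension.lower())
    if restrict_default == "Yes":
        return flag != "N"
    if restrict_default == "No":
        return flag == "Y"
    raise ValueError("profile value must be 'Yes' or 'No': %r" % (restrict_default,))

def blacklist_only_types(mime_types=SAMPLE_MIME_TYPES, extra=()):
    """Extensions accepted in blacklist mode but refused in whitelist mode: unlisted
    or unflagged types, which is why the deck recommends the 'No' setting."""
    return sorted(e for e in set(mime_types) | set(extra)
                  if upload_allowed(e, "Yes", mime_types) and not upload_allowed(e, "No", mime_types))

def attachment_accepted(filename, size_bytes, restrict_default, size_limit_kb,
                        mime_types=SAMPLE_MIME_TYPES):
    """Combine the two profile checks: UPLOAD_FILE_SIZE_LIMIT (in KB, taken here as
    1024 bytes, an assumption) and the file type rule. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if size_limit_kb is not None and size_bytes > size_limit_kb * 1024:
        return False, "exceeds Upload File Size Limit of %d KB" % size_limit_kb
    if not upload_allowed(ext, restrict_default, mime_types):
        return False, "file type '%s' refused with Restriction Default=%s" % (ext, restrict_default)
    return True, "accepted"
```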


Tag scanning of HTML Attachments
Note 1357849.1 - Security Configuration Mechanism in Attachments
Delivered as part of January 2012 CPU
Tag scanning of HTML Attachments
OWASP AntiSamy allows only a specific white list of HTML tags
Profile: FND: Disable Antisamy Filter
False (default / recommended): sanitize HTML pages
Message shown to the user: "The document you uploaded has been modified to remove restricted tags. Please check the document and replace it if necessary."


Tag scanning of HTML Attachments
Note 1357849.1 - Security Configuration Mechanism in Attachments
Warning: AntiSamy scan requires the character set to be known:
Can cause character set issues for binary attachments
Fix (patch 14141465) will use the meta tag or FND_NATIVE_CLIENT_ENCODING
Need to take this patch up if you see character set issues in binary attachments


10. Ensure ModSecurity is on
Check script - EBSCheckModSecurity.sh
Usage: EBSCheckModSecurity.sh https://ebs.example.com:4443
Shell script not included in EBSSecConfigChecks.sql
ModSecurity - Web Application Firewall apache module
Part of iAS 1.0.2.2 and OHS 10.1.3
Automatically configured
ModSecurity blocks bad requests (black list); can also white list
Null bytes, directory crawling, URL encoding, UTF-8 encoding
Stops obviously bad requests early


Top 10: Bonus
11. Encrypt Credit Card Data
12. Separation of Duties: Review Access To Sensitive Administrative Pages


11. Credit Card Encryption
Check script - EBSCheckCCEncryption.sql
1. Checks whether credit cards are encrypted in Immediate mode
Info on encryption - Payments User Implementation guide.
For more info on PA-DSS compliance - Note 981033.1.


11. Credit Card Encryption
New features
Check script - EBSCheckCCEncryption.sql
2. Checks Supplemental Credit Card Data Encryption
Encrypts expiration date and card holder name
MOS Note 981033.1 - 'Payments 12.1.2 Release Notes'
3. Enhanced Hashing
Defends against brute forcing of hashes
Concurrent program to rehash
Patch 13114025:R12.IBY.B


12. Sensitive Administrator Functionality
Note 1334930.1 Sensitive Administrative Pages in Oracle EBS
Security Administrator
Control of access to pages and profiles
Administrator / Developer Functionality
Pages / profiles which allow for Application Development at Runtime
SQL fragments, HTML fragments, OS commands
Should be disabled, controlled, and audited in production environments
Flexfield definitions
Forms and Framework personalization
Designed-in SQL injections or XSS injections


12. Sensitive Administrator Functionality
Note 1334930.1 Sensitive Administrative Pages in Oracle EBS
Identifies new categories of sensitive functionality:
Oracle Forms-based Forms Controlled by Function Security (~40)
HTML Pages Controlled by Function Security (~25)
Pages and Forms Controlled by Profile Options (3)
Pages Controlled by JTF Roles and Permissions (3)


12. Sensitive Administrator Functionality
Note 1334930.1 Sensitive Administrative Pages in Oracle EBS
Check Script: EBSCheckSensitivePageAccess.sql
Not called by default from EBSSecConfigChecks.sql
SQL scripts drive off of page and form names (not functions)
Slower, but ensures we pick up custom functions that include these
Reduce and eliminate access to these pages by admins in production
Use Fine Grained Auditing to audit the tables associated with these pages
