Archives of the TeradataForum
Message Posted: Thu, 17 Feb 2006 @ 01:11:17 GMT
Subj: Re: Password Self-service
From: Hough, David A
We have a mixture of web-based and desktop tools for userid/password management for 4,000 users, and we're relatively new to it all. I'd like to offer some security issues for consideration:

First, you need to be using at least V2R6 & TTU8.1 drivers (ODBC, CLIv2, etc.) with data-in-flight encryption before any of the proposed methods are secure from a network sniffer. V2R5.1 & TTU8.0 may be enough, but I'm not sure. This matters to you if you have a defense-in-depth requirement, i.e. someone punches through your perimeter firewall and the individual system security has to stand on its own until repairs are made.

Second, anyone with access to DBQL (or accesslog) controls can gain access to all the password change information. Changing the logging levels to include whatever SQL you are using for password reset, like a stored procedure, is relatively easy. And it doesn't matter if the logging is intentional or not; any place those password entries touch down becomes sensitive (archive tables, tape backups, whatever).

Depending on how you set things up, you may be able to harden MP-RAS enough to use SSL or SSH and do your secure connections that way. It means two logins (one MP-RAS and one Teradata), but at least it would be secure.
/dave hough
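
An added example, not part of the original post: a check that finds and masks password values in exported query-log text before it reaches archive tables or backups, the exposure the second point describes. The row layout, the procedure name `secadmin.reset_password` and the sample rows are assumptions constructed for illustration.

```python
import re

MASK = "***REDACTED***"

# PASSWORD = <value> as it appears in CREATE USER / MODIFY USER statement text.
PASSWORD_CLAUSE = re.compile(
    r"""(\bPASSWORD\s*=\s*)("[^"]*"|'[^']*'|[^\s,;()]+)""", re.IGNORECASE)

# Hypothetical reset procedure: CALL secadmin.reset_password('user', 'newpw')
RESET_CALL = re.compile(
    r"""(\bCALL\s+secadmin\.reset_password\s*\(\s*'[^']*'\s*,\s*)'[^']*'""",
    re.IGNORECASE)


def redact(sql_text):
    """Return (masked_text, number_of_password_values_masked)."""
    masked, n1 = PASSWORD_CLAUSE.subn(lambda m: m.group(1) + MASK, sql_text)
    masked, n2 = RESET_CALL.subn(
        lambda m: m.group(1) + "'" + MASK + "'", masked)
    return masked, n1 + n2


def scan(rows):
    """rows: iterable of (query_id, logged_user, sql_text) from a log export.
    Returns only the rows that carried a password, with the value masked."""
    findings = []
    for query_id, user, sql_text in rows:
        masked, count = redact(sql_text)
        if count:
            findings.append((query_id, user, masked))
    return findings


# Constructed sample rows, not taken from any real system.
SAMPLE_ROWS = [
    (1001, "HELPDESK", 'MODIFY USER jdoe AS PASSWORD = "Spring#2006";'),
    (1002, "RPT_USER", "SELECT COUNT(*) FROM sales.orders;"),
    (1003, "WEBAPP", "CALL secadmin.reset_password('asmith', 'Tmp-Pw-17');"),
    (1004, "DBADMIN", "create user bnew as perm = 0, password=Welcome1;"),
]

if __name__ == "__main__":
    for query_id, user, masked in scan(SAMPLE_ROWS):
        print(query_id, user, masked)
```

A non-empty result from `scan` on a log export means password text has already been logged, so the stored copies of those rows need the same handling as the passwords themselves.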