    Oracle Service 'RunAs' and security


      I guess this question is partly to do with installation and partly to do with security.
      When I install Oracle (10g/11g under Windows) the service for TNS Listener and the database itself is set to run under 'Local System', however in order to enable network file access previously this has been altered to 'Administrator' (which since the box is a Domain controller has to be the Domain Administrator). So this is probably not a good idea, security-wise. I have been trying to find how to make this better but I can't find anything in the documentation about this. Most things I read about Oracle security advise creating a low-priv Windows service account with the necessary filesystem permissions, however if I do this and make the user a member of the ORA_DBA groups there are problems running the service(s). After some investigation with Oracle Support they tell me that the RunAs user for the services has to be a local admin which I don't believe.
      One possible solution is to set the services to run as 'LOCAL_SYSTEM' or 'NETWORK_SERVICE' and then grant COMPUTERNAME network file access to the required shares.
      Can anyone please suggest a standard way of setting this all up so that Oracle runs securely and has network access? (Yes I know it shouldn't be on a domain controller and that all filesystem access should be local, but this isn't the ideal world!)


