
Restrict TOAD from accessing a DB?


E. Navarro

Mar 5, 2003, 3:01:44 PM
Oracle EE 8.1.7.4
Sun OS 5.7


All,

Does anyone know of a solution to prevent users from logging into a
database with certain applications? In my case, I want to prevent users
from logging into our production databases using TOAD.

I can monitor who is logging in and how they are logging in using OEM,
but what I would like is to be alerted the second someone tries to log
in using TOAD. Can this be done?

TIA,
Daniel N.
Oracle DBA

Yong Huang

Mar 5, 2003, 6:20:37 PM
navae...@hotmail.com (E. Navarro) wrote in message news:<b86354ef.03030...@posting.google.com>...

You can check v$session for module = 'T.O.A.D', or if the user
hasn't renamed the toad program name, program = 'TOAD.exe', and kill
the session. But it's trivial to even change the binary toad.exe to
hide the 'T.O.A.D' string. Open it with a binary file editor, or even
a text editor that is binary-file friendly such as (g)vim. Find the
string "begin sys.dbms_application_info.set_module('T.O.A.D.', null);
end;" and replace 'T.O.A.D' with any 7-character-long string. In a
nutshell, there's no absolute way to prevent it. You may be better off
blocking connections from any terminal other than designated ones using
$TNS_ADMIN/protocol.ora (or .protocol.ora if it's before 8.1.6.2).

If you wish to use product_user_profile table to restrict connections
from third party tools such as Toad, it's not possible. That table can
only block sqlplus connections.

Yong Huang

Joel Garry

Mar 5, 2003, 8:32:44 PM
navae...@hotmail.com (E. Navarro) wrote in message news:<b86354ef.03030...@posting.google.com>...
> Oracle EE 8.1.7.4
> Sun OS 5.7

Apologies if this is posted twice, Google suddenly did weird things a
few minutes ago.


>
>
> All,
>
> Does anyone know of a solution to prevent users from logging into a
> database with certain applications. In my case, I want to prevent users
> from logging into our production databases using TOAD.
>
> I can monitor who is logging in and how they are logging in using OEM,
> but what I would like is to be alerted the second someone tries to log
> in using TOAD. Can this be done?

If you have listener logging turned on, you might write a little shell
script that does a tail -f on the log and parses out the PROGRAM=
statement. Then parse out the IP address and ping flood them until
you can get your silver hammer or they complain how slow the system
is. :-O

So what is it they can do with toad that they can't do with anything
else? Sounds like you need better password control.

jg
--
@home.com is bogus.
I wuz only kidding! Honest!
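
The listener-log watch suggested above, limited to detection and alerting, as an added example that is not part of the original posts. The log layout, the sample entries and the function names `sample_log` and `watch_program` are assumptions made for illustration; PROGRAM is reported by the client, so a renamed binary will not match.

```shell
#!/bin/sh
# Constructed sample entries in the listener.log connect-record layout
# (timestamp * CONNECT_DATA * ADDRESS * event * service * code). Not real logs.
sample_log() {
cat <<'EOF'
05-MAR-2003 15:01:44 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=C:\Program Files\Quest Software\TOAD\TOAD.exe)(HOST=WS042)(USER=jdoe))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.34)(PORT=1523)) * establish * PROD * 0
05-MAR-2003 15:02:10 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=appsrv1)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.10)(PORT=40112)) * establish * PROD * 0
05-MAR-2003 15:03:00 * service_update * PROD * 0
05-MAR-2003 15:04:31 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=C:\oracle\ora81\bin\SQLPLUSW.EXE)(HOST=WS017)(USER=asmith))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.77)(PORT=2210)) * establish * PROD * 0
05-MAR-2003 15:05:02 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=D:\tools\toad.exe)(HOST=WS099)(USER=blee))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.99)(PORT=3391)) * establish * PROD * 0
EOF
}

# Reads listener.log lines on stdin and prints one ALERT line for every
# "establish" record whose client-reported program file name contains $1.
# $1 must be lowercase; the comparison is case-insensitive on the log side.
watch_program() {
  awk -F' [*] ' -v pat="$1" '
    # Value of (KEY=value) inside s, or "" when the key is absent.
    function kv(s, key,    re) {
      re = "\\(" key "=[^)]*"
      if (!match(s, re)) return ""
      return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
    }
    $4 == "establish" {
      prog = kv($2, "PROGRAM")
      # Keep only the file name: split on Windows or Unix path separators.
      n = split(prog, parts, "[\\\\/]")
      if (n > 0 && index(tolower(parts[n]), pat))
        printf "ALERT %s program=%s user=%s client=%s addr=%s\n", \
               $1, parts[n], kv($2, "USER"), kv($2, "HOST"), kv($3, "HOST")
    }'
}

# Demo on the constructed sample. For a live log, feed the function from
# tail -f on the listener log file instead of sample_log.
sample_log | watch_program toad
```

The ALERT lines can be piped to a mailer or pager; the client host, OS user and source address come from the same record, which gives the DBA something to follow up on.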

Rauf Sarwar

Mar 5, 2003, 10:32:55 PM
yon...@yahoo.com (Yong Huang) wrote in message news:<b3cb12d6.03030...@posting.google.com>...


To add to the above, serve the applications that are supposed to have
access to the database from a file server. Give users only read access
to the executables so that they cannot change the file name. Only allow
those executables via a logon trigger.... Kick everything else out.
Of course you would need to tweak it a bit if you want users with admin
rights to log on using OEM, Sqlplus etc.

Regards
/Rauf Sarwar

Telemachus

Mar 6, 2003, 4:33:28 AM
Probably the ease of browsing ... and the dictionary hits that you'd take
from the Schema Browse
"Joel Garry" <joel-...@home.com> wrote in message
news:91884734.03030...@posting.google.com...

Joel Garry

Mar 6, 2003, 5:41:06 PM
"Telemachus" <telem...@ulysseswillreturn.net> wrote in message news:<JBE9a.658$pK2....@news.indigo.ie>...

> Probably the ease of browsing ... and the dictionary hits that you'd take
> from the Schema Browse

Ya think? My experience as a DBA with developers wanting to use TOAD
in production is that they want to go in and start tweaking
application configuration data with no controls. Of course that was
in a big place where there were separate designers and developers, and
the designers would use Oracle tools to browse the schema. I can see
your point though, I've been in smaller places where I might have used
TOAD for such a purpose if I didn't write my own scripts and do
everything from command line.

"It's a masochist's wonderland!" Radio ad for local ski/snowboard
resort.
