Authentication & Authorization in Banner Presented by: Jeff White & Timothy Hollar From Tennessee Department of Audit

Posted on 29-Dec-2015


Page 1: Banner overview | Authentication to Banner & 3rd Party Apps | Authorization to Banner & 3rd Party Apps

Auditing Authentication & Authorization in Banner

Presented by: Jeff White & Timothy Hollar

From Tennessee Department of Audit

Page 2

Topics

Banner overview

Authentication to Banner & 3rd Party Apps

Authorization to Banner & 3rd Party Apps

Page 3

Section 1: Overview of Banner Architecture

Page 4

Banner Overview

Higher Education Enterprise Resource Planning (ERP) system.

› Original vendor – SunGard Higher Ed
› Now supported by Ellucian
› Ellucian serves 2,400+ higher education institutions globally

Page 5

Banner INB vs SSB

Banner INB – Internet Native Banner: the functional user interface for accounting, human resources, and other administrative staff

Banner SSB – Self Service Banner: the web-based interface to Banner functionality for students & Finance reporting functionality

Page 6

Banner INB Overview

Includes multiple distinct “systems” or modules:

› Finance
› Human Resources
› Financial Aid
› Advancement

List above is not exhaustive!

Page 7

Banner INB Architecture

Distributed architecture generally includes:

› Application Server
› Database Server
› Job Scheduling Server
› Web Server (Luminis)

This is not meant to be a comprehensive list – only the basics

Page 8

Banner INB Architecture

[Diagram: JAVA Web Form (in browser) → Application Server → Oracle Database]

Page 9

3rd Party Applications

Many available for varied purposes

Common 3rd Party Apps:

› SciQuest E-Procurement

› Touchnet U.Commerce

Page 10

Authentication vs. Authorization

Authentication: the process of identifying a user – usually by a user name and password

Authorization: the function of specifying or granting access rights to resources in information systems

Page 11

Section 2: Authentication to Banner & 3rd Party Applications

Page 12

Banner User Accounts

When a user connects to Banner, that user also connects to the Oracle database

All Banner INB accounts require individual Oracle database accounts. Banner SSB accounts do not work the same way.

Banner INB authentication & authorization use Oracle database info & processes
› Security is configured by granting privileges to a User Profile in Oracle

Page 13

User Authentication Details

Oracle uses a User Name & Password to identify a user
› Stored encrypted in the SYS.USER$ table

Authentication requires one Oracle privilege: CREATE SESSION

Page 14

Banner INB Authentication

Step 1
• Enter user name/password

Step 2
• Oracle checks credentials

Step 3
• Oracle checks privileges/security rights:
  • Default Role(s)
  • Directly granted privileges
  • PUBLIC account privileges (granted to everyone)

Page 15

Method 1: Direct Login

Page 16

Banner INB Authentication

Method 1: Direct Login
› Oracle Database Password Profiles
› Login to App Server directly via web browser

VS

Method 2: Web-Facing Portal
› Directory Service Password Policies
› Login to Luminis web server first, then connect to App Server

Page 17

Banner INB

[Diagram – Method 1: Direct Login: Oracle Credentials → Banner Direct Login Page → Banner INB]

Page 18

Method 1: Direct Login

Uses the internet browser and Oracle Fusion Middleware Forms Service – a Java JRE plug-in to display the Banner Forms in an Oracle Java Applet

Example URL: http://APPPRD.ExampleCollege.edu:###0/forms/frmservlet?config=prod

Page 19

Banner INB

[Diagram – Method 2: Web Server (Luminis): Active Directory Credentials or LDAP → Luminis Web Server Login → Oracle Credentials → Banner Direct Login Page → Banner INB]

Page 20

Method 2: Web Server (Luminis)

Luminis Web Server can use a directory service for user authentication
› Login requires directory service credentials
› Possible to configure as Single Sign-On or as another layer of network security.

Direct login via Oracle credentials may still be required!

Page 21

Risks with Multiple Methods

All paths to authentication should have proper controls if both methods are used!

[Diagram: Method 1 and Method 2 both lead to Banner INB]

Page 22

Oracle Password Profiles

DBA_PROFILES

PW Verify Function
› “IF” function for password complexity

V$PARAMETER includes other security settings such as case sensitivity.

PROFILE   RESOURCE_NAME             RESOURCE_TYPE   LIMIT
DEFAULT   FAILED_LOGIN_ATTEMPTS     PASSWORD        UNLIMITED
DEFAULT   PASSWORD_LIFE_TIME        PASSWORD        UNLIMITED
DEFAULT   PASSWORD_REUSE_TIME       PASSWORD        UNLIMITED
DEFAULT   PASSWORD_REUSE_MAX        PASSWORD        UNLIMITED
DEFAULT   PASSWORD_VERIFY_FUNCTION  PASSWORD        NULL
DEFAULT   PASSWORD_LOCK_TIME        PASSWORD        UNLIMITED
DEFAULT   PASSWORD_GRACE_TIME       PASSWORD        UNLIMITED
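The DEFAULT profile on this slide has every password control switched off. As an added example (not from the presentation), the Python below evaluates a DBA_PROFILES extract against an assumed audit baseline and resolves the LIMIT value 'DEFAULT', which Oracle uses when a custom profile inherits a setting from the DEFAULT profile; that inheritance is how a profile that looks hardened can still carry the weak defaults. The DEFAULT rows mirror the slide; the BANNER_USER and APP_SVC profiles, the baseline thresholds and the verify-function name are constructed for illustration.

```python
"""Evaluate Oracle DBA_PROFILES password limits against an audit baseline.

Added example, not from the presentation: the DEFAULT rows mirror the slide;
BANNER_USER, APP_SVC and the BASELINE thresholds are constructed/assumed.
"""

# Constructed DBA_PROFILES extract: (PROFILE, RESOURCE_NAME, RESOURCE_TYPE, LIMIT)
DBA_PROFILES_ROWS = [
    # Out-of-the-box DEFAULT profile as shown on the slide: every control off.
    ("DEFAULT", "FAILED_LOGIN_ATTEMPTS", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_LIFE_TIME", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_REUSE_TIME", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_REUSE_MAX", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_VERIFY_FUNCTION", "PASSWORD", "NULL"),
    ("DEFAULT", "PASSWORD_LOCK_TIME", "PASSWORD", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_GRACE_TIME", "PASSWORD", "UNLIMITED"),
    # Hypothetical hardened profile for interactive Banner INB users.
    ("BANNER_USER", "FAILED_LOGIN_ATTEMPTS", "PASSWORD", "5"),
    ("BANNER_USER", "PASSWORD_LIFE_TIME", "PASSWORD", "90"),
    ("BANNER_USER", "PASSWORD_REUSE_TIME", "PASSWORD", "365"),
    ("BANNER_USER", "PASSWORD_REUSE_MAX", "PASSWORD", "10"),
    ("BANNER_USER", "PASSWORD_VERIFY_FUNCTION", "PASSWORD", "VERIFY_FUNCTION_11G"),
    ("BANNER_USER", "PASSWORD_LOCK_TIME", "PASSWORD", "1"),
    ("BANNER_USER", "PASSWORD_GRACE_TIME", "PASSWORD", "7"),
    # Hypothetical profile that overrides only lockout; a LIMIT of 'DEFAULT'
    # means "inherit the DEFAULT profile's value", so the weak values come along.
    ("APP_SVC", "FAILED_LOGIN_ATTEMPTS", "PASSWORD", "3"),
    ("APP_SVC", "PASSWORD_LIFE_TIME", "PASSWORD", "DEFAULT"),
    ("APP_SVC", "PASSWORD_REUSE_TIME", "PASSWORD", "DEFAULT"),
    ("APP_SVC", "PASSWORD_REUSE_MAX", "PASSWORD", "DEFAULT"),
    ("APP_SVC", "PASSWORD_VERIFY_FUNCTION", "PASSWORD", "DEFAULT"),
    ("APP_SVC", "PASSWORD_LOCK_TIME", "PASSWORD", "DEFAULT"),
    ("APP_SVC", "PASSWORD_GRACE_TIME", "PASSWORD", "DEFAULT"),
]

# Assumed baseline: ("max", n) -> limit must be <= n; ("min", n) -> >= n;
# ("set", None) -> must not be NULL.  PASSWORD_LOCK_TIME is left out on
# purpose: UNLIMITED there keeps a locked account locked until a DBA unlocks it.
BASELINE = {
    "FAILED_LOGIN_ATTEMPTS": ("max", 10),
    "PASSWORD_LIFE_TIME": ("max", 90),
    "PASSWORD_GRACE_TIME": ("max", 7),
    "PASSWORD_REUSE_TIME": ("min", 365),
    "PASSWORD_REUSE_MAX": ("min", 5),
    "PASSWORD_VERIFY_FUNCTION": ("set", None),
}


def resolve_limits(rows):
    """Build {profile: {resource: limit}} for PASSWORD resources, replacing a
    LIMIT of 'DEFAULT' with the DEFAULT profile's own value."""
    limits = {}
    for profile, resource, rtype, limit in rows:
        if rtype == "PASSWORD":
            limits.setdefault(profile, {})[resource] = limit
    default = limits.get("DEFAULT", {})
    for profile, res in limits.items():
        if profile == "DEFAULT":
            continue
        for resource, limit in res.items():
            if limit == "DEFAULT":
                res[resource] = default.get(resource, "UNLIMITED")
    return limits


def check_limit(resource, limit, kind, threshold):
    """Return a finding string for one limit, or None if it meets the baseline."""
    if kind == "set":
        if limit in (None, "", "NULL"):
            return f"{resource} is NULL: no complexity function enforced"
        return None
    if limit == "UNLIMITED":
        return f"{resource} is UNLIMITED"
    try:
        value = float(limit)  # Oracle stores day counts, possibly fractional
    except ValueError:
        return f"{resource} has unexpected limit {limit!r}"
    if kind == "max" and value > threshold:
        return f"{resource}={limit} exceeds baseline {threshold}"
    if kind == "min" and value < threshold:
        return f"{resource}={limit} is below baseline {threshold}"
    return None


def evaluate_profiles(rows, baseline=BASELINE):
    """Return {profile: [finding, ...]} (an empty list means the profile passes)."""
    report = {}
    for profile, res in resolve_limits(rows).items():
        findings = []
        for resource, (kind, threshold) in baseline.items():
            if resource in res:
                finding = check_limit(resource, res[resource], kind, threshold)
                if finding:
                    findings.append(finding)
        report[profile] = findings
    return report


if __name__ == "__main__":
    for profile, findings in evaluate_profiles(DBA_PROFILES_ROWS).items():
        print(profile, "PASS" if not findings else "")
        for f in findings:
            print("   -", f)
```

Running it reports six findings for DEFAULT, five for APP_SVC (only its lockout override passes) and none for BANNER_USER. The same check should be repeated per profile actually assigned to Banner INB accounts, since DBA_USERS records which profile each account uses.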

Page 23

Active Directory Password Policy

Page 24

Active Directory User Account Control (UAC)

UAC can override other group policy settings
› Codes to consider:

Value   Description
512     Enabled Account
544     Enabled, Password Not Required
66048   Enabled, Password Doesn’t Expire
66080   Enabled, Password Doesn’t Expire & Not Required

Page 25

3rd Party App Authentication

Authentication for each 3rd party application can vary.

Must inquire about how authentication & security are configured.

Also, consider network security such as Virtual Private Networks (VPN)

Page 26

Examples – 3rd Party Apps

SciQuest can be synchronized with Active Directory.
› Uses AD credentials for authentication

Touchnet generally uses built-in security and authentication.
› Unique login URL for each user
› Unique Touchnet user IDs and passwords
› Touchnet has its own password controls

Page 27

Take-Aways for Auditing

Look before you leap!
› Identifying relevant control points is key.

Determine the layers of network security

All Banner INB accounts can access the Oracle database directly – increases risk!

Page 28

Section 3: Authorization in Banner & 3rd Party Applications

Your system administrator has determined that your current activity is providing a level of enjoyment beyond that which is allowed on company time. Your enjoyment will now be disabled. You may continue with this activity, but you may not enjoy it. See your system administrator for more information.

Page 29

Banner Security

Oracle database security structures serve as “building blocks”

Oracle security configuration can either strengthen or undermine security

Page 30

Banner Security Basics

Banner uses “Role-based” security

Banner “Roles” = Oracle Roles
› Containers for Oracle system privileges
› Can be password-protected

A Banner “Class” is used to group Roles & database objects together in one container

Page 31

Banner Security Basics

However, Banner objects can also be directly granted outside of a class; this increases the risk of security being undermined.

[Diagram: Banner CLASS containing Role (Oracle Privs.) and OBJECTS]

Page 32

Banner Security Basics

BANNER CLASS
Role           Access Level   Banner Object/Form
BAN_DEFAULT_M  Read/Write     FOMPROF
BAN_DEFAULT_M  Read/Write     FAAINVE
BAN_DEFAULT_Q  Read Only      GSASECR

Banner Classes are containers for Role/Object assignments

Page 33

Banner Security Basics

Users are assigned to Classes to streamline security management

[Diagram: several Users → one Banner Class]

Page 34

Just “Role” with it!

Oracle roles are used in two different capacities in Banner:

(1) Banner Classes – when associated with “objects” in a Banner Class; for navigational security; e.g. “BAN_DEFAULT”

(2) Default Roles – controls “default” privileges upon login; Oracle security construct; e.g. “USR_DEFAULT”

Page 35

(1) Roles for Banner Classes

Banner roles for Classes & Navigational Security:
› BAN_DEFAULT_M* – Full read/write access
› BAN_DEFAULT_Q* – Read-only access

*These roles are created upon Banner installation with an encrypted password that no human knows!

Page 36

(2) Banner Default Roles

Banner-created Default Roles
› USR_DEFAULT_M – Full read/write access
› USR_DEFAULT_Q – Read-only access
› USR_DEFAULT_CONNECT – Ability to connect to the database/Banner only; provides no navigational access

*Note – none of these roles are password protected; more on that soon!

Page 37

Role Details – Oracle System Privileges

USR/BAN_DEFAULT_M: CREATE SESSION, SELECT ANY TABLE, EXECUTE ANY PROCEDURE, SELECT ANY SEQUENCE, UPDATE ANY TABLE, SELECT ANY DICTIONARY, DELETE ANY TABLE, INSERT ANY TABLE, LOCK ANY TABLE
› These privileges provide full “write” access.

USR/BAN_DEFAULT_Q: CREATE SESSION, SELECT ANY TABLE
› “Read only” access

USR_DEFAULT_CONNECT: CREATE SESSION
› Connect only

Page 38

Banner Form Authorization

Step 1
• Navigate to a Banner form

Step 2
• Banner checks for an Oracle role
  • E.g. BAN_DEFAULT_M

Step 3
• Banner checks for the “object”

Step 4
• Banner decrypts the Oracle role password
  • This “activates” the role’s privileges only for that object

Step 5
• Access to object granted based on the role’s privileges
  • E.g. BAN_DEFAULT_M = full read/write access

Page 39

Banner Security & Default Roles

Banner security manuals recommend that all users be assigned one Default Role
› USR_DEFAULT_CONNECT

Assigning powerful roles as “Default” can create security risks

Page 40

Password Protected Roles

Roles that are Password Protected in Oracle (11g) must be invoked at an SQL prompt, even if assigned as DEFAULT
› SET ROLE statement with the password

No user can manually invoke the BAN_DEFAULT roles because no one knows the system-generated passwords.

Page 41

Banner Default Role Risks – Scenario #1

BAN_DEFAULT_M as a Default Role?

Low Risk!

BAN_DEFAULT roles are password-protected w/ system-generated, encrypted passwords.

Page 42

Banner Default Role Risks – Scenario #2

USR_DEFAULT_M as a user’s default role?

Risky!

Grants the user full write access to everything in Banner/Oracle that is not protected within another “schema”
› A Schema is “owned” by a database user & has the same name as that user.

Page 43

BANSECR & GSASECR

BANSECR = default Banner security administration account

Only BANSECR can access or execute the GSASECR (Security Maintenance) form
› “Distributed Security Administrators” can also access GSASECR

Page 44

Authorization in 3rd Party Apps

Depends upon the application!

Example:
› Touchnet & SciQuest use internal security structure

Page 45

Relevant Data for Audits

Obtain security data for Banner/Oracle
› Key Tables Include:

Table Name      Description
DBA_USERS       Listing of Database Accounts/Status
DBA_ROLE_PRIVS  All database accounts/default roles
GUVUACC         “Object Access by User View” = All Banner Accounts, Classes, Objects, & Roles

Obtain 3rd Party App security data
› May require coordination with the vendor
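The three sources on this slide are enough to test the authorization points raised earlier: USR_DEFAULT_M or _Q assigned as a default role (Scenarios #1 and #2 on pages 41 and 42), objects granted to a user directly rather than through a class (page 31), and who beyond BANSECR can reach GSASECR or FOMPROF (page 43 and the take-aways that follow). The Python below is an added example, not from the presentation or from Ellucian: it runs those checks over constructed extracts shaped like DBA_USERS, DBA_ROLE_PRIVS and GUVUACC. The (user, class, object, role) column layout used for GUVUACC, the class names and all account names are assumptions for the example; confirm the real view's columns before adapting it.

```python
"""Audit checks over Banner/Oracle security extracts: risky default roles,
objects granted outside a class, and who can reach the security forms.

Added example, not from the presentation or Ellucian.  The rows are
constructed to resemble DBA_USERS, DBA_ROLE_PRIVS and the Banner GUVUACC
view; the (user, class, object, role) layout used for GUVUACC is an
assumption for this example, not the view's documented columns.
"""

# Constructed DBA_USERS extract: (USERNAME, ACCOUNT_STATUS)
DBA_USERS = [
    ("BANSECR", "OPEN"),
    ("JDOE", "OPEN"),
    ("ASMITH", "OPEN"),
    ("BATCHSVC", "OPEN"),
    ("OLDUSER", "LOCKED"),
]

# Constructed DBA_ROLE_PRIVS extract: (GRANTEE, GRANTED_ROLE, DEFAULT_ROLE)
DBA_ROLE_PRIVS = [
    ("BANSECR", "USR_DEFAULT_CONNECT", "YES"),
    ("JDOE", "USR_DEFAULT_CONNECT", "YES"),
    ("JDOE", "BAN_DEFAULT_M", "YES"),      # low risk: password-protected role
    ("ASMITH", "USR_DEFAULT_M", "YES"),    # full write to every unprotected schema
    ("BATCHSVC", "USR_DEFAULT_Q", "YES"),  # SELECT ANY TABLE active at login
    ("OLDUSER", "USR_DEFAULT_M", "YES"),   # locked today, still worth reporting
]

# Constructed GUVUACC-style extract: (USERNAME, CLASS, OBJECT, ROLE).
# CLASS None means the object was granted to the user directly, outside a class.
GUVUACC = [
    ("JDOE", "FIN_AP_CLASS", "FAAINVE", "BAN_DEFAULT_M"),
    ("ASMITH", "FIN_AP_CLASS", "FAAINVE", "BAN_DEFAULT_Q"),
    ("ASMITH", None, "FOMPROF", "BAN_DEFAULT_M"),
    ("BANSECR", "SEC_ADMIN_CLASS", "GSASECR", "BAN_DEFAULT_M"),
    ("BATCHSVC", None, "GSASECR", "BAN_DEFAULT_Q"),
]

# Severity of the USR_DEFAULT roles when enabled at login, per the slides.
# BAN_DEFAULT_* roles are not listed: they are password-protected, so Banner
# alone can activate them and they are low risk even as default roles.
DEFAULT_ROLE_SEVERITY = {"USR_DEFAULT_M": "HIGH", "USR_DEFAULT_Q": "MEDIUM"}

# Security maintenance forms named in the presentation.
SECURITY_FORMS = ("GSASECR", "FOMPROF")


def default_role_findings(role_privs, users):
    """Return [(grantee, role, severity, account_status)] for accounts whose
    default role grants privileges at login instead of only CREATE SESSION."""
    status = dict(users)
    findings = []
    for grantee, role, is_default in role_privs:
        severity = DEFAULT_ROLE_SEVERITY.get(role)
        if is_default == "YES" and severity:
            findings.append((grantee, role, severity, status.get(grantee, "UNKNOWN")))
    return findings


def direct_object_grants(guvuacc):
    """Return [(user, object, role)] for objects granted outside any class."""
    return [(user, obj, role) for user, cls, obj, role in guvuacc if cls is None]


def security_form_access(guvuacc):
    """Return {form: [users...]} for the security maintenance forms."""
    access = {form: [] for form in SECURITY_FORMS}
    for user, _cls, obj, _role in guvuacc:
        if obj in access and user not in access[obj]:
            access[obj].append(user)
    return access


def audit_report(users=DBA_USERS, role_privs=DBA_ROLE_PRIVS, guvuacc=GUVUACC):
    """Combine the checks into one dict an auditor can review or export."""
    access = security_form_access(guvuacc)
    return {
        "default_roles": default_role_findings(role_privs, users),
        "direct_grants": direct_object_grants(guvuacc),
        "security_form_access": access,
        # Anyone other than BANSECR on GSASECR must be a known distributed
        # security administrator; otherwise it is a finding.
        "gsasecr_non_bansecr": [u for u in access["GSASECR"] if u != "BANSECR"],
    }


if __name__ == "__main__":
    for section, rows in audit_report().items():
        print(section)
        print("   ", rows)
```

On the constructed data the report shows ASMITH and OLDUSER with USR_DEFAULT_M as a default role, BATCHSVC with USR_DEFAULT_Q, two direct grants (ASMITH on FOMPROF, BATCHSVC on GSASECR), and BATCHSVC as a non-BANSECR account reaching GSASECR. JDOE's BAN_DEFAULT_M default role is intentionally not reported, matching the low-risk verdict on the Scenario #1 slide.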

Page 46

Take-Aways for Auditing

Determine who has access to BANSECR

Evaluate accounts assigned USR_DEFAULT_M or _Q as a Default Role

Evaluate users with access to make changes on other security forms like FOMPROF, Finance Security Maintenance Form

Page 47

Take-Aways for Auditing

User Authorization Documentation
› Consider how the entity documents user access: By Role/Object or by Class?
› Consider whether specific “access levels” (i.e. classes) are requested and that requests are not for access “like” an existing user.

Page 48

Take-Aways for Auditing

Periodic Review/Reauthorization
› Consider auditing how management monitors Banner access:
  • Review of classes granted to users
  • Review of terminated user access
  • Review of objects granted directly to users

Page 49

Final Thoughts

Banner & Oracle are “tightly coupled” – creates security enhancements & risks.

Banner security can be bypassed through poor Oracle database security

Third-party applications may require extra audit effort to understand; don’t forget about SOC/SSAE 16 Audit Reports!

Page 50

That’s All Folks!

Questions?

Jeff White – [email protected]

Timothy Hollar – [email protected]