Auditing Authentication & Authorization in
Banner
Presented by:
Jeff White & Timothy Hollar
From Tennessee Department of Audit
Topics
Banner overview
Authentication to Banner & 3rd Party Apps
Authorization to Banner & 3rd Party Apps
Section 1: Overview of Banner Architecture
Banner Overview
Higher Education Enterprise Resource Planning (ERP) system.
› Original vendor – SunGard Higher Ed
› Now supported by Ellucian
› Ellucian serves 2,400+ higher education institutions globally
Banner INB vs SSB
Banner INB – Internet Native Banner
› The functional user interface for accounting, human resources, and other administrative staff
Banner SSB – Self Service Banner
› The web-based interface to Banner functionality for students, plus Finance reporting functionality
Banner INB Overview
Includes multiple distinct “systems” or modules:
› Finance
› Human Resources
› Financial Aid
› Advancement
List above is not exhaustive!
Banner INB Architecture
Distributed architecture generally includes:
› Application Server
› Database Server
› Job Scheduling Server
› Web Server (Luminis)
This is not meant to be a comprehensive list – only the basics
Banner INB Architecture (diagram): Java web form in the browser → Application Server → Oracle Database
3rd Party Applications
Many available for varied purposes
Common 3rd Party Apps:
› SciQuest E-Procurement
› Touchnet U.Commerce
Authentication vs. Authorization
Authentication
The process of identifying a user – usually by a user name and password
Authorization
The function of specifying or granting access rights to resources in information systems
Section 2: Authentication to Banner & 3rd Party Applications
Banner User Accounts
When a user connects to Banner INB, that user also connects to the Oracle database.
All Banner INB accounts require individual Oracle database accounts. Banner SSB accounts do not work the same way.
Banner INB authentication & authorization use Oracle database information & processes
› Security is configured by granting privileges and roles to the user's Oracle account; the account's Oracle profile sets its password rules
User Authentication Details
Oracle uses a user name & password to identify a user
› Password verifiers (one-way hashes, not the passwords themselves) are stored in the SYS.USER$ table
Authentication requires one Oracle privilege: CREATE SESSION
Banner INB Authentication
Step 1 • Enter user name/password
Step 2 • Oracle checks credentials
Step 3 • Oracle checks privileges/security rights:
  • Default role(s)
  • Directly granted privileges
  • Privileges granted to PUBLIC (i.e. to everyone)
Banner INB Authentication: Method 1 vs. Method 2
Method 1: Direct Login
› Password policy: Oracle database password profiles
› Login to the app server directly via web browser
Method 2: Web-Facing Portal
› Password policy: directory service password policies
› Login to the Luminis web server first, then connect to the app server
Method 1: Direct Login (diagram): Banner direct login page → Oracle credentials → Banner INB
Method 1: Direct Login
Uses the internet browser and Oracle Fusion Middleware Forms Services: a Java JRE plug-in displays the Banner forms as an Oracle Java applet.
Example URL: http://APPPRD.ExampleCollege.edu:###0/forms/frmservlet?config=prod
Method 2: Web Server (Luminis) (diagram): Luminis web server login (Active Directory or LDAP credentials) → Banner direct login page (Oracle credentials) → Banner INB
Method 2: Web Server (Luminis)
Luminis web server can use a directory service for user authentication
› Login requires directory service credentials
› Possible to configure as single sign-on or as another layer of network security
Direct login via Oracle credentials may still be required!
Risks with Multiple Methods
All paths to authentication should have proper controls if both methods are used!
(Diagram: Method 1 and Method 2 both lead into Banner INB)
Oracle Password Profiles
DBA_PROFILES
› PW verify function – an “IF” function for password complexity
› V$PARAMETER includes other security settings such as SEC_CASE_SENSITIVE_LOGON (password case sensitivity)

PROFILE   RESOURCE_NAME             RESOURCE_TYPE   LIMIT
DEFAULT   FAILED_LOGIN_ATTEMPTS     PASSWORD        UNLIMITED
DEFAULT   PASSWORD_LIFE_TIME        PASSWORD        UNLIMITED
DEFAULT   PASSWORD_REUSE_TIME       PASSWORD        UNLIMITED
DEFAULT   PASSWORD_REUSE_MAX        PASSWORD        UNLIMITED
DEFAULT   PASSWORD_VERIFY_FUNCTION  PASSWORD        NULL
DEFAULT   PASSWORD_LOCK_TIME        PASSWORD        UNLIMITED
DEFAULT   PASSWORD_GRACE_TIME       PASSWORD        UNLIMITED

In this profile every password control is UNLIMITED or NULL: no lockout after failed logins, no expiry, no reuse restriction and no complexity check.
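The queries an auditor would run to pull the DBA_PROFILES data above, flag the weak settings, and pick up the instance-wide parameters the profile does not cover. This is an added example, not from the presentation; it assumes Oracle 11g and an account that can read the DBA_* and V$ views (for example one holding SELECT_CATALOG_ROLE).

```sql
-- Added audit queries; not from the presentation. Assumes Oracle 11g and an
-- account that can read the DBA_* and V$ views (e.g. SELECT_CATALOG_ROLE).

-- 1. Password limits of every profile that is assigned to at least one OPEN
--    account, with the account count, so unused profiles do not distract.
SELECT p.profile,
       p.resource_name,
       p.limit,
       u.open_accounts
  FROM dba_profiles p
  JOIN (SELECT profile, COUNT(*) AS open_accounts
          FROM dba_users
         WHERE account_status = 'OPEN'
         GROUP BY profile) u
    ON u.profile = p.profile
 WHERE p.resource_type = 'PASSWORD'
 ORDER BY p.profile, p.resource_name;

-- 2. Flag the weak values directly. Each line matches a row of the DEFAULT
--    profile listed above. PASSWORD_LOCK_TIME = UNLIMITED is deliberately NOT
--    flagged: it means "locked until a DBA unlocks", the strict case.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND (   (resource_name = 'FAILED_LOGIN_ATTEMPTS'    AND limit = 'UNLIMITED')
        OR (resource_name = 'PASSWORD_LIFE_TIME'       AND limit = 'UNLIMITED')
        OR (resource_name = 'PASSWORD_GRACE_TIME'      AND limit = 'UNLIMITED')
        OR (resource_name = 'PASSWORD_REUSE_TIME'      AND limit = 'UNLIMITED')
        OR (resource_name = 'PASSWORD_REUSE_MAX'       AND limit = 'UNLIMITED')
        OR (resource_name = 'PASSWORD_VERIFY_FUNCTION' AND limit = 'NULL'))
 ORDER BY profile, resource_name;

-- 3. Instance-wide settings that live outside the profile: case-sensitive
--    passwords (SEC_CASE_SENSITIVE_LOGON, 11g), the per-connection limit on
--    failed logins before the server drops the connection, and whether
--    failed logins are being audited at all.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('sec_case_sensitive_logon',
                'sec_max_failed_login_attempts',
                'audit_trail')
 ORDER BY name;
```

Query 1 is the one to keep for the working papers: a strict profile that no open account is assigned to provides no control, and the DEFAULT profile is what every account gets unless the DBA chose otherwise.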
Active Directory Password Policy
Active Directory User Account Control (UAC)
UAC flags on an individual account can override group policy password settings
› Codes to consider:
Value   Description
512     Enabled account
544     Enabled, password not required
66048   Enabled, password doesn't expire
66080   Enabled, password doesn't expire & not required
These values are sums of bit flags: 512 = normal account, 32 = password not required, 65536 = password never expires.
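Because userAccountControl is a bit mask, an audit test should decode the bits rather than look for the four whole values in the table, which would miss any account that also carries another flag. The following is an added example, not from the presentation. The four rows are constructed test data standing in for an AD export; in practice the export (sAMAccountName, userAccountControl) would be loaded into a table and queried the same way.

```sql
-- Added example; not from the presentation. The rows in the WITH clause are
-- constructed test data in place of an AD export. Bits used:
--   2 = ACCOUNTDISABLE, 32 = PASSWD_NOTREQD, 64 = PASSWD_CANT_CHANGE,
--   512 = NORMAL_ACCOUNT, 65536 = DONT_EXPIRE_PASSWORD.
WITH ad_users AS (
  SELECT 'jdoe'       AS sam_account_name, 512   AS user_account_control FROM dual UNION ALL
  SELECT 'svc_ban'    AS sam_account_name, 66080 AS user_account_control FROM dual UNION ALL
  SELECT 'old_adm'    AS sam_account_name, 66050 AS user_account_control FROM dual UNION ALL
  SELECT 'contractor' AS sam_account_name, 608   AS user_account_control FROM dual
)
SELECT sam_account_name,
       user_account_control,
       CASE WHEN BITAND(user_account_control, 32)    > 0 THEN 'Y' ELSE 'N' END AS pw_not_required,
       CASE WHEN BITAND(user_account_control, 65536) > 0 THEN 'Y' ELSE 'N' END AS pw_never_expires
  FROM ad_users
 WHERE BITAND(user_account_control, 2) = 0                 -- enabled accounts only
   AND (   BITAND(user_account_control, 32)    > 0
        OR BITAND(user_account_control, 65536) > 0)
 ORDER BY sam_account_name;
```

With the constructed rows the query lists svc_ban (both flags set, value 66080 from the table above) and contractor (608 = 512 + 64 + 32, password not required but not one of the listed values). jdoe carries neither flag, and old_adm (66050 = 65536 + 512 + 2) is disabled, so both drop out.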
3rd Party App Authentication
Authentication for each 3rd party application can vary.
Must inquire about how authentication & security are configured.
Also, consider network security such as Virtual Private Networks (VPN)
Examples – 3rd Party Apps
SciQuest can be synchronized with Active Directory.
› Uses AD credentials for authentication
Touchnet generally uses built-in security and authentication.
› Unique login URL for each user
› Unique Touchnet user IDs and passwords
› Touchnet has its own password controls
Take-Aways for Auditing
Look before you leap!
› Identifying relevant control points is key.
Determine the layers of network security
All Banner INB accounts can access the Oracle database directly – increases risk!
Section 3: Authorization in Banner & 3rd Party Applications
Your system administrator has determined that your current activity is providing a level of enjoyment beyond that which is allowed on company time. Your enjoyment will now be disabled. You may continue with this activity, but you may not enjoy it. See your system administrator for more information.
Banner Security
Oracle database security structures serve as “building blocks”
Oracle security configuration can either strengthen or undermine security
Banner Security Basics
Banner uses “role-based” security
Banner “Roles” = Oracle roles
› Containers for Oracle system privileges
› Can be password-protected
A Banner “Class” is used to group roles & database objects together in one container
Banner Security Basics
However, Banner objects can also be granted directly to a user outside of a class; this increases the risk of security being undermined.
(Diagram: a Banner class contains a role, carrying Oracle privileges, together with the objects it applies to)
Banner Security Basics
Banner classes are containers for role/object assignments. Example contents of one Banner class:
Role            Access Level   Banner Object/Form
BAN_DEFAULT_M   Read/Write     FOMPROF
BAN_DEFAULT_M   Read/Write     FAAINVE
BAN_DEFAULT_Q   Read Only      GSASECR
Banner Security Basics
Users are assigned to classes to streamline security management
(Diagram: several users assigned to one Banner class)
Just “Role” with it!
Oracle roles are used in two different capacities in Banner:
(1) Banner Classes – when associated with “objects” in a Banner class, for navigational security; e.g. “BAN_DEFAULT”
(2) Default Roles – an Oracle security construct that controls “default” privileges upon login; e.g. “USR_DEFAULT”
(1) Roles for Banner Classes
Banner roles for classes & navigational security:
› BAN_DEFAULT_M* – full read/write access
› BAN_DEFAULT_Q* – read-only access
*These roles are created upon Banner installation with an encrypted password that no human knows!
(2) Banner Default Roles
Banner-created default roles:
› USR_DEFAULT_M – full read/write access
› USR_DEFAULT_Q – read-only access
› USR_DEFAULT_CONNECT – ability to connect to the database/Banner only; provides no navigational access
*Note – none of these roles are password protected; more on that soon!
Role Details – Oracle System Privileges
USR_DEFAULT_M / BAN_DEFAULT_M (these privileges provide full “write” access):
› CREATE SESSION
› SELECT ANY TABLE
› EXECUTE ANY PROCEDURE
› SELECT ANY SEQUENCE
› UPDATE ANY TABLE
› SELECT ANY DICTIONARY
› DELETE ANY TABLE
› INSERT ANY TABLE
› LOCK ANY TABLE
USR_DEFAULT_Q / BAN_DEFAULT_Q (“read only” access):
› CREATE SESSION
› SELECT ANY TABLE
USR_DEFAULT_CONNECT (connect only):
› CREATE SESSION
Banner Form Authorization
Step 1 • Navigate to a Banner form
Step 2 • Banner checks for an Oracle role, e.g. BAN_DEFAULT_M
Step 3 • Banner checks for the “object”
Step 4 • Banner decrypts the Oracle role password; this “activates” the role's privileges only for that object
Step 5 • Access to the object is granted based on the role's privileges, e.g. BAN_DEFAULT_M = full read/write access
Banner Security & Default Roles
Banner security manuals recommend that all users be assigned one default role: USR_DEFAULT_CONNECT
Assigning powerful roles as “default” can create security risks
Password Protected Roles
Roles that are password protected in Oracle (11g) must be invoked at an SQL prompt, even if assigned as DEFAULT
› SET ROLE statement with the password
No user can manually invoke the BAN_DEFAULT roles because no one knows the system-generated passwords.
Banner Default Role Risks – Scenario #1
BAN_DEFAULT_M as a default role?
Low risk!
BAN_DEFAULT roles are password-protected with system-generated, encrypted passwords.
Banner Default Role Risks – Scenario #2
USR_DEFAULT_M as a user's default role?
Risky!
Grants the user full write access to everything in Banner/Oracle that is not protected within another “schema”
› A schema is “owned” by a database user & has the same name as that user.
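The two scenarios and the password-protected-role discussion above come down to three dictionary checks: whether each Banner role is actually password-protected, what privileges it carries, and which accounts have an unprotected read-all or write-all role enabled by default. This is an added example, not from the presentation; it assumes Oracle 11g hosting Banner and an account that can read the DBA_* views.

```sql
-- Added audit queries; not from the presentation. Assumes Oracle 11g hosting
-- Banner and an account that can read the DBA_* views.

-- 1. Which Banner roles are password-protected. BAN_DEFAULT_* should show
--    PASSWORD_REQUIRED = 'YES'; the USR_DEFAULT_* roles normally show 'NO'.
SELECT role, password_required
  FROM dba_roles
 WHERE role LIKE 'BAN\_DEFAULT\_%' ESCAPE '\'
    OR role LIKE 'USR\_DEFAULT\_%' ESCAPE '\'
 ORDER BY role;

-- 2. System privileges each of those roles actually carries; compare with the
--    expected lists above and treat any extra "ANY" privilege as a finding.
SELECT grantee AS role, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('BAN_DEFAULT_M', 'BAN_DEFAULT_Q',
                   'USR_DEFAULT_M', 'USR_DEFAULT_Q', 'USR_DEFAULT_CONNECT')
 ORDER BY grantee, privilege;

-- 3. Scenario #2: accounts whose DEFAULT role is an unprotected read-all or
--    write-all role. The join to DBA_USERS keeps real accounts only (role-to-
--    role grants drop out) and shows whether the account is still open.
SELECT rp.grantee,
       rp.granted_role,
       rp.default_role,
       u.account_status,
       u.profile
  FROM dba_role_privs rp
  JOIN dba_users u ON u.username = rp.grantee
 WHERE rp.granted_role IN ('USR_DEFAULT_M', 'USR_DEFAULT_Q')
   AND rp.default_role = 'YES'
 ORDER BY rp.granted_role, rp.grantee;

-- 4. Scenario #1 for contrast: even when BAN_DEFAULT_M is a default role,
--    11g does not enable a password-protected role at logon. The session
--    would have to run the statement below, and only Banner holds the
--    password, so it is shown commented out.
--    SET ROLE ban_default_m IDENTIFIED BY "<banner-generated password>";
```

Query 3 is the population for the Scenario #2 finding; query 1 is the control that makes Scenario #1 low risk, and if it ever shows a BAN_DEFAULT role with PASSWORD_REQUIRED = 'NO', the navigational security in GSASECR no longer gates those privileges.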
BANSECR & GSASECR
BANSECR = default Banner security administration account
Only BANSECR can access or execute the GSASECR (Security Maintenance) form
› “Distributed Security Administrators” can also access GSASECR
Authorization in 3rd Party Apps
Depends upon the application!
Example:
› Touchnet & SciQuest use internal security structures
Relevant Data for Audits
Obtain security data for Banner/Oracle
› Key tables include:
Table Name       Description
DBA_USERS        Listing of database accounts/status
DBA_ROLE_PRIVS   Roles granted to each database account, including whether each is a default role
GUVUACC          “Object Access by User View” = all Banner accounts, classes, objects, & roles
Obtain 3rd party app security data
› May require coordination with the vendor
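GUVUACC only shows what was granted through Banner. The grants that undermine Banner security are the ones made directly in Oracle (privileges or objects granted to a user outside any class, as noted earlier), and those only appear in the Oracle dictionary. The following is an added example, not from the presentation; it assumes Oracle 11g and read access to the DBA_* views, and the list of Banner owner schemas in query 2 is an assumption for illustration that must be replaced with the product schemas actually installed.

```sql
-- Added audit queries; not from the presentation. Assumes Oracle 11g and read
-- access to the DBA_* views. The Banner owner schema list in query 2 is an
-- assumption for illustration; substitute the product schemas installed.

-- 1. Account inventory: every Oracle account is a potential Banner INB
--    login, so pull status, profile and key dates for all of them and
--    reconcile against the HR termination list.
SELECT username, account_status, profile, created, lock_date, expiry_date
  FROM dba_users
 ORDER BY account_status, username;

-- 2. Object privileges granted straight to a user on Banner-owned objects,
--    i.e. outside any Banner class. Joining DBA_USERS drops grants to roles.
SELECT tp.grantee, tp.owner, tp.table_name, tp.privilege, tp.grantor
  FROM dba_tab_privs tp
  JOIN dba_users u ON u.username = tp.grantee
 WHERE tp.owner IN ('SATURN', 'GENERAL', 'FIMSMGR', 'PAYROLL',
                    'POSNCTL', 'TAISMGR', 'ALUMNI')   -- assumed Banner schemas
   AND tp.grantee NOT IN ('SYS', 'SYSTEM', 'BANSECR')
 ORDER BY tp.grantee, tp.owner, tp.table_name;

-- 3. "ANY" system privileges granted directly to users rather than through
--    a Banner role: these reproduce USR_DEFAULT_M without ever appearing in
--    Banner's own GUVUACC view.
SELECT sp.grantee, sp.privilege, sp.admin_option
  FROM dba_sys_privs sp
  JOIN dba_users u ON u.username = sp.grantee
 WHERE sp.privilege LIKE '% ANY %'
   AND sp.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY sp.grantee, sp.privilege;

-- 4. Who can extend access outside GSASECR: holders of DBA, or of any role
--    WITH ADMIN OPTION.
SELECT rp.grantee, rp.granted_role, rp.admin_option
  FROM dba_role_privs rp
  JOIN dba_users u ON u.username = rp.grantee
 WHERE rp.granted_role = 'DBA' OR rp.admin_option = 'YES'
 ORDER BY rp.grantee, rp.granted_role;
```

Queries 2 and 3 are the ones to compare against GUVUACC: any user they return has access that Banner's own security administration never recorded, which is exactly the “Banner security bypassed through poor Oracle database security” case from the final thoughts.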
Take-Aways for Auditing
Determine who has access to BANSECR
Evaluate accounts assigned USR_DEFAULT_M or USR_DEFAULT_Q as a default role
Evaluate users with access to make changes on other security forms, like FOMPROF (Finance Security Maintenance Form)
Take-Aways for Auditing
User authorization documentation
› Consider how the entity documents user access: by role/object or by class?
› Consider whether specific “access levels” (i.e. classes) are requested, and that requests are not for access “like” an existing user.
Take-Aways for Auditing
Periodic review/reauthorization
› Consider auditing how management monitors Banner access:
  Review of classes granted to users
  Review of terminated user access
  Review of objects granted directly to users
Final Thoughts
Banner & Oracle are “tightly coupled” – creates security enhancements & risks.
Banner security can be bypassed through poor Oracle database security
Third-party applications may require extra audit effort to understand; don’t forget about SOC/SSAE 16 Audit Reports!