RE: Windows DB best practices

  • From: "Kerber, Andrew W." <Andrew.Kerber@xxxxxxx>
  • To: wjwagman@xxxxxxxxxxx, niall.litchfield@xxxxxxxxx, andert@xxxxxxxxx
  • Date: Wed, 11 Apr 2007 15:33:59 -0500

It probably had more to do with Microsoft than with Oracle...


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of William Wagman
Sent: Wednesday, April 11, 2007 3:11 PM
To: niall.litchfield@xxxxxxxxx; andert@xxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: RE: Windows DB best practices




I had an interesting experience installing 10gR2 on Windows recently.
The box is running Windows Server 2003 R2 Enterprise Edition SP1. I was
logged in as a user which was a member of the local administrators group
and I installed the client, that is all I needed. I subsequently
encountered difficulties with the networking piece, the reason I
installed the client in the first place, which I was unable to resolve.
I opened an SR with Oracle and was told that they have seen problems
when the installation is done by a user other than the Administrator. I
uninstalled everything, connected as the administrator account and
everything worked. I don't know if this was actually the cause of the
problem or Oracle not wanting to solve the real issues but it was an
interesting situation. This is the second 10gR2 install I have done on
Windows, the other worked fine and I did that under an account that was
a member of the local administrators group. I don't know if I did
something wrong or if there is something to this but perhaps worth
keeping in mind.




Bill Wagman
Univ. of California at Davis
IET Campus Data Center
(530) 754-6208 




From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Niall Litchfield
Sent: Wednesday, April 11, 2007 11:15 AM
To: andert@xxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: Windows DB best practices

Hi Stephen,

In terms of security, what I recommend is the following - which assumes
a single Windows domain rather than workgroup or standalone server.

First create a global group (called DB Admins or similar). Assign
membership of this group to the personal accounts of your DBAs (and
no-one else - there should be no anonymous accounts in this group). 

Next, on each local machine, make the global group a member of the local
"administrators" security group. This will enable the designated DBA to
install Oracle. After the install is complete you should make the domain
group a member of the local ORA_DBA security group created by the
install, and optionally remove it from the local administrators group.

This gets you: 

1.      accountability - since everyone uses their own account. 

2.      groups used for the right things - local groups for access to
resources, global groups for privileges for users. 

I second the recommendation to make sure that you have a dedicated
server for production Oracle databases, but don't see that as a
Windows-specific thing. I've also never worked anywhere that sys admins
didn't share that view.

On 4/10/07, Stephen Andert <andert@xxxxxxxxx> wrote: 

Yes, I know the first one is "use *nix" but I am tired of fighting
about it and my boss made the decision.

The main question I have is whether to create an oracle-specific
account or just use an administrator account.  Also, any links to 
Windows best practices would be great.


Any idiot can run.
It takes a special kind of idiot to run a marathon. 

Niall Litchfield
Oracle DBA 
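
The group layout recommended in the message above can be checked per server with a small audit function. This is an added example, not part of the original thread; the function name, the CORP and DBSRV01 names and the sample membership lists are constructed placeholders, and only "DB Admins", "administrators" and ORA_DBA come from the message.

```powershell
# Added example: compare local group membership with the recommended layout.
# Live input on a server: (Get-LocalGroupMember -Group 'ORA_DBA').Name
function Test-DbaGroupLayout {
    param(
        [Parameter(Mandatory)] [string] $DbaGroup,  # domain global group of personal DBA accounts
        [string[]] $Administrators = @(),           # members of local Administrators
        [string[]] $OraDba = @(),                   # members of local ORA_DBA
        [string[]] $Expected = @(),                 # other ORA_DBA members already approved
        [switch]   $InstallComplete                 # set once the Oracle install has finished
    )
    $report = {
        param($Level, $Group, $Message)
        [pscustomobject]@{ Level = $Level; Group = $Group; Message = $Message }
    }
    if (-not $InstallComplete) {
        # Before the install, the global group must be a local administrator.
        if ($Administrators -notcontains $DbaGroup) {
            & $report 'Fail' 'Administrators' "$DbaGroup is not a member; DBAs cannot install"
        }
        return
    }
    # After the install, access should come through ORA_DBA.
    if ($OraDba -notcontains $DbaGroup) {
        & $report 'Fail' 'ORA_DBA' "$DbaGroup is not a member"
    }
    if ($Administrators -contains $DbaGroup) {
        & $report 'Info' 'Administrators' "$DbaGroup is still a member; removal is optional"
    }
    # Accounts added directly, rather than through the global group, are listed for review.
    foreach ($member in $OraDba) {
        if ($member -ne $DbaGroup -and $Expected -notcontains $member) {
            & $report 'Review' 'ORA_DBA' "$member is a direct member, not via $DbaGroup"
        }
    }
}

# Constructed sample: install finished, the global group was never added to ORA_DBA.
$findings = Test-DbaGroupLayout -DbaGroup 'CORP\DB Admins' -InstallComplete `
    -Administrators 'DBSRV01\Administrator', 'CORP\DB Admins' `
    -OraDba 'NT AUTHORITY\SYSTEM', 'CORP\jsmith' `
    -Expected 'NT AUTHORITY\SYSTEM'
$findings | Format-Table -AutoSize
```

With the sample lists this reports one Fail (the global group is missing from ORA_DBA), one Info (it is still a local administrator) and one Review (CORP\jsmith was added directly).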
