How to Stop access using “/ as sysdba”
You can stop and secure your client database access by restricting the DBA’s connecting to as SYS user by using “/ as sysdba”.
In the file sqlnet.ora located in $ORACLE_HOME/network/admin folder, modify the following line:
Instead of above modify it as:
NONE for no authentication method, including windows native operating system authentication (to use windows native OS set this parameter to NTS. When it is set to ‘NONE’ a valid username and password can be used to access the database.
This will prevent the access of “/ as sysdba” when connected as the ‘oracle user (oracle owner account) but the DBA can easily modify the configuration parameter in SQLNET.ORA, if he has the required permission on the particular file.
As we know that connect / as sysdba would not use the password file and it uses OS authentication only. Thus setting the NONE requires valid OS authentication.
To avoid this change the ownership of the SQLNET.ORA file to ‘root’ or any other functional OS user, and provide a read permission to dba/oinstall group.
chown root:oinstall sqlnet.ora
chmod 640 sqlnet.ora
You can also use the parameter SQLNET.CLIENT_REGISTRATION to set a unique identifier for this client computer. The identifier is passed to the listener with any connection request and is included in the Audit Trail. The identifier can be any alphanumeric up to 128 character long.
Use the SQLNET.ALLOWED_LOGON_VERSION parameter to define the minimum Oracle Database client version that is allowed to attempt connections to Oracle database instances under the control of the given code tree.
If the client version does not meet or exceed the version defined by this parameter, then authentication fails with an ORA-28040 error.
If both Oracle8i and Oracle9i databases are present, then set the parameter as follows: