Opus

What’s Oracle?

Oracle is a product from Oracle Corporation that provides a relational database management system. Oracle’s database, known simply as Oracle, is a multi-model relational database management system designed mainly for enterprise grid computing and data warehousing. It is one of the first choices for enterprises seeking cost-effective solutions for their applications and data management. It supports SQL as the query language for interacting with the database.

Now let’s discuss how to use Oracle in the FDU environment.

Accessing Oracle

FDU provides Oracle access to students and faculty on the Opus server. The Oracle environment is provided to support coursework and skill development.

Opus users are automatically granted access to Oracle after their first successful login (it may take up to six hours before access is available).

If you do not already have Opus access you will need to request access by selecting “Opus (Linux) Request” on the FDU Forms site:

Access to the Opus server is restricted to FDU networks only. If you are off campus and would like to access Opus for your Oracle work you will need to use FDU’s Virtual Private Network (VPN).

You will need to use SSH to connect to the Opus server:

The Oracle Database is accessed using the SQL Plus utility, which has a command-line interface. To start using SQL Plus simply type “sqlplus /” on the Opus command line.

Interactive use can then start by entering a SQL statement (terminated by a semicolon), a PL/SQL block, or another command. For example:

SQL> select 'Hello world' as example from dual;

EXAMPLE
--------------------------------
Hello world

Revision Date: 10/1/2016
Original Date: 03/1/2016

With so many threats to your online data, it has never been more important to have a thorough understanding of password security protocols. Towards this end, FDU IT strongly recommends that you familiarize yourself with the information outlined in our Password Policy. You will not only gain an understanding of your responsibilities as a member of our community, but you will also learn helpful tips for password selection and insight into our password construction rules and password change frequency.

I. Overview

1.1 Purpose of Policy

Passwords are an important part of Fairleigh Dickinson University’s [herein after referred to as FDU’s] efforts to protect its technology systems and information assets by ensuring that only approved individuals can access these systems and assets.

FDU recognizes that passwords have serious weaknesses as an access control. For some higher-risk systems, other approved authentication methods that provide higher levels of trust and accountability may be used.

Since most of FDU’s systems continue to rely on passwords alone, this policy is designed to address their weaknesses by establishing best practices for the composition, lifetime and general usage of passwords.

1.2 People Affected

All members of FDU’s student, faculty and staff population as well as all contractors and temporary staff who are approved to access the University’s network and systems.

1.3 People Responsible

The Chief Information Security Officer in consultation with the Data Security Incident Response Team shall be responsible for implementing, changing, enforcing and communicating this policy.

1.4 Structure of Policy

  • Policy schema
  • End users’ responsibilities
  • Help desk operators’ responsibilities
  • System developers’ and administrators’ responsibilities

1.5 Enforcement

This policy will be enforced by technical controls wherever feasible; otherwise, this policy will be enforced by line management.

All members of FDU’s faculty and staff have a responsibility to promptly report any known instances of noncompliance to the CISO.

1.6 Consequences of Noncompliance

Failure to comply with this policy can result in disciplinary action as set out in FDU’s Written Information Security Policy [herein after referred to as WISP].

1.7 Language

In the Responsibilities sections of this policy (3, 4 and 5), the keywords “must,” “must not,” “should,” “should not” and “may” are to be interpreted as follows:

  • “Must” and “must not” mean that compliance with the policy statement is mandatory.
  • “Should” and “should not” mean that compliance with the policy statement is strongly recommended. While these recommendations are not required if technical, operational or business issues make them infeasible, supporting rationale may be requested when audit or compliance review findings cite those responsible for noncompliance.
  • “May” means that compliance with the policy statement is recommended but optional.

II. Policy Schema

2.1 Password Confidentiality

A password can provide effective authentication if and only if it is known only to the individual user. End users will ensure the confidentiality of their passwords at all times. System developers and administrators will ensure that whenever technically possible, systems do not store passwords in clear text.

Administrative processes may necessitate temporary exceptions to this principle, but these will be kept to an absolute minimum.

2.2 Password Construction

Password length and complexity requirements provide resistance to common kinds of attacks. Because of technology constraints, password construction rules may vary from one system to another, but they will meet (or exceed) these requirements wherever possible.

FDU recognizes that long and complex passwords may be difficult for users to remember, and thus, this policy provides guidance to end users on how to construct a memorable password that meets (or exceeds) these requirements.

2.2.1 Password Construction Rules

A password will be made up of:

  • Eight (8) or more characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one digit (0 through 9)
  • At least one special character ($, @, # and so on)

A password will not include a single instance of a dictionary word.

Note: The above rule is enforceable only on some systems.

A password will not include:

  • The user’s user ID or email address
  • The name of a group the user account belongs to

A password should not contain anything that is meaningful to the user, such as a name (either real or fictional), a date (such as family birthdays and anniversaries), telephone numbers, postal codes and car registration numbers.

Note: The above is not enforceable on any system.

Additionally, the University is utilizing modeling software that prohibits the use of passwords that are commonly used or appear on compromised lists. Even if a password meets the construction rules, it may be rejected, requiring the user to modify the password until it is accepted.

2.3 Password Change and Reuse

Users will be forced to change their passwords periodically in order to minimize the window of opportunity for an attacker who has discovered a user’s password.

A user’s new password will be completely different from any recently used password.

A user will be free to choose a new password at any time. However, performing multiple changes in quick succession to enable continued use of a recently used password will be prohibited.

2.3.1 Password Change and Reuse Rules

A user will change his or her password every 84-90 days depending on the system.

  • Datatel/Ellucian password life is set at 84 days
  • Alpha password life is set at 84 days
  • Windows Desktop/Office365/NetID password life is set at 90 days
  • Others not specifically identified shall be 90 days

Note: The above rule may not be enforceable on all systems.

A user’s password will be different from his or her previous (X) passwords as follows:

  • Datatel/Ellucian: 5
  • Alpha: 5
  • Windows Desktop/Office 365 and NetID: 10
  • Others not specifically identified shall be 10

Note: The above rule is only enforceable on some systems.

2.4 Password Entry

Whenever technically possible, the password field in a login panel will be configured to mask the password entered by a user to minimize the risk of opportunistic observation by another.

A system will allow multiple successive login attempts (“grace logins”). If the password is not correct on the last allowed attempt, the user’s account will be suspended, and the user will have to contact the University Technical Assistance Center (UTAC) and open a ticket to resume the account and, if necessary, reset the password.

2.4.1 Password Entry Rules

A system will allow between 5 and 10 failed login attempts as noted below:

  • Datatel/Ellucian: 5
  • Alpha: 5
  • Windows Desktop/Office 365/NetID: 10
  • Others not specifically identified shall be 10

Note: This rule is enforceable on only some systems.

2.5 Password Storage

Whenever technically possible, a system will not hold passwords in clear text; it will use an approved irreversible cryptographic transform to protect its users’ passwords.

A system that stores users’ passwords for other systems, and brokers those passwords to those systems on behalf of the user, will use an approved (reversible) encryption algorithm.

III. End Users’ Responsibilities

If you are an end user of FDU’s systems, you have the following responsibilities regarding the password you use on any of FDU’s systems. (See 1.7 Language section for the meanings of the terms in bold type.)

These responsibilities apply even if the system does not enforce any specified rules:

a)  You must keep your password confidential at all times.

b)  You must not disclose your password to anyone, including FDU’s management and technical support staff, even if they demand it. If this happens, you must escalate to the CISO immediately.

c)  You should not use any password that you use on any FDU systems on any external system (including Internet banking and social networking services).

d)  You should not write down your password.

e)  You should not use the “remember password” feature in any Web browser.

f)  You must only use a “password keeper” or “password wallet” software or service that has been approved by policy or otherwise in writing by the CISO.

g)  You must choose a password that meets or exceeds the length and complexity requirements set out in 2.2.1 Password Construction Rules section. This is your responsibility even if these rules are not enforced by a particular system. Sometimes, technical restrictions on a system do not allow you to choose a password that meets these requirements. Such systems are enumerated in Schedule [X], along with the password construction rules that apply.

h)  You should choose a password that meets or exceeds the other requirements set out in 2.2.1 Password Construction Rules section. A help desk operator, system administrator or other user should never ask you to choose a password that doesn’t meet requirements (g) and (h). If this happens, you must escalate to the CISO immediately. Further, if any help desk operator asks you to change your password on a portal that does not use an HTTPS website with an SSL lock, you should escalate to the CISO immediately.

The following rules, (i) to (l), are enforced on most systems. If the rules are not enforced by the system, you are still expected to comply.

i)  You must change your password at least every 90 days. There is no need to access a rarely used system just to change an old password. Most systems will automatically expire the password after 90 days, and you will be prompted to change the password when you next log in.

j)  You should not use any of your previous six (5) passwords.

k)  You should choose a new password that has no more than four (4) characters in a row in common with your current password. For example, if your password is “anTelope1,” a new password of “anTelope2” is not acceptable, but “anTecede1” is.

l)  You should not change your password more than twice in any three (3) days.

Tips for Choosing a Good Password (Advisory)

The length and complexity requirements may appear to make it hard to choose a password that is easy to remember, but it can be pretty straightforward to do so.

A password that meets the minimum length requirement must be rather complex. You can readily construct such a password from the initial letters of a favorite quotation, song lyric, poem and so on, capitalizing some letters, and substituting a number or special character in an appropriate place.

For example:

  • Ww1dwysm — What would I do without your smart mouth?
  • Itwbtd2A — In the week before their departure to Arrakis.

A “very long” password can be relatively simpler. Choose three simple words, capitalizing some letters, and link them with a number or special character.

For example:

  • gorilla8banana@SanDiego

IV. Help Desk Operators’ Responsibilities

If you are an FDU IT technician or a system administrator providing support normally done by the help desk, you have the following responsibilities regarding users’ passwords on any of FDU’s systems that you support. (See 1.7 Language section for the meanings of the terms in bold type.)

a)  When a user asks you to reset his or her password, you must corroborate the user’s claimed identity in line with approved procedures in Appendix A.

b)  You must not disclose a user’s new password to anyone other than the user himself or herself.

c)  You must not write down a user’s new password.

d)  You must not send any new password to a user electronically.

e)  You must not ask any user to tell you his or her password.

V. System Developers’ and Administrators’ Responsibilities

If you are a system developer or system administrator, you have the following responsibilities regarding the passwords used on any of FDU’s systems that you own, develop or maintain. (See 1.7 Language section for the meanings of the terms in bold type.)

If compliance with (a), (c), (g), (h), (i), (j) or (k) is not technically feasible because of system constraints, contact the CISO to agree on and document the exception.

a)  You must configure each system to require that any user’s password meets the length and complexity requirements set out in 2.2.1 Password Construction Rules section.

b)  You should configure each system to require that any user’s password meets as many of the other requirements set out in 2.2.1 Password Construction Rules section as are technically feasible.

c)  You must configure each system to force a user to change his or her password every 90 days.

d)  You should configure each system to prohibit a user from using any of his or her previous five (5) passwords.

e)  You should configure each system to prohibit a user from choosing a new password that has more than four (4) characters in a row in common with his or her current password.

f)  You should configure each system to prohibit a user from changing his or her password more than twice in any three (3) days.

g)  You must configure the password field in a login panel to mask the password entered by a user to minimize the risk of opportunistic observation by another.

h)  You must configure each system to allow 5 successive login attempts (“grace logins”). If the password is not correct on the 5th attempt, the system must suspend the user’s account such that the user will have to contact an administrator to resume the account and, if necessary, reset the password.

i)  Passwords must be implemented in the strongest form that the system supports and that supports the intended business function. You should implement a cryptographic transform to protect the passwords of the users on each system.
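One way a system developer could enforce the mandatory construction rules of 2.2.1 together with items (d) and (e) above, shown as an added example that is not FDU's own code. The function names, the reading of "special character" as any non-alphanumeric character, case-insensitive matching of the user ID, email and group names, and PBKDF2 as the cryptographic transform are assumptions; the dictionary-word and compromised-list checks are not covered.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8           # 2.2.1: eight (8) or more characters
MAX_SHARED_RUN = 4       # items (e)/(k): at most four characters in a row in common
PBKDF2_ROUNDS = 200_000  # assumption: the policy names no specific transform


def construction_violations(password, user_id="", email="", groups=()):
    """Return the 2.2.1 rules a candidate password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in "0123456789" for c in password):
        problems.append("no digit")
    # Assumption: "special character" means anything that is not a letter or digit.
    if all(c.isalnum() for c in password):
        problems.append("no special character")
    # Assumption: the user ID / email / group checks ignore case.
    lowered = password.lower()
    for label, value in [("user ID", user_id), ("email address", email)] + [
        ("group name", g) for g in groups
    ]:
        if value and value.lower() in lowered:
            problems.append(f"contains the {label}")
    return problems


def longest_shared_run(old, new):
    """Length of the longest run of consecutive characters common to both."""
    best = 0
    prev = [0] * (len(new) + 1)
    for ch_old in old:
        row = [0] * (len(new) + 1)
        for j, ch_new in enumerate(new, start=1):
            if ch_old == ch_new:
                row[j] = prev[j - 1] + 1
                best = max(best, row[j])
        prev = row
    return best


def hash_password(password, salt=None):
    """Salted PBKDF2 record, standing in for the 'approved' transform of 2.5."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reuses_history(password, history):
    """True if the candidate equals any stored (salt, digest) history entry."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_change(current, new, history, **identity):
    """All reasons to refuse a password change; `current` is what the user typed."""
    problems = construction_violations(new, **identity)
    # Only the typed current password can be compared character by character;
    # older passwords exist only as hashes, so they get an exact-match test.
    if longest_shared_run(current, new) > MAX_SHARED_RUN:
        problems.append("more than 4 characters in a row shared with current password")
    if reuses_history(new, history):
        problems.append("matches a recently used password")
    return problems
```

Because stored passwords are irreversible hashes, the four-in-a-row comparison is only possible against the current password that the user supplies during the change; the history check can detect exact reuse only.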

5.1 Requirements for Third-Party Systems

All mandatory requirements noted in this section (that is, those denoted by “must” or “must not”) constitute part of the minimum security specification for third-party system software that FDU acquires and implements. That is, it is essential that system software enables system developers and administrators to fulfill these responsibilities.

If a third-party system cannot meet the minimum security specification, contact the CISO to agree on and document the exception.

All optional requirements noted in this section (that is, those denoted by “should” or “should not”) constitute desirable features of third-party system software.



Use SFTP or SCP to Upload Files to a FDU Linux Server


What’s SFTP and SCP?

Secure File Transfer Protocol (SFTP) is a file protocol for transferring large files over the web. It builds on the File Transfer Protocol (FTP) and includes Secure Shell (SSH) security components. This term is also known as Secure Shell (SSH) File Transfer Protocol. Secure copy protocol (SCP) is another method to securely transfer files between your local PC and a remote host or between two remote hosts. It is also based on the Secure Shell (SSH) protocol.

Linux / Mac

If you are running a Linux or Mac computer, SFTP and SCP clients are already installed, so you don’t need to download anything on those operating systems. You can open a terminal window and run either of the commands below to connect to a remote Linux server.

sftp username@opus.fdu.edu

or

scp filename username@132.238.2.116:

Windows

Option 1 (Recommended): Use WinSCP

You will need to download and install WinSCP:

  1. Launch the WinSCP program
  2. In the login window, click “New Site”
  3. Fill out the information as follows:
    • Host name: Enter opus.fdu.edu
    • User name: (username on FDU Linux servers will be the part of your FDU NetID to the left of the @ sign)
  4. Click “Advanced…”
    • Select “Environment > SFTP” and enable “Allow SCP fallback”
  5. Click “OK”
  6. Click “Save”, enter a name for the connection, and click “OK”
  7. In the WinSCP login window, select the connection name and click “Login”

Option 2:

Install Putty, which also includes PSCP (SCP for Windows) and SFTP (SFTP for Windows):

Please select the latest version of MSI (‘Windows Installer’) for your computer (32-bit or 64-bit)

Optionally, you may choose to download only “pscp.exe” (SCP for Windows) or “psftp.exe” (SFTP for Windows) and copy it into the folder where you need to use it.

Once you have installed your program of choice, you’ll be able to launch each command from the Command Line of Windows.

pscp -P 22 filename username@opus.fdu.edu:
psftp username@opus.fdu.edu

Note

You may need to accept the server’s host key the first time you connect to the Linux server.


Accessing the Opus server

The Opus server can be accessed using secure transport protocols such as SSH and SFTP. Access is only allowed from campus networks. All off-campus users will need to use FDU’s Virtual Private Network (VPN) to access the Opus server.

What’s SSH?

SSH stands for Secure Shell, which was invented in 1995 to replace the insecure Telnet (Telecommunication Network). It’s now the primary way for system administrators to securely log into remote Linux servers over the public Internet. Although it looks and acts the same as Telnet, all communications over the SSH protocol are encrypted to prevent packet sniffing.

Linux / Mac

If you are running a Linux or Mac computer, an SSH client is installed by default. You can open a terminal window and run the ssh command as shown below to connect to a remote Linux server.

ssh username@opus.fdu.edu

or

ssh username@132.238.2.116

Now let’s discuss how to use SSH on Windows.

Windows

Method 1: Windows 10’s Built-in SSH Client

The Microsoft PowerShell team decided to port OpenSSH (both the client and the server) to Windows in 2015. It finally arrived in Windows 10’s Fall Creator Update in 2017 and is enabled by default in the April 2018 Update.

To use the OpenSSH client on Windows 10, simply open a PowerShell window or a command prompt window and run the ssh command. For example, if I want to connect to the Opus Linux server on the FDU network, I would run

ssh username@opus.fdu.edu

The username on FDU Linux servers will be the part of your FDU NetID to the left of the @ sign (username@fdu.edu becomes just username), and opus.fdu.edu is the name of the Linux server you want to access (the IP address of the Linux server can also be used). The first time you connect to a Linux computer, you will be prompted to accept the host key. Then enter your password to log in. After login, you can run Linux commands to do tasks.

Note

If you want to paste a password into the PowerShell window, you need to right-click the mouse and press Enter.

To log out from the Linux box, run the “exit” command or press “Ctrl+D“.

The default font size in PowerShell Window is very small. To change it, right-click the titlebar and select properties, then you can change the font size, and the background color.

Method 2: Use SSH in Windows Subsystem for Linux

Windows Subsystem for Linux (WSL) enables you to run native Linux command-line tools directly on Windows 10. If you are a system administrator, WSL is probably an overkill for just using SSH because it would install and run a Linux distro (without graphical user interface) on your Windows 10 desktop. WSL is created for web developers or those who need to work on open-source projects. You can use not only SSH but also other Linux command line tools (Bash, sed, awk, etc).

Open the Microsoft Store and enter “WSL” in the search box. Select Run Linux on Windows and install a Linux distro of your choice.

For example, I choose “Ubuntu” and click the “Get” button to install it.

Once your Linux distro is installed, open the Control Panel and select Programs => Turn Windows features on or off. Tick on the checkbox of Windows Subsystem for Linux to enable this feature. (You may need to reboot your Windows PC for this change to take effect.)

Next, you can launch the Linux distro from the Start menu by searching for the distro’s name. The first time you launch it, you need to create a user and set a password.

After that, you can use the ssh command as shown below to connect to a Linux server or PC that runs an SSH server.

ssh username@opus.fdu.edu

Method 3: Use Putty

Putty was a well-known SSH client, and the most popular one on Windows, before the arrival of the Windows OpenSSH client and Windows Subsystem for Linux. To use SSH with Putty, you need to download the Putty program from the official website and install it.

Launch Putty from the Start menu. Then enter the IP address or hostname of the Linux box and click the Open button to connect to it.

Accept the host key and you will be prompted to enter the username and password.

Tip

When you type in your password, the cursor doesn’t move, but it’s actually accepting your password. To paste text into Putty, first press Ctrl+C to copy the text, then go to Putty window and press the right-button of your mouse.
