Oracle on UNIX
Delphix support for Oracle on UNIX requires an OS account (delphix_os) on source database servers and on target servers that will host virtual databases or files. The Delphix Engine uses SSH to send commands to this user, which performs operations on the host. Some of these commands require elevated privileges.
There is no actual requirement that the account be named delphix_os on both sources and targets. You can name the account anything you want; you can also use separate accounts on every source and target.
Restrict su - delphix_os to named Delphix admins and system administrators
Other users of the system do not need access to the delphix_os user. Your Delphix Admins and System Administrators should retain su ability to facilitate troubleshooting.
Use SSH Key exchange to allow the Delphix engine to communicate with targets
Implement public/private key exchange instead of username/password. This allows you to keep the password of delphix_os completely secret.
Put delphix_os on password rotation Rotate the delphix_os password in accordance with your enterprise security policy for application software accounts. You should either:
implement SSH Key exchange prior to placing delphix_os on password rotation, or
script CLI commands to update the password inside the engine as part of the rotation process.
Delphix Professional Services can assist you in integrating Delphix with your enterprise password rotation system.
Restrict elevated privilege commands to the lowest level needed The Delphix Engine uses elevated privileges to provide core features as well as optional features. The Delphix docs describe in detail which privileges are absolutely necessary, as well as techniques for further restricting the commands that can be used. The Delphix Engine ships with support for “sudo” as the privilege elevation system, but also allows for integration with third-party and custom centralized privilege management systems.
Delphix support for SQL Server requires two OS accounts for Windows:
delphix_src – used on the source database server
delphix_trgt – used on the servers which host Virtual Databases Both are required for the Validated Sync target
There is no actual requirement that the account is named delphix_src/delphix_trgt. You can name the account anything you want; you can also use separate accounts on every source and target. Finally, you can create a single account for use everywhere, but this is not recommended since it violates the separation of duties.
Restrict privileged commands to the lowest level needed
The Delphix user or domain account should have exactly the privileges required in the Delphix documentation. Do not grant additional privileges.
Put delphix_src and delphix_trgt on password rotation
Change the user or domain account password at regular intervals or in accordance with security policies for application software accounts. Use CLI scripts to quickly modify the password across the Delphix ecosystem. Delphix Professional Services can assist you in scripting and integrating Delphix with your enterprise password rotation system.
Use minimum privileges on your SMB share
Consult http://technet.microsoft.com/en-us/library/cc754178.aspx to understand how shared folder privileges work. Use the minimum privileges.
Use windows authentication for SQL server
SQL Server allows authentication via Windows or Mixed mode. Mixed mode allows authentication via Windows or SQL Server.
Windows authentication is more secure; it uses Kerberos security protocol, provides password policy enforcement with regard to complexity validation for strong passwords, provides support for account lockout, and supports password expiration. http://msdn.microsoft.com/en-us/library/ms144284.aspx