Call: +44 (0)7759 277220 Call
Forum

Welcome, Guest. Please Login.
Nov 23rd, 2024, 4:55pm
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   Disabling Oracle user accounts
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Disabling Oracle user accounts  (Read 7881 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Disabling Oracle user accounts
« on: Feb 28th, 2006, 8:19pm »
Quote | Modify

Hi Pete,
 
In our organization, we are working on some security issues and trying to secure all our Oracle databases. In such discussions, someone brought out a point saying that sys and system accounts in Oracle should be disabled and accounts which replicate them must be created. Is this possible (disabling sys and system) and if yes, how can we accomplish that. What other default Oracle user accounts should be disabled. Please let me know.
 
Thanks.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Disabling Oracle user accounts
« Reply #1 on: Mar 16th, 2006, 9:50pm »
Quote | Modify

I agree that the use of sys and system should be restricted.  I would not lock/disable these accounts.  The better solution would be a very long password phrase for both accounts. (write it down, and place it in the company safe)  This will make usage of the account difficult, but not impossible.    
 
I would also make the same recommendation for the "oracle" software owner too!  If OS authentication is enabled oracle is just as good as sys.  If you loose the oracle account password, the systems administrator can always reset it for you.
 
-Kevin Hrim
 
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Disabling Oracle user accounts
« Reply #2 on: Mar 24th, 2006, 8:42pm »
Quote | Modify

Cool
Oracle use same Unix like philosophy on identifying users. Each one get an numeric ID starting from 0 = sys. You cannot cancel something that does not exist ("phantomatic" user ID=0 in reallity does exist). Theoretically speaking sys, system (less diff. as sys) users can be renamed as for internal user IDs...(symboliques) "names" are used but as some default obfuscated packages know and use this user to connect... stop playing with serious things... external authentif., privs, roles and (transparent) encryption may be used instead. Try this!
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Disabling Oracle user accounts
« Reply #3 on: May 3rd, 2006, 11:54pm »
Quote | Modify

I think there are essentially two reasons why someone would want to do this:  1) prevent shooting oneself painfully while using SYS, and 2) since these are known accounts, bad guys have half the info they need to get into your databases.   I think a good solution would be to disable remote administration, lock SYSTEM, and create your own account (with the dba role) to use for daily administration.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Disabling Oracle user accounts
« Reply #4 on: May 4th, 2006, 8:48pm »
Quote | Modify

Hi Jim,
 
I would go further and say that you should not simply use the canned DBA role for in house administrator accounts. Design a DBA account for the purpose its is used for. How many DBA's need all the privileges offered via the DBA role regularly or even a reasonable number of them? not many.
 
It is always better to design your own roles as Oracle will one day, delete these canned roles.
 
The new "Database Vault" product looks great as it should solve some of the issues of allowing access to SYS and SYSTEM. It is possible using this product to prevent access to the data by the SYS and SYSTEM accounts.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues