Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Frank Nimphius talks about displaying the authenticated username in ADF UIX using EL."] [Next entry: "Oracle secalert_us have sent out emails to tell some customers about the quarterly patch schedule"]

Updates to the default password list and checker for SAP default users

First thanks to Rich Holland who emailed me yesterday to give me some updates to the default password list for the SAP accounts listed. he has corrected me on the schema owner for SAP, it should be listed as SAPR3 for older versions of SAP and also for newer versions it is actually SAP{schema name}. Also he has made me aware that the SAP user listed is an application account as is DDIC. There is also a SAP* account in the application.

I have thought about it and decided to leave the SAP application users in the list even though they should never exist as Oracle database users. The reasoning is that these usernames have been around on various lists for a few years and there is a chance that someone could have created them in the database.

So I have updated the list to correctly identify these users as application users in the descriptions. I have also added a new page to discuss the issues with SAP default users when in an Oracle context.

This has all meant changes to all the list files accessed from the default password list page and also to the check tool to include updated MS Excel spreadsheet and data install scripts. I have added a change history list to the default password list main page.

There has been 2 Comments posted on this article

November 23rd, 2004 at 10:52 pm

Pete Finnigan says:

Hi Pete, this is a valuable tool. I'm a web-app developer, beginning dba, and aspiring entrepreneur. On most of these accounts, the report says "EXPIRED AND LOCKED". Can these accounts remain in this status? or should they be removed. And with regards to DBSNMP, should/can it be deleted, or EXPIRED and LOCKED?


November 24th, 2004 at 02:46 pm

Pete Finnigan says:


Thanks for your comment. Yes they can remain as EXPIRED AND LOCKED but change the passwords from the known values anyway. Whether you can remove these accounts from the database will depend on whether you use the functionality provided by them either directly or indirectly - be careful in establishing this. Unfortunately the best time to remove functionality/features and hence default schema users is at the installation time. A lot of the Oracle default users also come with de-install scripts - unfortunately the location of these is not defined in a central list anywhere...:-(. The other option in some cases is to de-install the feature from the OUI. With 10g of course it gets better as you can choose to not install example schemas at install time; schema users needed for functionality are another matter. The DBSNMP user is needed for the Intelligent Agent. If you do not use OEM or the intelligent agent you can remove this user, again the best way is via the OUI or the de-installation script. Don't forget to remove the dbsnmp binaries (2 of them) as its SUID root.

kind regards