Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Nov 23rd, 2017, 7:05am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   Default passwords
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Default passwords  (Read 4924 times)
isaez
PeteFinnigan.com Junior Member
**



Ivan

   
View Profile |

Gender: male
Posts: 76
Default passwords
« on: Apr 8th, 2013, 12:46pm »
Quote | Modify

Hi,
 
I'm in favor to change default passwords EVEN if the account (dip, wmsys, etc) is locked. But an external dba says it is not necessary to change the password because the accounts are locked. I've argumented that there such an account could be unlocked (for some reason) and that that would cause a security issue. Do you have some other arguments to change default passwords of locked account?
 
regards,
 
Ivan
IP Logged

regards,

Ivan
Paul Breniuc
PeteFinnigan.com Newbie
*



I love this!

  syntheticbyte  
View Profile | WWW | Email

Gender: male
Posts: 12
Re: Default passwords
« Reply #1 on: Apr 30th, 2013, 10:47am »
Quote | Modify

Before discussing about active / inactive user accounts there is a "Enforcing Password Complexity Verification" rule that defines criterias a password have to fulfill at the time is set. This is not only internally DBA but you will see it everywhere, in OS or other databases. Before discussing about account status the password is breaking the rules. If there is some way attackers can get use of such account (i.e. because locking mechanisms not consistently checked internally but only at logon-time or because bugs/ or way to overpass protections) the accounts will be exposed just because someone ignored this minimal rule at the time of setting that account (password). This is covered by the old NIST CVE-2007-6260 and the advice was to change the default passwords not matter the context or when are set; even the accounts are locked, expired at the end of instance creation; DBCA was changed a bit in 10g but as mentioned in http://www.securityfocus.com/archive/1/483652 there is a timeframe the instance is vulnerable (could be enough for a trojan like attack) and the same, there is possible that accidentally unlocking to expose on issues. On the other hand, attacks which only require a existing valid account, not matter if active or not (in DoS) could experiment such accounts too. Please note that there is no warning back to DBA about the complexity of the password when a DBA is unlocking user accounts and theoretically there are no clues about the fact that for i.e. user apps_002 is having password identical with user name (because of privacyHuh) so a DBA is simple unlocking the user not being aware about the fact it is opening the DB for intruders. Regards, Paul B.
« Last Edit: Apr 30th, 2013, 10:48am by Paul Breniuc » IP Logged
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board