Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
     
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Sep 22nd, 2018, 12:39pm
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security (Moderator: Pete Finnigan)
   Default passwords		 « Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Default passwords  (Read 5370 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
 Posts: 309
Default passwords
« on: Apr 8th, 2013, 12:46pm »		 Quote | Modify
Hi,
 
I'm in favor to change default passwords EVEN if the account (dip, wmsys, etc) is locked. But an external dba says it is not necessary to change the password because the accounts are locked. I've argumented that there such an account could be unlocked (for some reason) and that that would cause a security issue. Do you have some other arguments to change default passwords of locked account?
 
regards,
 
Ivan
IP Logged
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
 Posts: 309
Re: Default passwords
« Reply #1 on: Apr 30th, 2013, 10:47am »		 Quote | Modify
Before discussing about active / inactive user accounts there is a "Enforcing Password Complexity Verification" rule that defines criterias a password have to fulfill at the time is set. This is not only internally DBA but you will see it everywhere, in OS or other databases. Before discussing about account status the password is breaking the rules. If there is some way attackers can get use of such account (i.e. because locking mechanisms not consistently checked internally but only at logon-time or because bugs/ or way to overpass protections) the accounts will be exposed just because someone ignored this minimal rule at the time of setting that account (password). This is covered by the old NIST CVE-2007-6260 and the advice was to change the default passwords not matter the context or when are set; even the accounts are locked, expired at the end of instance creation; DBCA was changed a bit in 10g but as mentioned in http://www.securityfocus.com/archive/1/483652 there is a timeframe the instance is vulnerable (could be enough for a trojan like attack) and the same, there is possible that accidentally unlocking to expose on issues. On the other hand, attacks which only require a existing valid account, not matter if active or not (in DoS) could experiment such accounts too. Please note that there is no warning back to DBA about the complexity of the password when a DBA is unlocking user accounts and theoretically there are no clues about the fact that for i.e. user apps_002 is having password identical with user name (because of privacyHuh) so a DBA is simple unlocking the user not being aware about the fact it is opening the DB for intruders. Regards, Paul B.
IP Logged
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board