Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Disabling Oracle user accounts
(Message started by: Pete Finnigan on Feb 28th, 2006, 8:19pm)

Title: Disabling Oracle user accounts
Post by Pete Finnigan on Feb 28th, 2006, 8:19pm
Hi Pete,

In our organization, we are working on some security issues and trying to secure all our Oracle databases. In such discussions, someone brought out a point saying that sys and system accounts in Oracle should be disabled and accounts which replicate them must be created. Is this possible (disabling sys and system) and if yes, how can we accomplish that. What other default Oracle user accounts should be disabled. Please let me know.

Thanks.

Title: Re: Disabling Oracle user accounts
Post by Pete Finnigan on Mar 16th, 2006, 9:50pm
I agree that the use of sys and system should be restricted.  I would not lock/disable these accounts.  The better solution would be a very long password phrase for both accounts. (write it down, and place it in the company safe)  This will make usage of the account difficult, but not impossible.  

I would also make the same recommendation for the "oracle" software owner too!  If OS authentication is enabled, oracle is just as good as sys.  If you lose the oracle account password, the systems administrator can always reset it for you.

-Kevin Hrim


Title: Re: Disabling Oracle user accounts
Post by Pete Finnigan on Mar 24th, 2006, 8:42pm
8)
Oracle uses the same Unix-like philosophy for identifying users. Each one gets a numeric ID, starting from 0 = sys. You cannot cancel something that does not exist (the "phantomatic" user ID=0 in reality does exist). Theoretically speaking, sys and system (less so than sys) users can be renamed, as for internal user IDs (symbolic) "names" are used, but as some default obfuscated packages know and use this user to connect... stop playing with serious things... external authentif., privs, roles and (transparent) encryption may be used instead. Try this!

Title: Re: Disabling Oracle user accounts
Post by Pete Finnigan on May 3rd, 2006, 11:54pm
I think there are essentially two reasons why someone would want to do this:  1) prevent shooting oneself painfully while using SYS, and 2) since these are known accounts, bad guys have half the info they need to get into your databases.   I think a good solution would be to disable remote administration, lock SYSTEM, and create your own account (with the dba role) to use for daily administration.

Title: Re: Disabling Oracle user accounts
Post by Pete Finnigan on May 4th, 2006, 8:48pm
Hi Jim,

I would go further and say that you should not simply use the canned DBA role for in-house administrator accounts. Design a DBA account for the purpose it is used for. How many DBAs need all the privileges offered via the DBA role regularly, or even a reasonable number of them? Not many.

It is always better to design your own roles, as Oracle will, one day, delete these canned roles.

The new "Database Vault" product looks great as it should solve some of the issues of allowing access to SYS and SYSTEM. It is possible using this product to prevent access to the data by the SYS and SYSTEM accounts.

cheers

Pete
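
The approach suggested in the two replies above (lock SYSTEM, disable remote SYSDBA administration, and give each administrator a named account with a purpose-built role rather than the canned DBA role) can be put into practice with ordinary Oracle SQL. The block below is an added illustration, not code from the thread or from Oracle; the role name, the account name, the password placeholder and the privilege list are assumptions and must be tailored to what your own administrators actually do.

```sql
-- Added example (not from the thread): replace shared SYSTEM/DBA usage with
-- named accounts holding a purpose-built role. Run as a SYSDBA-capable user.

-- 1. A role carrying only the privileges your administrators really use.
--    The list is illustrative; add or remove system privileges per site.
CREATE ROLE app_admin_role;
GRANT CREATE SESSION,
      CREATE USER, ALTER USER, DROP USER,
      CREATE TABLESPACE, ALTER TABLESPACE,
      CREATE ANY INDEX, ALTER ANY INDEX,
      SELECT ANY DICTIONARY
  TO app_admin_role;

-- 2. One individually named account per administrator (assumed name).
--    Use a long pass phrase; the value here is only a placeholder.
CREATE USER jsmith_adm IDENTIFIED BY "REPLACE-WITH-LONG-PASS-PHRASE"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;
GRANT app_admin_role TO jsmith_adm;

-- 3. Lock SYSTEM instead of trying to drop it (SYS and SYSTEM cannot be
--    dropped). Note that locking SYS does not stop SYSDBA connections,
--    which is why the earlier reply prefers a strong pass phrase for SYS.
ALTER USER system ACCOUNT LOCK;

-- 4. Disable remote password-file (SYSDBA over the network) administration.
--    This parameter is static: it takes effect at the next instance restart.
ALTER SYSTEM SET remote_login_passwordfile = NONE SCOPE = SPFILE;

-- 5. Verification queries for the change review:
--    which accounts remain open, and who still holds the canned DBA role.
SELECT username, account_status
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```

The two final queries are the useful ongoing check: any default or sample account that is still OPEN, and any grantee of DBA other than the accounts you deliberately decided should keep it, is something to revisit.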


