Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: how to stop access of OEM

Re: how to stop access of OEM

From: stephen booth <>
Date: Mon, 27 Jun 2005 18:23:46 +0100
Message-ID: <>

On 27/06/05, Mercadante, Thomas F (LABOR) <> wrote:
> That will work until they download the Oracle Client software and re-install
> OEM.

Which is why I specified also locking down the machine to prevent re-installation.

Security is like an Ogre^H^H^Hnion, it's got layers. Removing the software is one layer, locking down the PC is another (done right it also helps protect against viruses, trojans and spyware, although it's a not a substitute for antivirus software, firewalls and running a spyware detector periodically), putting in firewalls with reasonably paranoid settings helps a lot, as does segmenting your network (ideally physically but logically helps) and keeping an eye on traffic crossing segments. Keeping an eye on what users have what privs and checking they actually need it helps a lot (application vendors who say their applications schema account should just be given DBA role should generally be kneecapped then chased out of town by bull whip wielding support DBAs). A sane password management policy (e.g. force changes periodically and enforce a reasonable degree of complexity, but not too often or too complex else users will have to write the password down and stick it to their monitor because they can't remember it) helps a lot, especially if you have single sign-on so the user only has to remember one username and one password, they don't have an excuse to write it down and you only have to change one password or disable one account if it's been revealed or they've just been called into the manager's office for a surprise sacking (there's been a few times I've been the first person outside of management to know a person is being sacked because I've had a message from the manager to the effect of "When X is called into my office and I close the door immediately kill all his logins and disable his accounts.").


It's better to ask a silly question than to make a silly assumption.
Received on Mon Jun 27 2005 - 13:29:49 CDT

Original text of this message