Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: Sql Developer

From: Johnson, William L (TEIS) <WLJohnson_at_tycoelectronics.com>
Date: Tue, 12 Jun 2007 13:04:01 -0400
Message-ID: <1C5D8AF23EF60E4C8E86777B7F504D8B1E70A2A0@us194mx14.tycoelectronics.net>


I would recommend that you drop a user like scott from your database unless you have a business reason to keep it. You may feel that this is a development environment and you want to give folks the freedom to look around at things they may not see in production. But consider this: does your development environment parallel your production environment in the form of accounts that are present, location of data files, tablespace names, ...? Giving someone this freedom to look around gives them an insight into your production system. This insight can end up giving a hacker a leg-up on breaking things. (Giving folks the ability to view the password column in the view dba_users will permit them to use password cracking software to obtain passwords for accounts like SYS and SYSTEM. Then the garage door is open to the house...)

Take a look at this article that is free on Oracle's Technet site for securing your database. It's informative and a good start to help secure your database.  

http://www.oracle.com/technology/pub/articles/project_lockdown/phase1.html

Bill  


From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Rumpi Gravenstein
Sent: Tuesday, June 12, 2007 12:31 PM
To: DennisCutshall_at_mail.und.nodak.edu
Cc: oracle-l_at_freelists.org
Subject: Re: Sql Developer  

What a user can browse is more a reflection on the privileges you've given the user than insight into a tool's capabilities. In the case you've described, any user that can log on as Scott will be able to browse the same objects. What the tool is doing for you is shining some light on the privileges the Scott account has been granted. I would think that in a development setting this would be a good thing as many of the system objects should be helpful in the building of your applications. In production the privileges should be limited to what is needed.

On 6/12/07, Dennis Cutshall <DennisCutshall_at_mail.und.nodak.edu> wrote:

Hi,  

We are looking at using Oracle's SQL Developer as a development tool. Does anyone have any experience with this product? If so, please pass on your findings. We are particularly concerned about security. We noticed that any user, e.g. Scott, can look at many of the objects in SYS and SYSTEM. Is this a concern, or are those normally public?

Dennis  

Dennis Cutshall
Data Base Administrator
University of North Dakota ITSS

Phone: (701) 777-4109
Fax: (701)777-3978
E-Mail: DennisCutshall_at_mail.und.nodak.edu
-- 
Rumpi Gravenstein 


--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jun 12 2007 - 12:04:01 CDT
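
An audit along the lines the thread discusses, as an added example that is not part of the original messages: these Oracle data dictionary queries, run by a DBA, list who can read DBA_USERS and what SCOTT and PUBLIC have been granted on SYS and SYSTEM objects. The account name SCOTT comes from the thread; the set of roles and privileges checked is an assumption about a typical installation and should be extended for local roles.

```sql
-- Added audit example (not from the original thread). Run as a DBA.

-- 1. Who can read DBA_USERS, and with it the PASSWORD column, through a
--    direct object grant, a dictionary-wide system privilege, or a role?
SELECT grantee, 'object grant: ' || privilege AS via
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBA_USERS'
UNION ALL
SELECT grantee, 'system privilege: ' || privilege
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT grantee, 'role: ' || granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE')
 ORDER BY 1, 2;

-- 2. How much of SYS and SYSTEM is visible to every account via PUBLIC,
--    and how much has been granted to SCOTT directly? This is what a
--    browsing tool such as SQL Developer ends up displaying.
SELECT grantee, owner, privilege, COUNT(*) AS object_count
  FROM dba_tab_privs
 WHERE grantee IN ('SCOTT', 'PUBLIC')
   AND owner IN ('SYS', 'SYSTEM')
 GROUP BY grantee, owner, privilege
 ORDER BY grantee, owner, privilege;

-- 3. Roles and system privileges held by SCOTT; anything beyond what the
--    account needs is a candidate for REVOKE.
SELECT 'role' AS kind, granted_role AS name
  FROM dba_role_privs
 WHERE grantee = 'SCOTT'
UNION ALL
SELECT 'system privilege', privilege
  FROM dba_sys_privs
 WHERE grantee = 'SCOTT'
 ORDER BY 1, 2;

-- 4. Is the demo account present and usable at all? If there is no
--    business reason to keep it, lock or drop it.
SELECT username, account_status, created
  FROM dba_users
 WHERE username = 'SCOTT';
```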
