
Home -> Community -> Usenet -> c.d.o.server -> Re: Typical DB install - security risk?

Re: Typical DB install - security risk?

From: Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk>
Date: Fri, 27 Oct 2000 07:38:10 -0000
Message-ID: <972632708.5166.1.nnrp-13.9e984b29@news.demon.co.uk>

The problem isn't so much the typical install as the default database. The function of the typical install is to get the software in place and working; the presence of the database helps to prove that it works.

Personally I always do a 'typical' install with default database (whatever the platform) for every new release of Oracle I have to handle, just to check that I can make the database work. Then I dump the database and build a new, clean one.

It is VERY dangerous to go to production using the default database unless you have cleaned it up. Several of the accounts installed have DBA rights and well-known passwords.

If you have accounts like CTSSYS, MDSYS, DBSNMP, then the password is usually the same as the account name. These are typically high privilege accounts.

There are likely to be several accounts with 'human' names - the passwords to these are things like 'paper', 'wood', 'cotton', and the script that creates them can be found in one of the DEMO directories under the oracle_home. These are low privilege accounts used in various of the SQL and Pro*C demonstration packages.

--

Jonathan Lewis
Yet another Oracle-related web site:  http://www.jlcomp.demon.co.uk

Practical Oracle 8i:  Building Efficient Databases
Publishers:  Addison Wesley Longman
Book bound date now 1st Dec 2000

jrevenn_at_emory.edu wrote in message ...

>
>I just installed the typical database during an Oracle 8i installation on a
>Windows 2000 server. After the installation, I went into DBA studio and
>noticed that a lot of users have been created for me. My very newbie
>question is, which accounts can I delete and which accounts must I keep?
>There is SYS (password:change_on_install). I'm assuming that I am supposed
>to change this password and keep the account? I keep hearing a lot about
>Scott (password:tiger(?)). Yes he is on my system, but his password isn't
>'tiger'. I don't know what it is, but I can't login to DBA studio with his
>account. I suspect I'm doing something wrong. Can I delete this account?
>There are a bunch of other accounts with various names. I have no idea
>what their passwords could be. Is it ok to simply modify the database that
>the Oracle installer created for me during the typical installation for my
>purpose? Should I delete the database and create another from scratch? I
>would rather just modify this one. Since I've had so many problems
>configuring the listener after creating an Oracle database from scratch, I
>would like to simply keep and modify this database that the Oracle
>Installer configured for me perfectly (I think?). I'm just not sure if
>there are any security loop-holes in this preconfigured database? Also,
>what is the importance of the extproc... database that is always located
>above my database? Is my database somehow datalinked to this database for
>PL/SQL calls?
>
>Thanks for your help,
>
>Brian
Received on Fri Oct 27 2000 - 02:38:10 CDT
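
An audit of the cleanup discussed in this thread, as an added example that is not part of either original post: it lists which accounts hold the DBA role, checks the status of the accounts named above, and shows how to lock or re-password them. It assumes a DBA-privileged SQL*Plus session; the account list is taken only from the thread, and the password shown is a placeholder.

```sql
-- Added example (not from the thread). Run as a DBA-privileged user.

-- 1. Accounts that hold the DBA role directly, and whether they can log in.
--    Roles granted through other roles are not expanded here.
SELECT u.username,
       u.account_status,
       u.created,
       r.admin_option
FROM   dba_users u,
       dba_role_privs r
WHERE  r.grantee      = u.username
AND    r.granted_role = 'DBA'
ORDER  BY u.username;

-- 2. Status of the accounts named in this thread (spelled as posted).
SELECT username,
       account_status,
       created,
       profile
FROM   dba_users
WHERE  username IN ('SYS', 'SCOTT', 'CTSSYS', 'MDSYS', 'DBSNMP')
ORDER  BY username;

-- 3. On Oracle 11g and later, the data dictionary also reports accounts
--    that still have their shipped default password.
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- 4. Remediation for an account you keep but do not log in to:
--    lock it and expire its password.
--    Check first that no monitoring agent or job connects as this user.
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;

-- 5. Remediation for an account that must stay usable: set a new password.
--    "Placeholder_ChangeMe_1" is a constructed placeholder, not a real value.
ALTER USER sys IDENTIFIED BY "Placeholder_ChangeMe_1";

-- 6. Demo accounts that nothing depends on can be dropped with their objects.
--    SCOTT is used here only because the thread asks about it.
DROP USER scott CASCADE;
```

Re-run queries 1 and 2 after the changes to confirm that no account with the DBA role remains open under a shipped password.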
