Re: Typical DB install - security risk?

From: Howard J. Rogers <howardjr_at_www.com>
Date: Sun, 29 Oct 2000 15:09:14 +1100
Message-ID: <39fb9524@news.iprimus.com.au>

<jrevenn_at_emory.edu> wrote in message
news:svi6k6gts2fgd3_at_news.supernews.com...
>
> I just installed the typical database during an Oracle 8i installation on a
> Windows 2000 server. After the installation, I went into DBA studio and
> noticed that a lot of users have been created for me. My very newbie
> question is, which accounts can I delete and which accounts must I keep?
> There is SYS (password:change_on_install). I'm assuming that I am supposed
> to change this password and keep the account? I keep hearing a lot about
> Scott (password:tiger(?)). Yes he is on my system, but his password isn't
> 'tiger'. I don't know what it is, but I can't login to DBA studio with his
> account. I suspect I'm doing something wrong.

First, the standard users are SYS and SYSTEM, and yes you should change their passwords (from change_on_install and manager respectively) if you intend to do any serious work with this database. For God's sake don't delete them, because they are the key movers in actually being able to administer the database (Oracle won't let you anyway, even if you try, not without some real hard work on your part, anyway).

Next: there is indeed a user called Scott, and his password *is* tiger. I've just fired up DBA Studio here: first it asks whether to connect to the database directly, or go via a Management Server. If you go directly to the database and try to log in as Scott/tiger, you will get an error message that says something like "This application requires more database privileges than you have currently granted to you"... if the password had been wrong, it would have said 'invalid username/password'. You can use boring old SQL*Plus to connect as scott/tiger and see that things are working correctly.

(Hint: if you think things are going wrong, always post the actual error message.)

Incidentally, the reason for the ability to connect as Scott is that DBA Studio is intended to be your one-stop-shop for doing admin-y type things to the database (new users, changing privileges, creating tables etc...), not the kind of thing that humble ol' Scott is likely to be permitted to do.

Third, you will see Users CTXSYS, MDSYS, ORDSYS and OUTLN. I only actually know what the last one does (owner of Stored Outlines for SQL stability reasons). But a quick check of, for example, CTXSYS, indicates he owns a whole bunch of spooky-sounding tables, such as DR$CLASS and so on... my advice would be to NOT delete any of these Users, but to change their passwords to anything you fancy.

Fourth: there's also a bunch of Users with vaguely human names (such as Adams, Blake and Clark) who appear to own no tables that I can see. They are probably there to make demo scripts and so on work. General advice is: they can be deleted quite easily, and ought to be if you're paranoid, and no, I couldn't work out what their passwords are either (though you could log in as SYSTEM and simply change them to something you will remember).

Fifth: Scott owns the EMP and DEPT tables (and some others too) which are good for practising with, and whilst you should certainly consider changing his password, I wouldn't actually drop him at this stage (because he owns objects, you'll have to do a 'drop user scott cascade' when the time comes).

Finally, I understand your concerns about the Listener configuration process, but this is definitely something you'll have to become proficient in, and it isn't *that* hard. The basic advice is: if this system is for your own testing and learning and so on, stick with the default database for now, and move on when you feel the need. However, if this database is going out into production at any time, forget it: you can spend ages tweaking it and fine-tuning it, and it still won't be perfect. Production databases deserve proper configuration from the outset.

Regards
HJR
> Can I delete this account?
> There are a bunch of other accounts with various names. I have no idea
> what their passwords could be. Is it ok to simply modify the database that
> the Oracle Installer created for me during the typical installation for my
> purpose. Should I delete the database and create another from scratch? I
> would rather just modify this one. Since I've had so many problems
> configuring the listener after creating an Oracle databases from scratch, I
> would like to simply keep and modify this database that the Oracle
> Installer configured for me perfectly (I think?). I'm just not sure if
> there are any security loop-holes in this preconfigured database? Also,
> what is the importance of the extproc... database that is always located
> above my database? Is my database somehow datalinked to this database for
> PL/SQL calls?
>
> Thanks for your help,
>
> Brian
Received on Sat Oct 28 2000 - 23:09:14 CDT
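The account clean-up described in the reply, written out as a SQL*Plus script (an added example, not part of the original thread). It changes the passwords the reply names as defaults, checks which demo users own objects before dropping them, and leaves SCOTT in place. The ACCOUNT LOCK on the support schemas is an extra step beyond the reply's advice; the replacement passwords are placeholders.

```sql
-- Run as SYSTEM (or SYS) in SQL*Plus against the default 8i database.
-- Every new_*_password below is a placeholder; substitute your own.

-- 1. The two administrative accounts: change the passwords, never drop them.
ALTER USER sys    IDENTIFIED BY new_sys_password;
ALTER USER system IDENTIFIED BY new_system_password;

-- 2. Support schemas that own objects (CTXSYS, MDSYS, ORDSYS, OUTLN):
--    change the password and lock the account so nobody can log in as
--    the owner, without touching the objects. Unlock again if you ever
--    need to administer one of these products as its owner.
ALTER USER ctxsys IDENTIFIED BY new_ctxsys_password ACCOUNT LOCK;
ALTER USER mdsys  IDENTIFIED BY new_mdsys_password  ACCOUNT LOCK;
ALTER USER ordsys IDENTIFIED BY new_ordsys_password ACCOUNT LOCK;
ALTER USER outln  IDENTIFIED BY new_outln_password  ACCOUNT LOCK;

-- 3. Before dropping the demo users, confirm they own nothing.
--    (8i outer-join syntax; a user that owns objects needs DROP USER ... CASCADE.)
SELECT u.username, COUNT(o.object_name) AS objects_owned
  FROM dba_users u, dba_objects o
 WHERE o.owner (+) = u.username
   AND u.username IN ('ADAMS', 'BLAKE', 'CLARK', 'SCOTT')
 GROUP BY u.username;

-- 4. Demo users that own no objects can be dropped outright.
DROP USER adams;
DROP USER blake;
DROP USER clark;

-- 5. SCOTT owns EMP and DEPT: change the password now. If he is dropped
--    later, CASCADE is required because of those objects.
ALTER USER scott IDENTIFIED BY new_scott_password;
-- DROP USER scott CASCADE;   -- only once the practice tables are no longer needed

-- 6. Review what is left: every account and whether it is open or locked.
SELECT username, account_status, created
  FROM dba_users
 ORDER BY username;
```

Run step 3 on its own first and only issue the DROP USER statements in step 4 for accounts that report zero objects.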
