Oracle Observations

September 28, 2007

A little security foible?

Filed under: Security — bigdaveroberts @ 12:03 pm

Having attended the most recent UKOUG Oracle on windows SIG and heard the excellent talk on security by Pete Finnegan (, obviously the first thing I did was check the default user name and passwords supplied with Oracle on some of our systems.

And as anticipated OUTLN/OUTLN and DBSNMP/DBSNMP both let me log onto the database.

So I raised the issue with our DBA who was sure that the accounts had been locked.

Indeed, after further investigation, the development databases, which had been cloned from production did have all the appropriate accounts locked!

The only thing that had happened recently in production is that we did a database re organisation that included the full cycle of:

Full export.
Database re-creation.
Full import with data.
Full import without data.

So our current theory is that somewhere in this process, the fact that these default accounts were locked has been lost.

One to check when I have a little more time.

Meanwhile, I’d advise both locking and changing the passwords on these accounts, which is probably what we should have been doing anyway!


Create a free website or blog at