Oracle Observations

September 28, 2007

A little security foible?

Filed under: Security — bigdaveroberts @ 12:03 pm

Having attended the most recent UKOUG Oracle on Windows SIG and heard the excellent talk on security by Pete Finnigan, obviously the first thing I did was check the default user names and passwords supplied with Oracle on some of our systems.

And as anticipated, OUTLN/OUTLN and DBSNMP/DBSNMP both let me log on to the database.

So I raised the issue with our DBA, who was sure that the accounts had been locked.

Indeed, after further investigation, the development databases, which had been cloned from production, did have all the appropriate accounts locked!

The only thing that had happened recently in production is that we did a database reorganisation that included the full cycle of:

Full export.
Database re-creation.
Full import with data.
Full import without data.

So our current theory is that somewhere in this process, the fact that these default accounts were locked has been lost.

One to check when I have a little more time.

Meanwhile, I’d advise both locking and changing the passwords on these accounts, which is probably what we should have been doing anyway!
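
A check that could be run after an export/re-creation/import cycle like the one above, as an added example that is not part of the original post. It assumes a SQL*Plus session with DBA privileges; the substitution variable names are made up for the example.

```sql
-- Added example: verify and restore the lock on the two default accounts
-- named in the post after a database re-creation and import.

-- 1. Report the current state. ACCOUNT_STATUS can be OPEN, EXPIRED,
--    LOCKED, EXPIRED & LOCKED, LOCKED(TIMED), and so on.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE username IN ('OUTLN', 'DBSNMP')
 ORDER BY username;

-- 2. Lock every listed account that is not administratively locked.
--    NOT LIKE '%LOCKED' deliberately treats LOCKED(TIMED) as unlocked,
--    because a timed lock clears itself.
SET SERVEROUTPUT ON
BEGIN
  FOR r IN (SELECT username
              FROM dba_users
             WHERE username IN ('OUTLN', 'DBSNMP')
               AND account_status NOT LIKE '%LOCKED')
  LOOP
    EXECUTE IMMEDIATE 'ALTER USER '
      || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE)
      || ' ACCOUNT LOCK';
    DBMS_OUTPUT.PUT_LINE('Locked ' || r.username);
  END LOOP;
END;
/

-- 3. Replace the default passwords as well, so that unlocking an account
--    later does not bring the default credential back.
--    new_outln_pw / new_dbsnmp_pw are hypothetical variable names.
ACCEPT new_outln_pw  CHAR PROMPT 'New OUTLN password: '  HIDE
ACCEPT new_dbsnmp_pw CHAR PROMPT 'New DBSNMP password: ' HIDE
ALTER USER outln  IDENTIFIED BY "&new_outln_pw";
ALTER USER dbsnmp IDENTIFIED BY "&new_dbsnmp_pw";

-- 4. Confirm the result.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE username IN ('OUTLN', 'DBSNMP')
 ORDER BY username;
```

DBSNMP is the account the Enterprise Manager agent connects with, so where that agent is in use the account has to stay unlocked and the new password must also be set on the agent side.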

