Security Control on Default Oracle Database Users

When you install an Oracle database, a number of predefined default users are created. Their names are public knowledge, and together with their well-known default passwords they form an obvious attack surface: these are the first credentials an attacker tries against a database. Therefore the passwords of these users should be changed right after installation, and the accounts should be left in EXPIRED & LOCKED status unless they are genuinely needed.

How do we check whether these users still have their default passwords? Oracle provides a data dictionary view for exactly that:

SELECT * FROM DBA_USERS_WITH_DEFPWD;

This view lists the default users whose password is still the shipped default. In a hardened database the query should return no rows.

Let’s check at my database;

As you can see, nearly all the default users in my test database still have their default passwords. Before changing them we should check the account status of these users. If a user is in EXPIRED & LOCKED status, a default password is tolerable for the moment, because nobody can log in with it. Note that expiring alone is not enough: an account whose password is merely expired can still connect and is prompted to set a new password, so the lock is what actually blocks the login. The following query should also return no rows; anything it does return is a serious finding.

SELECT
    A.USERNAME,
    B.ACCOUNT_STATUS
FROM
    SYS.DBA_USERS_WITH_DEFPWD A,
    DBA_USERS B
WHERE
    A.USERNAME = B.USERNAME
    AND B.ACCOUNT_STATUS <> 'EXPIRED & LOCKED';

Let’s run it at my test database;

Gotcha: in my database there are two default users in OPEN status. This is a finding. What I have to do is change their passwords and then set them to EXPIRED & LOCKED as well.

SQL> Alter user Adams identified by complexpasswd01
2         account lock password expire;

User altered.

SQL> alter user Orddata identified by complexpasswd02
2 account lock password expire;

User altered.

Now check the status of all default users again;

Good: all default users are now in EXPIRED & LOCKED status. Still, apart from Orddata and Adams, they keep their default passwords, and a locked account can be unlocked later by an administrator without anyone noticing that the password is still the well-known default. So we change all the default passwords and set the accounts to EXPIRED & LOCKED in one pass, using the following query to generate the ALTER USER statements:

SELECT
    'Alter User ' || USERNAME || ' identified by '
    || dbms_random.string('U', 6)
    || trunc(dbms_random.value(1000, 9999))
    || ' account lock password expire;'
FROM
    SYS.DBA_USERS_WITH_DEFPWD;

Review the generated statements before running them. An account that must stay usable, such as SYS, SYSTEM, or DBSNMP where an Enterprise Manager agent monitors the instance, should get a new password but must not be locked, and that new password has to be stored in a password vault because the query does not record it anywhere. On my test database the output was:

Alter User DIP identified by JACYDY9781 account lock password expire;
Alter User MDSYS identified by KPIJES7846 account lock password expire;
Alter User SPATIAL_WFS_ADMIN_USR identified by VQOAHQ7579 account lock password expire;
Alter User CTXSYS identified by AQOXGV7508 account lock password expire;
Alter User OLAPSYS identified by RWQIOP7224 account lock password expire;
Alter User OUTLN identified by WZMAQB2175 account lock password expire;
Alter User SPATIAL_CSW_ADMIN_USR identified by YYLLQH7066 account lock password expire;
Alter User EXFSYS identified by CXDMCS3349 account lock password expire;
Alter User ORACLE_OCM identified by GXRUUP7532 account lock password expire;
Alter User DBSNMP identified by DXBASG8552 account lock password expire;
Alter User MDDATA identified by HPEFPE5098 account lock password expire;
Alter User ORDPLUGINS identified by GWOITV2439 account lock password expire;
Alter User ORDSYS identified by ZIPVNJ6941 account lock password expire;
Alter User APPQOSSYS identified by TCTUYF9776 account lock password expire;
Alter User XDB identified by QRGXXV3781 account lock password expire;
Alter User SI_INFORMTN_SCHEMA identified by MHYJOV6216 account lock password expire;
Alter User WMSYS identified by RMYTXH9752 account lock password expire;

With these statements we changed the default passwords and made all the users EXPIRED & LOCKED again.

If you now query SYS.DBA_USERS_WITH_DEFPWD, no rows are returned, which means that all default passwords have been changed:

SQL> SELECT * FROM DBA_USERS_WITH_DEFPWD;

no rows selected
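As an added example (not part of the original post), here is a PL/SQL version of the same remediation that runs the ALTER USER statements directly instead of generating them for copy and paste. It adds the checks a practitioner would want: a list of accounts that must stay open (SYS, SYSTEM and DBSNMP are assumed here; adjust it to your environment), identifier quoting through DBMS_ASSERT, a longer random password, and a log of what was done that never prints the passwords. It assumes you run it as SYS or a DBA with SELECT on DBA_USERS and DBA_USERS_WITH_DEFPWD plus the ALTER USER privilege; if a password verify function is assigned in the users' profile, the generated password must also satisfy it. The final check using DBA_USERS.ORACLE_MAINTAINED applies to 12c and later.

```sql
-- Added example: reset every default password and lock the account unless it is on the
-- keep-open list. Run as SYS (or a DBA with ALTER USER). Not from the original post.
SET SERVEROUTPUT ON
DECLARE
    -- Accounts that must remain usable (assumption: SYS/SYSTEM always, DBSNMP if an
    -- Enterprise Manager agent monitors this instance). They get a new password only.
    TYPE name_list IS TABLE OF VARCHAR2(128);
    keep_open   name_list := name_list('SYS', 'SYSTEM', 'DBSNMP');

    v_pwd       VARCHAR2(64);
    v_stmt      VARCHAR2(4000);
    v_locked    PLS_INTEGER := 0;
    v_reset     PLS_INTEGER := 0;

    -- Random password: a leading letter so no quoting is needed, then 19 more
    -- alphanumeric characters. DBMS_RANDOM is not a CSPRNG; that is acceptable for
    -- accounts that end up locked, but store the password of any open account in a vault.
    FUNCTION new_password RETURN VARCHAR2 IS
    BEGIN
        RETURN DBMS_RANDOM.STRING('U', 1) || DBMS_RANDOM.STRING('X', 19);
    END;
BEGIN
    FOR r IN (
        SELECT d.username, u.account_status
          FROM sys.dba_users_with_defpwd d
          JOIN dba_users u ON u.username = d.username
         ORDER BY d.username
    ) LOOP
        v_pwd  := new_password();
        -- DBMS_ASSERT.ENQUOTE_NAME guards the dynamic SQL against odd characters in the name.
        v_stmt := 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE)
               || ' IDENTIFIED BY ' || v_pwd;

        IF r.username MEMBER OF keep_open THEN
            EXECUTE IMMEDIATE v_stmt;
            v_reset := v_reset + 1;
            -- Deliberately not printing v_pwd; hand it over through a password vault.
            DBMS_OUTPUT.PUT_LINE('password reset, account left ' || r.account_status
                                 || ': ' || r.username);
        ELSE
            EXECUTE IMMEDIATE v_stmt || ' ACCOUNT LOCK PASSWORD EXPIRE';
            v_locked := v_locked + 1;
            DBMS_OUTPUT.PUT_LINE('password reset, EXPIRED & LOCKED: ' || r.username);
        END IF;
    END LOOP;

    DBMS_OUTPUT.PUT_LINE(v_locked || ' accounts locked, ' || v_reset
                         || ' kept open with new passwords');
END;
/

-- Verification 1: no default passwords left.
SELECT username FROM sys.dba_users_with_defpwd;

-- Verification 2 (12c and later): Oracle-supplied accounts that are still open, whatever
-- their password. Only the keep-open accounts should appear here.
SELECT username, account_status
  FROM dba_users
 WHERE oracle_maintained = 'Y'
   AND account_status NOT LIKE '%LOCKED%'
 ORDER BY username;
```

The second verification is the broader control: it catches Oracle-supplied accounts that were unlocked at some point even though they no longer carry a default password, which the DBA_USERS_WITH_DEFPWD view alone cannot show.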

Now the passwords of your default users are secure.

Have a good day.

Anıl Akduygu
