Oracle® Database 2 Day + Security Guide 11g Release 1 (11.1) Part Number B28337-03 |
|
|
View PDF |
You can use many methods to secure database user accounts. For example, Oracle Database has a set of built-in protections for passwords. This chapter explains how you can safeguard default database accounts and passwords, and describes ways to manage database accounts.
This chapter contains the following topics:
See Also:
Oracle Database Security Guide for detailed information about securing user accountsOracle Database 2 Day DBA describes the fundamentals of creating and administering user accounts, including how to manage user roles, what the administrative accounts are, and how to use profiles to establish a password policy.
After you create user accounts for your site, you can use the procedures in this section to further secure these accounts by following these methods:
Safeguarding predefined database accounts. When you install Oracle Database, it creates a set of predefined accounts. You should secure these accounts as soon as possible by changing their passwords. You can use the same method to change all passwords, whether they are with regular user accounts, administrative accounts, or predefined accounts. This guide also provides guidelines on how to create the most secure passwords.
Managing database accounts. You can expire, lock, and unlock database accounts.
Managing passwords. You can manage and protect passwords by using the tools provided with Oracle Database, such as initialization parameters.
See Also:
Oracle Database Security Guide for detailed information about managing user accounts and authentication
"Predefined User Accounts Provided by Oracle Database" for a description of the predefined user accounts that are created when you install Oracle Database
When you install Oracle Database, the installation process creates a set of predefined accounts. These accounts are in the following categories:
A default Oracle Database installation provides a set of predefined administrative accounts. These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE
or ALTER SESSION
privilege, or EXECUTE
privileges on packages owned by the SYS
schema. The default tablespace for administrative accounts is either SYSTEM
or SYSAUX
.
To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted in Table 3-1. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts".
Table 3-1 lists the administrative user accounts provided by Oracle Database.
Table 3-1 Predefined Oracle Database Administrative User Accounts
User Account | Description | Status After Installation |
---|---|---|
Account that allows HTTP access to Oracle XML DB. It is used in place of the EPG is a Web server that can be used with Oracle Database. It provides the necessary infrastructure to create dynamic applications. |
Expired and locked |
|
The account used to administer Oracle Text. Oracle Text enables you to build text query applications and document classification applications. It provides indexing, word and theme searching, and viewing capabilities for text. |
Expired and locked |
|
The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database. See Oracle Enterprise Manager Grid Control Installation and Basic Configuration. |
Open Password is created at installation or database creation time. |
|
The account used internally to access the See Oracle Database Rules Manager and Expression Filter Developer's Guide. |
Expired and locked |
|
The account used to administer Oracle Label Security (OLS). It is created only when you install the Label Security custom option. See "Enforcing Row-Level Security with Oracle Label Security" and Oracle Label Security Administrator's Guide. |
Expired and locked |
|
The Oracle Spatial and Oracle Multimedia Locator administrator account. |
Expired and locked |
|
An account used by Oracle Enterprise Manager Database Control. |
Open Password is randomly generated at installation or database creation time. Users do not need to know this password. |
|
The account that owns the OLAP Catalog (CWMLite). This account has been deprecated, but is retained for backward compatibility. |
Expired and locked |
|
The account for administrating the Oracle Warehouse Builder repository. Access this account during the installation process to define the base language of the repository and to define Warehouse Builder workspaces and users. A data warehouse is a relational or multidimensional database that is designed for query and analysis. See Oracle Warehouse Builder Installation and Administration Guide. |
Expired and locked |
|
The Oracle Multimedia user. Plug-ins supplied by Oracle and third-party, format plug-ins are installed in this schema. Oracle Multimedia enables Oracle Database to store, manage, and retrieve images, audio, video, DICOM format medical images and other objects, or other heterogeneous media data integrated with other enterprise information. See Oracle Multimedia User's Guide and Oracle Multimedia Reference. |
Expired and locked |
|
The Oracle Multimedia administrator account. See Oracle Multimedia User's Guide, Oracle Multimedia Reference, and Oracle Multimedia DICOM Developer's Guide. |
Expired and locked |
|
The account that supports plan stability. Plan stability prevents certain database environment changes from affecting the performance characteristics of applications by preserving execution plans in stored outlines. |
Expired and locked |
|
The account that stores the information views for the SQL/MM Still Image Standard. See Oracle Multimedia User's Guide and Oracle Multimedia Reference. |
Expired and locked |
|
An account used to perform database administration tasks. |
Open Password is created at installation or database creation time. |
|
The account used to perform Oracle Enterprise Manager database administration tasks. The See Oracle Enterprise Manager Grid Control Installation and Basic Configuration. |
Open Password is created at installation or database creation time. |
|
An account used to perform database administration tasks. |
Open Password is created at installation or database creation time. |
|
An account used for transparent session migration (TSM). |
Expired and locked |
|
The instance administrator for the default instance, Ultra Search provides uniform search-and-location capabilities over multiple repositories, such as Oracle databases, other ODBC compliant databases, IMAP mail servers, HTML documents managed by a Web server, files on disk, and more. |
Expired and locked |
|
An Ultra Search database super-user. |
Expired and locked |
|
An administrative account of Oracle9i Application Server Ultra Search. |
Expired and locked |
|
The account used to store Ultra Search system dictionaries and PL/SQL packages. |
Expired and locked |
|
The account used for storing Oracle XML DB data and metadata. Oracle XML DB provides high-performance XML storage and retrieval for Oracle Database data. |
Expired and locked |
Table 3-2 lists default non-administrative user accounts that are created when you install Oracle Database. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS
.
To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation, except where noted in Table 3-2. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts".
Table 3-2 Predefined Oracle Database Non-Administrative User Accounts
User Account | Description | Status After Installation |
---|---|---|
The Oracle Database Application Express account. Use this account to specify the Oracle schema used to connect to the database through the database access descriptor (DAD). Oracle Application Express is a rapid, Web application development tool for Oracle Database. |
Expired and locked |
|
The Oracle Directory Integration and Provisioning (DIP) account that is installed with Oracle Label Security. This profile is created automatically as part of the installation process for Oracle Internet Directory-enabled Oracle Label Security. |
Expired and locked |
|
The account that owns most of the database objects created during the installation of Oracle Database Application Express. These objects include tables, views, triggers, indexes, packages, and so on. |
Expired and locked |
|
The account that owns the database objects created during the installation of Oracle Database Application Express related to modplsql document conveyance, for example, file uploads and downloads. These objects include tables, views, triggers, indexes, packages, and so on. |
Expired and locked |
|
The schema used by Oracle Spatial for storing Geocoder and router data. Oracle Spatial provides a SQL schema and functions that enable you to store, retrieve, update, and query collections of spatial features in an Oracle database. |
Expired and locked |
|
The account used with Oracle Configuration Manager. This feature enables you to associate the configuration information for the current Oracle Database instance with OracleMetaLink. Then when you log a service request, it is associated with the database instance configuration information. See Oracle Database Installation Guide for your platform. |
Expired and locked |
|
Account used for the Oracle Universal Installer does not lock or expire this account upon installation. Its status is |
Expired and locked |
|
The Catalog Services for the Web (CSW) account. It is used by Oracle Spatial CSW Cache Manager to load all record-type metadata and record instances from the database into the main memory for the record types that are cached. |
Expired and locked |
|
The Web Feature Service (WFS) account. It is used by Oracle Spatial WFS Cache Manager to load all feature type metadata and feature instances from the database into main memory for the feature types that are cached. |
Expired and locked |
|
An internal account that represents the absence of a user in a session. Because |
Expired and locked |
If you install the sample schemas, which you must do to complete the examples in this guide, Oracle Database creates a set of sample user accounts. The sample schema user accounts are all non-administrative accounts, and their tablespace is USERS
.
To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts". For more information about the sample schema accounts, see Oracle Database Sample Schemas.
Table 3-3 lists the sample schema user accounts, which represent different divisions of a fictional company that manufactures various products.
Table 3-3 Default Sample Schema User Accounts
User Account | Description | Status After Installation |
---|---|---|
The account that owns the See also Oracle Warehouse Builder User's Guide. |
Expired and locked |
|
The account used to manage the |
Expired and locked |
|
The account used to manage the |
Expired and locked |
|
The account used to manage the |
Expired and locked |
|
The account used to manage the |
Expired and locked |
|
The account used to manage the |
Expired and locked |
In addition to the sample schema accounts, Oracle Database provides another sample schema account, SCOTT
. The SCOTT
schema contains the tables EMP
, DEPT
, SALGRADE
, and BONUS
. The SCOTT
account is used in examples throughout the Oracle Database documentation set. When you install Oracle Database, the SCOTT
account is locked and expired.
Oracle Database 2 Day DBA explains how you can use Database Control to unlock database accounts. You also can use Database Control to expire or lock database accounts.
When you expire the password of a user, that password no longer exists. If you want to unexpire the password, you change the password of that account. Locking an account preserves the user password, as well as other account information, but makes the account unavailable to anyone who tries to log in to the database using that account. Unlocking it makes the account available again.
To expire and lock a database account:
Start Database Control.
See Oracle Database 2 Day DBA for instructions about how to start Database Control.
Log in with administrative privileges.
For example:
The Database Home page appears.
Click Server to display the Server subpage.
In the Security section, click Users.
The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.
In the Select column, select the account you want to expire, and then click Edit.
The Edit User page appears.
Do one of the following:
To expire a password, click Expire Password now.
To unexpire the password, enter a new password in the Enter Password and Confirm Password fields. See "Requirements for Creating Passwords" for password requirements.
To lock the account, select Locked.
Click Apply.
When you create a user account, Oracle Database assigns a default password policy for that user. The password policy defines rules for how the password should be created, such as a minimum number of characters, when it expires, and so on. You can strengthen passwords by using password policies.
At a minimum, passwords must be no longer than 30 characters. However, for greater security, follow these additional guidelines:
Make the password between 8 and 30 characters.
Use the database character set for the password's characters, which can include the underscore (_), dollar ($), and number sign (#) characters.
In addition to including at least 1 digit and 1 alphabetic character, include at least 1 punctuation mark in the password.
Do not start the password with a number.
Do not use Oracle reserved words in the password.
See Oracle Database SQL Language Reference for a list of Oracle Database reserved words.
Do not include the password in a dictionary or in a name (for example, an object name).
See Also:
"Finding and Changing Default Passwords" for information about changing user passwords
"Expiring and Locking Database Accounts" for information about locking accounts and expiring passwords
"Predefined User Accounts Provided by Oracle Database" a description of the predefined user accounts that are created when you install Oracle Database
Oracle Database 2 Day DBA for an introduction to password policies
Oracle Database Security Guide for detailed information about managing passwords
Oracle Database Security Guide for more ways to further secure passwords
In Oracle Database 11g Release 1 (11.1), database user accounts, including administrative accounts, are installed without default passwords. During installation, you either create a password the account (always an administrative account), or Oracle Database installs the default accounts, such as those in the sample schemas, locked with their passwords expired.
If you have upgraded from a previous release of Oracle Database, you may have database accounts that have default passwords. These are default accounts that are created when you create a database, such as the HR
, OE
, and SCOTT
accounts.
Security is most easily compromised when a default database user account still has a default password after installation. This is particularly true for the user account SCOTT
, which is a well known account that may be vulnerable to intruders. Find accounts that use default passwords and then change their passwords.
To find and change default passwords:
Log into SQL*Plus with administrative privileges.
SQLPLUS SYSTEM
Enter password: password
Select from the DBA_USERS_WITH_DEFPWD
data dictionary view.
SELECT * FROM DBA_USERS_WITH_DEFPWD;
The DBA_USERS_WITH_DEFPWD
lists the accounts that still have user default passwords. For example:
USERNAME ------------ SCOTT
Change the password for the accounts the DBA_USERS_WITH_DEFPWD
data dictionary view lists.
PASSWORD SCOTT Changing password for SCOTT New password: password Retype new password: password Password changed
Replace password
with a password that is secure, according to the guidelines listed in "Requirements for Creating Passwords". For greater security, do not reuse the same password that was used in previous releases of Oracle Database.
Alternatively, you can use the ALTER USER
SQL statement to change the password:
ALTER USER SCOTT IDENTIFIED BY password;
You can use Database Control to change a user account passwords (not just the default user account passwords) if you have administrative privileges. Individual users can also use Database Control to change their own passwords.
To use Database Control to change the password of a database account:
Start Database Control.
See Oracle Database 2 Day DBA for instructions about how to start Database Control.
Enter an administrator user name and password (for example, SYSTEM
), and then click Login.
Click Server to display the Server subpage.
In the Security section, click Users.
The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.
In the Select column, select the account you want to change, and then click Edit.
The Edit User page appears.
Enter a new password in the Enter Password and Confirm Password fields.
Click Apply.
See Also:
Oracle Database Security Guide for additional methods of configuring password protection
You can use the same or different passwords for the SYS
, SYSTEM
, SYSMAN
, and DBSNMP
administrative accounts. Oracle recommends that you use different passwords for each. In any Oracle Database environment (production or test), assign strong, secure, and distinct passwords to these administrative accounts. If you use Database Configuration Assistant to create a new database, then it requires you to create passwords for the SYS
and SYSTEM
accounts.
Similarly, for production environments, do not use default passwords for any administrative accounts, including SYSMAN
and DBSNMP
. Oracle Database 11g Release 1 (11.1) does not install these accounts with default passwords, but if you have upgraded from an earlier release of Oracle Database, you may still have accounts that use default passwords. You should find and change these accounts by using the procedures in "Finding and Changing Default Passwords".
At the end of database creation, Database Configuration Assistant displays a page that requires you to enter and confirm new passwords for the SYS
and SYSTEM
user accounts.
Apply basic password management rules (such as password length, history, complexity, and so forth) to all user passwords. Oracle Database has password policies enabled for the default profile. "Requirements for Creating Passwords" provides guidelines for creating password policies. Table 3-4 lists initialization parameters that you can set to enforce password management.
You can find information about user accounts by querying the DBA_USERS
view. This view contains a column for passwords, but for stronger security, Oracle Database encrypts (disguises) the data in this column. The DBA_USERS
view provides useful information such as the user account status, whether or not the account is locked, and password versions. You can query DBA_USERS
as follows:
SQLPLUS SYSTEM
Enter password: password
Connected.
SQL> SELECT * FROM DBA_USERS;
Oracle also recommends, if possible, using Oracle Advanced Security (an option to Oracle Database Enterprise Edition) with network authentication services (such as Kerberos), token cards, smart cards, or X.509 certificates. These services provide strong authentication of users, and provide better protection against unauthorized access to Oracle Database.
See Also:
Oracle Database Security Guide for more information about password management
Oracle Database Security Guide for additional views you can query to find information about users and profiles
Oracle Database Advanced Security Administrator's Guide for more information about Oracle Database Advanced Security
Table 3-4 lists initialization parameters that you can set to better secure user accounts.
Table 3-4 Initialization Parameters Used for User Account Security
To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter". For detailed information about initialization parameters, see Oracle Database Reference andOracle Database Administrator's Guide.