DBAsupport.com Forums - Powered by vBulletin

Thread: Locking ( or changing ) sys & system accounts

  1. #1
    Join Date
    Jul 2003
    Posts
    8

    Locking ( or changing ) sys & system accounts

    I would like to consider the changing of my sys & system accounts to help thwart off hackers.
    I have utilized the list of known username/password combinations available at Finnigan.com to eliminate the "easy guess".
    Why give them half the information they need anyway!!
    I cannot recall encountering this at any of the sites I have worked at.
    I am either innovative or a damn fool.
    Wouldn't the new account with equal elevated privileges be considered a "backdoor" into the DB, and therefore a larger liability than having the default username(s) in place?
    Would I encounter issues in the periodic admin requirements like on/offlining resources? Tablespaces etc? Starting stopping?
    Patching?
    Pros - cons - pitfalls?
    Thanks for your reply!
    E

  2. #2
    Join Date
    Mar 2004
    Location
    DC,USA
    Posts
    650
    That's not a bad idea!

    If you have a sound Firewall in place, that would block most of the hackers.

    Good practice is to change the sys, system or other users from having their default passwords, and to change the passwords frequently.
    "What is past is PROLOGUE"

  3. #3
    Join Date
    Feb 2003
    Location
    Leeds, UK
    Posts
    367
    Locking the system and sys accounts is viable; I do this on all the databases I manage. You can still / as sysdba when logged into the host and applying patches etc. What do you mean by changing? You're not suggesting creating a new user that will own all the objects that sys currently owns are you?

  4. #4
    Join Date
    Jul 2003
    Posts
    8

    Sys and System accounts

    Actually I was considering another user with dba privileges, but with the SYSTEM account apparently not required to be in an unlocked/enabled state, and the connect / as sysdba working for me, I wouldn't need the additional account.

  5. #5
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,334
    That's fine then, though if you want to connect as sysdba over the network then you wouldn't be able to do this if sys was locked and you didn't have another user set up.

  6. #6
    Join Date
    Jul 2003
    Posts
    8

    Sys account

    I was told, but I have not tested, that the sys account cannot be locked.
    If you lock it you will get acknowledgement that the lock occurred, but a connect will still work.

  7. #7
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,334
    well if you must make me go test ....

  8. #8
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,334
    well this is a kind of backwards test as you can't log into sys directly normally

    C:\Documents and Settings\>sqlplus sys/oracle@xe

    SQL*Plus: Release 10.2.0.1.0 - Production on Mon Mar 27 23:00:40 2006

    Copyright (c) 1982, 2005, Oracle. All rights reserved.

    ERROR:
    ORA-28000: the account is locked

    So you can lock the sys account, however you can't stop sysdba, so when someone connects as sysdba it will work (it has to)


    C:\Documents and Settings\>sqlplus sys/oracle@xe as sysdba

    SQL*Plus: Release 10.2.0.1.0 - Production on Mon Mar 27 23:01:34 2006

    Copyright (c) 1982, 2005, Oracle. All rights reserved.


    Connected to:
    Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

    SQL>

    even though it says you are connected to sys you aren't really in as sys, you are in as sysdba

    as shown here


    C:\Documents and Settings\>sqlplus hr/hr@xe as sysdba

    SQL*Plus: Release 10.2.0.1.0 - Production on Mon Mar 27 23:02:43 2006

    Copyright (c) 1982, 2005, Oracle. All rights reserved.


    Connected to:
    Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

    SQL> show user
    USER is "SYS"
    SQL>
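
The thread's finding is that an account lock on SYS does not stop `as sysdba` connections, so after locking the default accounts the remaining exposure is whoever can still authenticate as SYSDBA. The following audit is an added example, not part of the original thread; it assumes a SQL*Plus session with access to the DBA and V$ views (for example `connect / as sysdba` on the host).

```sql
-- Added example (not from the thread): lock the default accounts, then
-- audit what privileged access remains.

-- 1. Lock SYSTEM. The thread shows SYS accepts the same lock, and that a
--    normal (non-SYSDBA) login to a locked account fails with ORA-28000.
ALTER USER system ACCOUNT LOCK;

-- 2. Confirm the status of the two default administrative accounts.
--    Expect ACCOUNT_STATUS to read LOCKED once the lock has been applied.
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  username IN ('SYS', 'SYSTEM');

-- 3. List every account that can connect AS SYSDBA / AS SYSOPER through
--    the password file. These logins are the ones the thread shows still
--    working over the network while SYS is locked, so each row needs a
--    strong, non-default password.
--    OS-authenticated sessions (members of the OS DBA group) do not
--    appear here and must be reviewed on the host itself.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- 4. Check whether password-file authentication is enabled at all.
--    NONE      = password file ignored; SYSDBA only via OS authentication
--    EXCLUSIVE = password file in use by this database
--    SHARED    = password file shared between databases
SELECT name, value
FROM   v$parameter
WHERE  name = 'remote_login_passwordfile';
```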
