Solution Beacon Security Best Practice #13 - Properly Secure Default Database Accounts
One of the most common ways to “hack” a database is to utilize a default database account that has the default password. Unfortunately, Oracle provides many, many default accounts (in addition to SYS and SYSTEM) when a database is installed (depending on the installation options). The E-Business Suite adds another 200+ accounts to this default account list.
Product feature accounts (e.g. CTXSYS), as well as other administrative and application accounts, should all have their passwords changed immediately upon installation. Of course, these passwords should also be changed on a regular basis. Demonstration accounts (e.g. QS_xyz) should be dropped (recommended). Other accounts (e.g. system/product accounts) should be locked and expired.
alter user OUTLN identified by gr#8w1n3s
account lock password expire;
The following table shows the database schemas that are shipped with a fresh install of the 11i E-Business Suite. The second column indicates whether the account password should be changed, and the third column indicates whether FNDCPASS should be used to change the password instead of just changing the password at the database level.
Database Schemas Shipped with E-Business Suite
| Schema | Change? | FNDCPASS? | Description |
|---|---|---|---|
| SYS | Y | N | Initial schema in any Oracle database. Owns the data dictionary. |
| SYSTEM | Y | N | Initial DBA User. |
| DBSNMP | Y | N | Used for database status monitoring. |
| SCOTT | Y | N | Demo account delivered with RDBMS. |
| SSOSDK | Y | N | Single Sign On SDK. |
| JUNK_PS, MDSYS, ODM_MTR, OLAPSYS, ORDPLUGINS, ORDSYS, OUTLN, OWAPUB | Y | N | Miscellaneous |
| PORTAL30_DEMO, PORTAL30_PUBLIC, PORTAL30_PS, PORTAL30_SSO_PUBLIC | Y | N | Oracle Portal and Portal Single Sign On, v3.0.9 |
| PORTAL30, PORTAL30_SSO | Y | Y | Oracle Portal and Portal Single Sign On, v3.0.9 |
| CTXSYS | Y | Y | InterMedia schema used by Online Help and CRM service products for indexing knowledge base data. |
| EDWREP | Y | Y | Embedded Data Warehouse Metadata Repository |
| ODM | Y | Y | Oracle Data Manager |
| APPLSYSPUB | N | Y | Initial, pre-authentication user with minimal privileges to assist with APPS (FND) user authentication. |
| APPLSYS | Y | Y | Contains shared APPS foundation objects. Need to run Autoconfig after changing this password. |
| APPS | Y | Y | Runtime user for E-Business Suite. Owns all of the applications code. Need to run Autoconfig after changing this password. |
| APPS_mrc | Y | Y | Optional, additional APPS schemas for the (now obsolete) Multiple Reporting Currencies feature. Defaults to APPS_MRC, but country code suffixes may be used, e.g. APPS_UK, APPS_JP. Need to run Autoconfig after changing this password. |
| AD_MONITOR | Y | N | Used by Oracle Applications Manager (OAM) to monitor patching. |
| ABM, AHL, AHM, … AP, AR…GL, … ZX | Y | Y | These schemas belong to individual EBS base products. By default the password is the same as the SCHEMA name. Changing the password for these schemas does not affect any configuration files. |
The following tables show, for each version of the database, the default accounts that are possible and the default status upon installation. Note that these passwords need to be checked regularly, as patches and other DBA actions will often reset them back to their default value! Demonstration accounts (e.g. SCOTT, QS_*), as well as any other unneeded accounts, should be dropped from the database if not utilized.
Oracle 10g (R1 and R2) EE – Default Accounts and Status
| Username | Account Status |
|---|---|
| ANONYMOUS | EXPIRED & LOCKED |
| CTXSYS | EXPIRED & LOCKED |
| DBSNMP | EXPIRED & LOCKED |
| DIP | EXPIRED & LOCKED |
| DMSYS | EXPIRED & LOCKED |
| EXFSYS | EXPIRED & LOCKED |
| HR | EXPIRED & LOCKED |
| LBACSYS | EXPIRED & LOCKED |
| MDDATA | EXPIRED & LOCKED |
| MDSYS | EXPIRED & LOCKED |
| MGMT_VIEW | EXPIRED & LOCKED |
| ODM | EXPIRED & LOCKED |
| ODM_MTR | EXPIRED & LOCKED |
| OE | EXPIRED & LOCKED |
| OLAPSYS | EXPIRED & LOCKED |
| ORDPLUGINS | EXPIRED & LOCKED |
| ORDSYS | EXPIRED & LOCKED |
| OUTLN | EXPIRED & LOCKED |
| PM | EXPIRED & LOCKED |
| QS | EXPIRED & LOCKED |
| QS_ADM | EXPIRED & LOCKED |
| QS_CB | EXPIRED & LOCKED |
| QS_CBADM | EXPIRED & LOCKED |
| QS_CS | EXPIRED & LOCKED |
| QS_ES | EXPIRED & LOCKED |
| QS_OS | EXPIRED & LOCKED |
| QS_WS | EXPIRED & LOCKED |
| RMAN | EXPIRED & LOCKED |
| SCOTT | EXPIRED & LOCKED |
| SH | EXPIRED & LOCKED |
| SI_INFORMTN_SCHEMA | EXPIRED & LOCKED |
| SYS | OPEN |
| SYSMAN | EXPIRED & LOCKED |
| SYSTEM | OPEN |
| TSMSYS (New in 10g R2) | EXPIRED & LOCKED |
| WK_TEST | EXPIRED & LOCKED |
| WKPROXY | EXPIRED & LOCKED |
| WKSYS | EXPIRED & LOCKED |
| WMSYS | EXPIRED & LOCKED |
| XDB | EXPIRED & LOCKED |
Oracle 9i R2 EE - Default Accounts and Status
| Username | Account Status |
|---|---|
| ADAMS | EXPIRED & LOCKED |
| CTXSYS | EXPIRED & LOCKED |
| DBSNMP | OPEN |
| HR | EXPIRED & LOCKED |
| LBACSYS | EXPIRED & LOCKED |
| MDSYS | EXPIRED & LOCKED |
| ODM | EXPIRED & LOCKED |
| ODM_MTR | EXPIRED & LOCKED |
| ORDPLUGINS | EXPIRED & LOCKED |
| ORDSYS | EXPIRED & LOCKED |
| OUTLN | EXPIRED & LOCKED |
| PM | EXPIRED & LOCKED |
| QS | EXPIRED & LOCKED |
| QS_ADM | EXPIRED & LOCKED |
| QS_CB | EXPIRED & LOCKED |
| QS_CBADM | EXPIRED & LOCKED |
| QS_CS | EXPIRED & LOCKED |
| QS_ES | EXPIRED & LOCKED |
| QS_OS | EXPIRED & LOCKED |
| QS_WS | EXPIRED & LOCKED |
| SCOTT | OPEN |
| SH | EXPIRED & LOCKED |
| SYS | OPEN |
| SYSTEM | OPEN |
| WKPROXY | EXPIRED & LOCKED |
| WKSYS | EXPIRED & LOCKED |
| WMSYS | EXPIRED & LOCKED |
| XDB | EXPIRED & LOCKED |
Oracle 9i R1 EE – Default Accounts and Status
| Username | Account Status |
|---|---|
| ADAMS | EXPIRED & LOCKED |
| AURORA$JIS$UTILITY$ | OPEN |
| AURORA$ORB$UNAUTHENTICATED | OPEN |
| BLAKE | EXPIRED & LOCKED |
| CLARK | EXPIRED & LOCKED |
| CTXSYS | EXPIRED & LOCKED |
| DBSNMP | OPEN |
| JONES | EXPIRED & LOCKED |
| OE | EXPIRED & LOCKED |
| HR | EXPIRED & LOCKED |
| LBACSYS | EXPIRED & LOCKED |
| MDSYS | EXPIRED & LOCKED |
| OLAPDBA | EXPIRED & LOCKED |
| OLAPSVR | EXPIRED & LOCKED |
| OLAPSYS | EXPIRED & LOCKED |
| ORDPLUGINS | EXPIRED & LOCKED |
| ORDSYS | EXPIRED & LOCKED |
| OSE$HTTP$ADMIN | OPEN |
| OUTLN | OPEN |
| PM | EXPIRED & LOCKED |
| QS | EXPIRED & LOCKED |
| QS_ADM | EXPIRED & LOCKED |
| QS_CB | EXPIRED & LOCKED |
| QS_CBADM | EXPIRED & LOCKED |
| QS_CS | EXPIRED & LOCKED |
| QS_ES | EXPIRED & LOCKED |
| QS_OS | EXPIRED & LOCKED |
| QS_WS | EXPIRED & LOCKED |
| SCOTT | OPEN |
| SH | EXPIRED & LOCKED |
| SYS | OPEN |
| SYSTEM | OPEN |
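One way to carry out the regular check recommended above, as an added example that is not part of the original page: a read-only SQL*Plus query that lists every account from the 10g table whose status has drifted from EXPIRED & LOCKED and prints a lock statement for review. It assumes a DBA session with access to DBA_USERS; the column alias review_before_running is made up for this example.

```sql
-- Added example (not from the original page). Run as a DBA in SQL*Plus.
-- Read-only: it queries DBA_USERS and only prints statements for review.
--
-- The name list is the 10g table on this page minus SYS and SYSTEM, which
-- ship OPEN. For 9i, swap in the names from the 9i tables.
--
-- In an E-Business Suite database, compare the output with the schema
-- table first: CTXSYS and ODM are in use there and are changed through
-- FNDCPASS, so do not lock them blindly. DBSNMP is used for monitoring.
--
-- The generated statement locks and expires the account but leaves the
-- password as it is; add IDENTIFIED BY as in the OUTLN example to reset it.

-- The status literal contains '&'; stop SQL*Plus from treating it as a
-- substitution variable.
SET DEFINE OFF
SET LINESIZE 200

SELECT u.username,
       u.account_status,
       u.lock_date,
       u.expiry_date,
       'ALTER USER "' || u.username || '" ACCOUNT LOCK PASSWORD EXPIRE;'
         AS review_before_running
FROM   dba_users u
WHERE  u.username IN (
         'ANONYMOUS', 'CTXSYS', 'DBSNMP', 'DIP', 'DMSYS', 'EXFSYS', 'HR',
         'LBACSYS', 'MDDATA', 'MDSYS', 'MGMT_VIEW', 'ODM', 'ODM_MTR', 'OE',
         'OLAPSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'PM', 'QS', 'QS_ADM',
         'QS_CB', 'QS_CBADM', 'QS_CS', 'QS_ES', 'QS_OS', 'QS_WS', 'RMAN',
         'SCOTT', 'SH', 'SI_INFORMTN_SCHEMA', 'SYSMAN', 'TSMSYS', 'WK_TEST',
         'WKPROXY', 'WKSYS', 'WMSYS', 'XDB'
       )
AND    u.account_status <> 'EXPIRED & LOCKED'
ORDER  BY u.username;

SET DEFINE ON
```

Any row returned is an account that a patch or DBA action has reopened or left partially locked since installation. Accounts listed in the tables but absent from DBA_USERS simply do not appear, so the same query works whichever installation options were chosen.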