3 Securing Oracle Database User Accounts

This chapter contains:

About Securing Oracle Database User Accounts
Predefined User Accounts Provided by Oracle Database
Expiring and Locking Database Accounts
Requirements for Creating Passwords
Finding and Changing Default Passwords
Guideline for Handling the Default Administrative User Passwords
Guideline for Enforcing Password Management
Parameters Used to Secure User Accounts

See Also:

Oracle Database Security Guide for detailed information about securing user accounts

About Securing Oracle Database User Accounts

You can use many methods to secure database user accounts. For example, Oracle Database has a set of built-in protections for passwords. This chapter explains how you can safeguard default database accounts and passwords, and describes ways to manage database accounts.

Oracle Database 2 Day DBA describes the fundamentals of creating and administering user accounts, including how to manage user roles, what the administrative accounts are, and how to use profiles to establish a password policy.

After you create user accounts, you can use the procedures in this section to further secure these accounts by following these methods:

Safeguarding predefined database accounts. When you install Oracle Database, it creates a set of predefined accounts. You should secure these accounts as soon as possible by changing their passwords. You can use the same method to change all passwords, whether they are with regular user accounts, administrative accounts, or predefined accounts. This guide also provides guidelines on how to create the most secure passwords.
Managing database accounts. You can expire and lock database accounts.
Managing passwords. You can manage and protect passwords by setting initialization parameters. Oracle Database Reference describes the initialization parameters in detail.

See Also:

Oracle Database Security Guide for detailed information about managing user accounts and authentication
"Predefined User Accounts Provided by Oracle Database" for a description of the predefined user accounts that are created when you install Oracle Database

Predefined User Accounts Provided by Oracle Database

When you install Oracle Database, the installation process creates a set of predefined accounts. These accounts are in the following categories:

Predefined Administrative Accounts
Predefined Non-Administrative User Accounts
Predefined Sample Schema User Accounts

Predefined Administrative Accounts

A default Oracle Database installation provides a set of predefined administrative accounts. These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either SYSTEM or SYSAUX.

To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted in Table 3-1. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts".

Table 3-1 lists the administrative user accounts provided by Oracle Database.

Table 3-1 Predefined Oracle Database Administrative User Accounts

User Account	Description	Status After Installation
`ANONYMOUS`	Account that allows HTTP access to Oracle XML DB. It is used in place of the `APEX_PUBLIC_USER` account when the Embedded PL/SQL Gateway (EPG) is installed in the database. EPG is a Web server that can be used with Oracle Database. It provides the necessary infrastructure to create dynamic applications.	Expired and locked
`CTXSYS`	The account used to administer Oracle Text. Oracle Text enables you to build text query applications and document classification applications. It provides indexing, word and theme searching, and viewing capabilities for text. See Oracle Text Application Developer's Guide.	Expired and locked
`DBSNMP`	The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database. See Oracle Enterprise Manager Grid Control Installation and Basic Configuration.	Open Password is created at installation or database creation time.
`EXFSYS`	The account used internally to access the `EXFSYS` schema, which is associated with the Rules Manager and Expression Filter feature. This feature enables you to build complex PL/SQL rules and expressions. The `EXFSYS` schema contains the Rules Manager and Expression Filter DDL, DML, and associated metadata. See Oracle Database Rules Manager and Expression Filter Developer's Guide.	Expired and locked
`LBACSYS`	The account used to administer Oracle Label Security (OLS). It is created only when you install the Label Security custom option. See "Enforcing Row-Level Security with Oracle Label Security" and Oracle Label Security Administrator's Guide.	Expired and locked
`MDSYS`	The Oracle Spatial and Oracle Multimedia Locator administrator account. See Oracle Spatial Developer's Guide.	Expired and locked
`MGMT_VIEW`	An account used by Oracle Enterprise Manager Database Control.	Open Password is randomly generated at installation or database creation time. Users do not need to know this password.
`OLAPSYS`	The account that owns the OLAP Catalog (CWMLite). This account has been deprecated, but is retained for backward compatibility.	Expired and locked
`ORDDATA`	This account contains the Oracle Multimedia DICOM data model. See Oracle Multimedia DICOM Developer's Guide for more information.	Expired and locked
`OWBSYS`	The account for administrating the Oracle Warehouse Builder repository. Access this account during the installation process to define the base language of the repository and to define Warehouse Builder workspaces and users. A data warehouse is a relational or multidimensional database that is designed for query and analysis. See Oracle Warehouse Builder Installation and Administration Guide.	Expired and locked
`ORDPLUGINS`	The Oracle Multimedia user. Plug-ins supplied by Oracle and third-party, format plug-ins are installed in this schema. Oracle Multimedia enables Oracle Database to store, manage, and retrieve images, audio, video, DICOM format medical images and other objects, or other heterogeneous media data integrated with other enterprise information. See Oracle Multimedia User's Guide and Oracle Multimedia Reference.	Expired and locked
`ORDSYS`	The Oracle Multimedia administrator account. See Oracle Multimedia User's Guide, Oracle Multimedia Reference, and Oracle Multimedia DICOM Developer's Guide.	Expired and locked
`OUTLN`	The account that supports plan stability. Plan stability prevents certain database environment changes from affecting the performance characteristics of applications by preserving execution plans in stored outlines. `OUTLN` acts as a role to centrally manage metadata associated with stored outlines. See Oracle Database Performance Tuning Guide.	Expired and locked
`SI_INFORMTN_SCHEMA`	The account that stores the information views for the SQL/MM Still Image Standard. See Oracle Multimedia User's Guide and Oracle Multimedia Reference.	Expired and locked
`SYS`	An account used to perform database administration tasks. See Oracle Database 2 Day DBA.	Open Password is created at installation or database creation time.
`SYSMAN`	The account used to perform Oracle Enterprise Manager database administration tasks. The `SYS` and `SYSTEM` accounts can also perform these tasks. See Oracle Enterprise Manager Grid Control Installation and Basic Configuration.	Open Password is created at installation or database creation time.
`SYSTEM`	A default generic database administrator account for Oracle databases. For production systems, Oracle recommends creating individual database administrator accounts and not using the generic `SYSTEM` account for database administration operations. See Oracle Database 2 Day DBA.	Open Password is created at installation or database creation time.
`WK_TEST`	The instance administrator for the default instance, `WK_INST`. After you unlock this account and assign this user a password, then you must also update the cached schema password using the administration tool Edit Instance Page. Ultra Search provides uniform search-and-location capabilities over multiple repositories, such as Oracle databases, other ODBC compliant databases, IMAP mail servers, HTML documents managed by a Web server, files on disk, and more. See Oracle Ultra Search Administrator's Guide.	Expired and locked
`WKSYS`	An Ultra Search database super-user. `WKSYS` can grant super-user privileges to other users, such as `WK_TEST`. All Oracle Ultra Search database objects are installed in the `WKSYS` schema. See Oracle Ultra Search Administrator's Guide.	Expired and locked
`WKPROXY`	An administrative account of Oracle9i Application Server Ultra Search. See Oracle Ultra Search Administrator's Guide.	Expired and locked
`WMSYS`	The account used to store the metadata information for Oracle Workspace Manager. See Oracle Database Workspace Manager Developer's Guide.	Expired and locked
`XDB`	The account used for storing Oracle XML DB data and metadata. Oracle XML DB provides high-performance XML storage and retrieval for Oracle Database data. See Oracle XML DB Developer's Guide.	Expired and locked

Note:

If you create an Oracle Automatic Storage Management (Oracle ASM) instance, then the ASMSNMP account is created. Oracle Enterprise Manager uses this account to monitor ASM instances to retrieve data from ASM-related data dictionary views. The ASMSNMP account status is set to OPEN upon creation, and it is granted the SYSDBA privilege. For more information, see Oracle Automatic Storage Management Administrator's Guide.

Predefined Non-Administrative User Accounts

Table 3-2 lists default non-administrative user accounts that are created when you install Oracle Database. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS.

To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation, except where noted in Table 3-2. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts".

Table 3-2 Predefined Oracle Database Non-Administrative User Accounts

User Account	Description	Status After Installation
`APEX_PUBLIC_USER`	The Oracle Database Application Express account. Use this account to specify the Oracle schema used to connect to the database through the database access descriptor (DAD). Oracle Application Express is a rapid, Web application development tool for Oracle Database. See Oracle Application Express Application Builder User's Guide.	Expired and locked
`DIP`	The Oracle Directory Integration and Provisioning (DIP) account that is installed with Oracle Label Security. This profile is created automatically as part of the installation process for Oracle Internet Directory-enabled Oracle Label Security. See Oracle Label Security Administrator's Guide.	Expired and locked
`FLOWS_30000`	The account that owns most of the database objects created during the installation of Oracle Database Application Express. These objects include tables, views, triggers, indexes, packages, and so on. See Oracle Application Express Application Builder User's Guide.	Expired and locked
`FLOWS_FILES`	The account that owns the database objects created during the installation of Oracle Database Application Express related to modplsql document conveyance, for example, file uploads and downloads. These objects include tables, views, triggers, indexes, packages, and so on. See Oracle Application Express Application Builder User's Guide.	Expired and locked
`MDDATA`	The schema used by Oracle Spatial for storing Geocoder and router data. Oracle Spatial provides a SQL schema and functions that enable you to store, retrieve, update, and query collections of spatial features in an Oracle database. See Oracle Spatial Developer's Guide.	Expired and locked
`ORACLE_OCM`	The account used with Oracle Configuration Manager. This feature enables you to associate the configuration information for the current Oracle Database instance with My Oracle Support. Then when you log a service request, it is associated with the database instance configuration information. See Oracle Database Installation Guide for your platform.	Expired and locked
`SPATIAL_CSW_ADMIN_USR`	The Catalog Services for the Web (CSW) account. It is used by Oracle Spatial CSW Cache Manager to load all record-type metadata and record instances from the database into the main memory for the record types that are cached. See Oracle Spatial Developer's Guide.	Expired and locked
`SPATIAL_WFS_ADMIN_USR`	The Web Feature Service (WFS) account. It is used by Oracle Spatial WFS Cache Manager to load all feature type metadata and feature instances from the database into main memory for the feature types that are cached. See Oracle Spatial Developer's Guide.	Expired and locked
`XS$NULL`	An internal account that represents the absence of a user in a session. Because `XS$NULL` is not a user, this account can only be accessed by the Oracle Database instance. `XS$NULL` has no privileges and no one can authenticate as `XS$NULL`, nor can authentication credentials ever be assigned to `XS$NULL`.	Expired and locked

Predefined Sample Schema User Accounts

If you install the sample schemas, which you must do to complete the examples in this guide, Oracle Database creates a set of sample user accounts. The sample schema user accounts are all non-administrative accounts, and their tablespace is USERS.

To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in "Expiring and Locking Database Accounts". For more information about the sample schema accounts, see Oracle Database Sample Schemas.

Table 3-3 lists the sample schema user accounts, which represent different divisions of a fictional company that manufactures various products.

Table 3-3 Default Sample Schema User Accounts

User Account	Description	Status After Installation
`BI`	The account that owns the `BI` (Business Intelligence) schema included in the Oracle Sample Schemas. See also Oracle Warehouse Builder Sources and Targets Guide.	Expired and locked
`HR`	The account used to manage the `HR` (Human Resources) schema. This schema stores information about the employees and the facilities of the company.	Expired and locked
`OE`	The account used to manage the `OE` (Order Entry) schema. This schema stores product inventories and sales of the company's products through various channels.	Expired and locked
`PM`	The account used to manage the `PM` (Product Media) schema. This schema contains descriptions and detailed information about each product sold by the company.	Expired and locked
`IX`	The account used to manage the `IX` (Information Exchange) schema. This schema manages shipping through business-to-business (B2B) applications.	Expired and locked
`SH`	The account used to manage the `SH` (Sales) schema. This schema stores business statistics to facilitate business decisions.	Expired and locked

In addition to the sample schema accounts, Oracle Database provides another sample schema account, SCOTT. The SCOTT schema contains the tables EMP, DEPT, SALGRADE, and BONUS. The SCOTT account is used in examples throughout the Oracle Database documentation set. When you install Oracle Database, the SCOTT account is locked and expired.

Expiring and Locking Database Accounts

When you expire the password of a user, that password no longer exists. If you want to unexpire the password, you change the password of that account. Locking an account preserves the user password and other account information, but makes the account unavailable to anyone who tries to log in to the database using that account. Unlocking it makes the account available again.

Oracle Database 2 Day DBA explains how you can use Database Control to unlock database accounts. You also can use Database Control to expire or lock database accounts.

To expire and lock a database account:

Start Database Control.

See Oracle Database 2 Day DBA for instructions about how to start Database Control.
Log in with administrative privileges.

For example:

Description of the illustration login.gif

The Database Home page appears.
Click Server to display the Server subpage.
In the Security section, click Users.

The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.
In the Select column, select the account you want to expire, and then click Edit.

The Edit User page appears.
Do one of the following:
- To expire a password, click Expire Password now.
  
  To unexpire the password, enter a new password in the Enter Password and Confirm Password fields. See "Requirements for Creating Passwords" for password requirements.
- To lock the account, select Locked.
Click Apply.

Requirements for Creating Passwords

When you create a user account, Oracle Database assigns a default password policy for that user. The password policy defines rules for how the password should be created, such as a minimum number of characters, when it expires, and so on. You can strengthen passwords by using password policies.

For greater security, follow these guidelines when you create passwords:

Make the password between 12 and 30 characters and numbers.
Use mixed case letters and special characters in the password. (See Oracle Database Security Guide for more information.)
Use the database character set for the password's characters, which can include the underscore (_), dollar ($), and number sign (#) characters.
Do not use an actual word for the entire password.

Oracle Database Security Guide describes more ways that you can further secure passwords.

See Also:

"Finding and Changing Default Passwords" for information about changing user passwords
"Expiring and Locking Database Accounts" for information about locking accounts and expiring passwords
"Predefined User Accounts Provided by Oracle Database" a description of the predefined user accounts that are created when you install Oracle Database
Oracle Database 2 Day DBA for an introduction to password policies
Oracle Database Security Guide for detailed information about managing passwords

Finding and Changing Default Passwords

When you install Oracle Database, the default database user accounts, including administrative accounts, are created without default passwords. Except for the administrative accounts whose passwords you create during installation (such as user SYS), the default user accounts arrive locked with their passwords expired. If you have upgraded from a previous release of Oracle Database, you may have database accounts that still have default passwords. These are default accounts that are created when you create a database, such as the HR, OE, and SCOTT accounts.

Security is most easily compromised when a default database user account still has a default password after installation. This is particularly true for the user account SCOTT, which is a well known account that may be vulnerable to intruders. Find accounts that use default passwords and then change their passwords.

To find and change default passwords:

Log into SQL*Plus with administrative privileges.
```
sqlplus system
Enter password: password
```
Select from the DBA_USERS_WITH_DEFPWD data dictionary view.
```
SELECT * FROM DBA_USERS_WITH_DEFPWD;
```
The DBA_USERS_WITH_DEFPWD lists the accounts that still have user default passwords. For example:
```
USERNAME
------------
SCOTT
```
Change the password for the accounts the DBA_USERS_WITH_DEFPWD data dictionary view lists.

For example, to change the password for user SCOTT, enter the following:
```
PASSWORD SCOTT
Changing password for SCOTT
New password: password
Retype new password: password
Password changed
```
Replace password with a password that is secure, according to the guidelines listed in "Requirements for Creating Passwords". For greater security, do not reuse the same password that was used in previous releases of Oracle Database.

Alternatively, you can use the ALTER USER SQL statement to change the password:
```
ALTER USER SCOTT IDENTIFIED BY password;
```

You can use Database Control to change a user account passwords (not just the default user account passwords) if you have administrative privileges. Individual users can also use Database Control to change their own passwords.

To use Database Control to change the password of a database account:

Start Database Control.

See Oracle Database 2 Day DBA for instructions about how to start Database Control.
Enter an administrator user name and password (for example, SYSTEM), and then click Login.
Click Server to display the Server subpage.
In the Security section, click Users.

The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.
In the Select column, select the account you want to change, and then click Edit.

The Edit User page appears.
Enter a new password in the Enter Password and Confirm Password fields.
Click Apply.

See Also:

Oracle Database Security Guide for additional methods of configuring password protection
"Predefined User Accounts Provided by Oracle Database"

Guideline for Handling the Default Administrative User Passwords

You can use the same or different passwords for the SYS, SYSTEM, SYSMAN, and DBSNMP administrative accounts. Oracle recommends that you use different passwords for each. In any Oracle Database environment (production or test), assign strong, secure, and distinct passwords to these administrative accounts. If you use Database Configuration Assistant to create a new database, then it requires you to create passwords for the SYS and SYSTEM accounts.

Do not use default passwords for any administrative accounts, including SYSMAN and DBSNMP. Oracle Database 11g Release 2 (11.2) and later does not install these accounts with default passwords, but if you have upgraded from an earlier release of Oracle Database, you may still have accounts that use default passwords. You should find and change these accounts by using the procedures in "Finding and Changing Default Passwords".

At the end of database creation, Database Configuration Assistant displays a page that requires you to enter and confirm new passwords for the SYS and SYSTEM user accounts.

After installation, you can use Database Control to change the administrative user passwords. See "Finding and Changing Default Passwords" for more information on changing a password.

Guideline for Enforcing Password Management

Apply basic password management rules (such as password length, history, complexity, and so forth) to all user passwords. Oracle Database has password policies enabled for the default profile. "Requirements for Creating Passwords" provides guidelines for creating password policies. Table 3-4 lists initialization parameters that you can set to enforce password management.

You can find information about user accounts by querying the DBA_USERS view. The DBA_USERS view provides useful information such as the user account status, whether the account is locked, and password versions. You can query DBA_USERS as follows:

sqlplus system
Enter password: password

SQL> SELECT * FROM DBA_USERS;

Oracle also recommends, if possible, using Oracle Advanced Security (an option to Oracle Database Enterprise Edition) with network authentication services (such as Kerberos), token cards, smart cards, or X.509 certificates. These services provide strong authentication of users, and provide better protection against unauthorized access to Oracle Database.

See Also:

Oracle Database Security Guide for more information about password management
Oracle Database Security Guide for additional views you can query to find information about users and profiles

Parameters Used to Secure User Accounts

Table 3-4 lists initialization and profile parameters that you can set to better secure user accounts.

Table 3-4 Initialization and Profile Parameters Used for User Account Security

Parameter	Default Setting	Description
`SEC_CASE_SENSITIVE_LOGON`	`TRUE`	Controls case sensitivity in passwords. `TRUE` enables case sensitivity; `FALSE` disables it.
`SEC_MAX_FAILED_LOGIN_ATTEMPTS`	No default setting	Sets the maximum number of times a user is allowed to fail when connecting to an Oracle Call Interface (OCI) application.
`FAILED_LOGIN_ATTEMPTS`	`10`	Sets the maximum times a user login is allowed to fail before locking the account. Note: You also can set limits on the number of times an unauthorized user (possibly an intruder) attempts to log in to Oracle Call Interface applications by using the `SEC_MAX_FAILED_LOGIN_ATTEMPTS` initialization parameter.
`PASSWORD_GRACE_TIME`	`7`	Sets the number of days that a user has to change his or her password before it expires.
`PASSWORD_LIFE_TIME`	`180`	Sets the number of days the user can use his or her current password.
`PASSWORD_LOCK_TIME`	`1`	Sets the number of days an account will be locked after the specified number of consecutive failed login attempts.
`PASSWORD_REUSE_MAX`	`UNLIMITED`	Specifies the number of password changes required before the current password can be reused.
`PASSWORD_REUSE_TIME`	`UNLIMITED`	Specifies the number of days before which a password cannot be reused.

Note:

You can use most of these parameters to create a user profile. See Oracle Database Security Guide for more information about user profile settings.

To modify an initialization parameter, see "Modifying the Value of an Initialization Parameter". For detailed information about initialization parameters, see Oracle Database Reference andOracle Database Administrator's Guide.