Solution Beacon, LLC
 

Solution Beacon Security Best Practice #13 - Properly Secure Default Database Accounts

One of the most common ways to “hack” a database is to utilize a default database account that has the default password.  Unfortunately, Oracle provides many, many default accounts (in addition to SYS and SYSTEM) when a database is installed (depending on the installation options).  The E-Business Suite adds another 200+ accounts to this default account list. 

Product feature accounts (e.g. CTXSYS), as well as other administrative and application accounts all should have the passwords changed immediately upon installation.  Of course, these passwords should also be changed on a regular basis.  

Demonstration accounts (e.g. QS_xyz), should be dropped (recommended).  Other accounts (e.g. system/product accounts) should be locked and expired. 

      alter user OUTLN identified by gr#8w1n3s account lock password expire;

The following table shows the database schemas that are shipped with a fresh install of the 11i E-Business suite.  The second column defines if the account password should be changed, and the third column defines if FNDCPASS should be used to change the password instead of just changing the password at the database level.

Database Schemas Shipped with E-Business Suite

Schema

Change?

FNDCPASS?

Description

SYS

Y

N

Initial schema in any Oracle database. Owns the data dictionary.

SYSTEM

Y

N

Initial DBA User.

DBSNMP

Y

N

Used for database status monitoring.

SCOTT

Y

N

Demo account delivered with RDBMS.

SSOSDK

Y

N

Single Sign On SDK.

JUNK_PS, MDSYS, ODM_MTR, OLAPSYS, ORDPLUGINS, ORDSYS, OUTLN, OWAPUB

Y

N

Miscellaneous

PORTAL30_DEMO, PORTAL30_PUBLIC,

PORTAL30_PS, PORTAL30_SSO_PUBLIC

Y

N

Oracle Portal and Portal Single Sign On, v3.0.9

PORTAL30, PORTAL30_SSO

Y

Y

Oracle Portal and Portal Single Sign On, v3.0.9

CTXSYS

Y

Y

InterMedia schema used by Online Help and CRM service products for indexing knowledge base data.

EDWREP

Y

Y

Embedded Data Warehouse Metadata Repository

ODM

Y

Y

Oracle Data Manager

APPLSYSPUB

N

Y

Initial, pre-authentication user with minimal privi­leges to assist with APPS (FND) user authentica­tion.

APPLSYS

Y

Y

Contains shared APPS foundation objects. Need to run Autoconfig after changing this password.

APPS

Y

Y

Runtime user for E-Business Suite. Owns all of the applications code. Need to run Autoconfig after changing this password.

APPS_mrc

Y

Y

Optional, additional APPS schemas for the (now obsolete) Multiple Reporting Currencies feature. Defaults to APPS_MRC, but country code suffixes may be used, e.g. APPS_UK, APPS_JP.  Need to run Autoconfig after changing this password.

AD_MONITOR

Y

N

Used by Oracle Applications Manager (OAM) to monitor patching.

ABM, AHL, AHM, … AP, AR…GL, … ZX

Y

Y

These schemas belong to individual EBS base products. By default the password is the same as the SCHEMA name. Changing the password for these schemas does not affect any configuration files.

The following tables show for each version of the database the default accounts that are possible, and the default status upon installation.  Note that these passwords need to be checked regularly, as patches and other DBA actions will often reset them back to their default value!  Demonstration accounts (e.g. SCOTT, QS_*), as well as any other unneeded accounts, should be dropped from the database if not utilized.

Oracle 10g (R1 and R2) EE – Default Accounts and Status

Username 

Account Status 

ANONYMOUS

EXPIRED & LOCKED

CTXSYS

EXPIRED & LOCKED

DBSNMP

EXPIRED & LOCKED

DIP 

EXPIRED & LOCKED

DMSYS

EXPIRED & LOCKED

EXFSYS

EXPIRED & LOCKED

HR

EXPIRED & LOCKED

LBACSYS

EXPIRED & LOCKED

MDDATA

EXPIRED & LOCKED

MDSYS

EXPIRED & LOCKED

MGMT_VIEW

EXPIRED & LOCKED

ODM

EXPIRED & LOCKED

ODM_MTR

EXPIRED & LOCKED

OE

EXPIRED & LOCKED

OLAPSYS

EXPIRED & LOCKED

ORDPLUGINS

EXPIRED & LOCKED

ORDSYS

EXPIRED & LOCKED

OUTLN

EXPIRED & LOCKED

PM

EXPIRED & LOCKED

QS

EXPIRED & LOCKED

QS_ADM

EXPIRED & LOCKED

QS_CB

EXPIRED & LOCKED

QS_CBADM

EXPIRED & LOCKED

QS_CS

EXPIRED & LOCKED

QS_ES

EXPIRED & LOCKED

QS_OS

EXPIRED & LOCKED

QS_WS

EXPIRED & LOCKED

RMAN

EXPIRED & LOCKED

SCOTT

EXPIRED & LOCKED

SH

EXPIRED & LOCKED

SI_INFORMTN_SCHEMA

EXPIRED & LOCKED

SYS

OPEN

SYSMAN

EXPIRED & LOCKED

SYSTEM

OPEN

TSMSYS (New in 10g R2)

EXPIRED & LOCKED

WK_TEST

EXPIRED & LOCKED

WKPROXY

EXPIRED & LOCKED

WKSYS

EXPIRED & LOCKED

WMSYS

EXPIRED & LOCKED

XDB

EXPIRED & LOCKED

 

Oracle 9i R2 EE - Default Accounts and Status

Username

Account Status

ADAMS

EXPIRED & LOCKED

CTXSYS

EXPIRED & LOCKED

DBSNMP

OPEN

HR

EXPIRED & LOCKED

LBACSYS

EXPIRED & LOCKED

MDSYS

EXPIRED & LOCKED

ODM

EXPIRED & LOCKED

ODM_MTR

EXPIRED & LOCKED

ORDPLUGINS

EXPIRED & LOCKED

ORDSYS

EXPIRED & LOCKED

OUTLN

EXPIRED & LOCKED

PM

EXPIRED & LOCKED

QS

EXPIRED & LOCKED

QS_ADM

EXPIRED & LOCKED

QS_CB

EXPIRED & LOCKED

QS_CBADM

EXPIRED & LOCKED

QS_CS

EXPIRED & LOCKED

QS_ES

EXPIRED & LOCKED

QS_OS

EXPIRED & LOCKED

QS_WS

EXPIRED & LOCKED

SCOTT

OPEN

SH

EXPIRED & LOCKED

SYS

OPEN

SYSTEM

OPEN

WKPROXY

EXPIRED & LOCKED

WKSYS

EXPIRED & LOCKED

WMSYS

EXPIRED & LOCKED

XDB

EXPIRED & LOCKED

 

Oracle 9i R1 EE – Default Accounts and Status

Username

Account Status

ADAMS

EXPIRED & LOCKED

AURORA$JIS$UTILITY$

OPEN

AURORA$ORB$UNAUTHENTICATED

OPEN

BLAKE

EXPIRED & LOCKED

CLARK

EXPIRED & LOCKED

CTXSYS

EXPIRED & LOCKED

DBSNMP

OPEN

JONES

EXPIRED & LOCKED

OE

EXPIRED & LOCKED

HR

EXPIRED & LOCKED

LBACSYS

EXPIRED & LOCKED

MDSYS

EXPIRED & LOCKED

OLAPDBA

EXPIRED & LOCKED

OLAPSVR

EXPIRED & LOCKED

OLAPSYS

EXPIRED & LOCKED

ORDPLUGINS

EXPIRED & LOCKED

ORDSYS

EXPIRED & LOCKED

OSE$HTTP$ADMIN

OPEN

OUTLN

OPEN

PM

EXPIRED & LOCKED

QS

EXPIRED & LOCKED

QS_ADM

EXPIRED & LOCKED

QS_CB

EXPIRED & LOCKED

QS_CBADM

EXPIRED & LOCKED

QS_CS

EXPIRED & LOCKED

QS_ES

EXPIRED & LOCKED

QS_OS

EXPIRED & LOCKED

QS_WS

EXPIRED & LOCKED

SCOTT

OPEN

SH

EXPIRED & LOCKED

SYS

OPEN

SYSTEM

OPEN



> back to list