The sans folks seem to think that having a handle on the default role pws is a good idea, but I don't know what the vulnerability is, note it is sev 1: http://www.sans.org/score/oraclechecklist.php Action Description Severity Level O/S Oracle Default level Version Install 2.2.11 Audit known default role passwords 1 ALL ALL YES The severity levels are set between 1 and 5 (1 indicating the highest level). On Tue, Jan 24, 2006 at 10:25:04AM -0500, J. Dex wrote: > > Does it matter if standard Oracle roles are NOT password protected? Does > it only need to be non-standard roles that are password protected? -- //www.freelists.org/webpage/oracle-l