And as we can see you are not using spfile. --> Yes. I am still using PFILEs [even for 9iRAC] I suppose, in different organization there are can be different security requirements. . Hemant, I can bet your listener, are listening on deferent port then 1521 --> Most databases, unfortunately, have defaulted to 1521. But the critical ones -- Financials (ERP) are NOT on 1521 but on non-standard ports. and protected by password (many sites haven't this). --> Yes. All listeners have passwords. Have you considered to run Oracle software under different Unix account then oracle (lets say under user with name zona262db) and dba group rename to cra213 for security propose? --> The account is "oracle" or "ora817" or "ora920". Only on the 9iRAC cluster did I set up a non-dba group, though. That was to seperate the Production from the Test databases as I have only 1 cluster [ouch !] but want to be able to run both databases on it. There also recommendation to lock Oracle Software owner account and switch to it from another one. --> IT Security has been after me for this. The "oracle" account should have nologin / noshell and I must login as myself "hemant" and "su" to "oracle". Can't say that I have done this yet. . I just would say, there are different sites as well as different requirements. . If you have height security requirements I would recommend to order "Oracle Security Step-by-Step" by Pete Finnigan. http://www.amazon.com/exec/obidos/tg/detail/-/0974372749/qid=1089648916/sr=1-1/ref=sr_1_1/002-7956793-2529636?v=glance&s=books There are quite interesting ideas how to secure your Oracle env. by maximum. Jurijs 9268222 --> I take Security only to a certain level, only till it doesn't become a burden for me. Patches for vulnerabilities are applied but not all databases are updated/upgraded just for patches [e.g if the patch is released on 8.1.7.4 but my DB is still 8.1.7.2, tough-luck !] ============================================ http://otn.oracle.com/ocm/jvelikanovs.html Hemant K Chitale <hkchital@xxxxxxxxxxxxxx> Sent by: oracle-l-bounce@xxxxxxxxxxxxx 12.07.2004 18:10 Please respond to oracle-l To: oracle-l@xxxxxxxxxxxxx cc: Subject: re SYSDBA As a rule, I prefer "REMOTE_LOGIN_PASSWORDFILE=NONE " Thus, only a local account in the "dba" group can login as SYSDBA, preventing logins over remote connections. I even had an auditor point to my Plumtree database {where Plumtree's init.ora used a REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE} and ask me to disable it. Hemant Hemant K Chitale Oracle 9i Database Administrator Certified Professional http://web.singnet.com.sg/~hkchital "A man's reputation is what other people think of him; his character is what he really is." -- Miner, Jack ---------------------------------------------------------------- Please see the official ORACLE-L FAQ: http://www.orafaq.com ---------------------------------------------------------------- To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx put 'unsubscribe' in the subject line. -- Archives are at //www.freelists.org/archives/oracle-l/ FAQ is at //www.freelists.org/help/fom-serve/cache/1.html -----------------------------------------------------------------