Hi Richard.

We usually revoke the PUBLIC SELECT on ALL_USERS, considering that no user has privileges on DBA_USERS tables or SELECT_CATALOG_ROLE. Revoking privileges on ALL_USERS will invalidate some objects, but it is easy to solve by giving permission directly to the ALL_USERS.

Regards

Ricardo Limeira Batista
Database Security Analyst
Microsoft Certified Technology Specialist SQL Server 2005
Proteus Information Security Services
ricardo.batista@xxxxxxxxxxxxxxxxxxxx
http://www.proteus.com.br

_____

From: dbsec-bounce@xxxxxxxxxxxxx [mailto:dbsec-bounce@xxxxxxxxxxxxx] On Behalf Of Richard Miles
Sent: Wednesday, April 7, 2010 11:54
To: dbsec@xxxxxxxxxxxxx
Subject: [dbsec] prevent remote user enumeration?

Hi there!

Recently we discovered some of our students enumerating existing accounts in our Oracle database; further search pointed to ora-userenum.exe, and it really works against our oracle 110 and 11g release.

Is there a way to prevent Oracle user enumeration? How?

Thank you
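
The revoke-and-regrant procedure described in the reply above, as an added example that is not part of the original thread. It assumes a DBA session on Oracle 10g/11g and reads "giving permission directly" as a direct grant on ALL_USERS to each affected schema; `APP_OWNER` is a placeholder schema name.

```sql
-- Added example; APP_OWNER is a placeholder, not a name from the thread.

-- 1. Record the current grants on ALL_USERS so the change can be rolled back.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'ALL_USERS';

-- 2. Before revoking, list non-SYS objects that reference ALL_USERS
--    (directly or through the PUBLIC synonym). These are the ones that
--    will be invalidated by step 3.
SELECT DISTINCT owner, name, type
  FROM dba_dependencies
 WHERE referenced_name = 'ALL_USERS'
   AND referenced_owner IN ('SYS', 'PUBLIC')
   AND owner NOT IN ('SYS', 'PUBLIC')
 ORDER BY owner, name;

-- 3. Remove the default grant to PUBLIC.
REVOKE SELECT ON sys.all_users FROM PUBLIC;

-- 4. Confirm which objects are now invalid.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;

-- 5. Grant access directly, only to the schemas found in steps 2 and 4
--    that have a legitimate need to read ALL_USERS.
GRANT SELECT ON sys.all_users TO app_owner;

-- 6. Recompile the affected schema and re-run step 4 to verify.
BEGIN
  UTL_RECOMP.RECOMP_SERIAL('APP_OWNER');
END;
/

-- 7. Verify that PUBLIC no longer appears among the grantees.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'ALL_USERS';
```

Run it on a test instance first: the list from step 2 shows which application and vendor schemas need the direct grant in step 5.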