[dbsec] Re: prevent remote user enumeration?

  • From: Ricardo Limeira Batista <ricardo.batista@xxxxxxxxxxxxxxxxxxxx>
  • To: "dbsec@xxxxxxxxxxxxx" <dbsec@xxxxxxxxxxxxx>
  • Date: Wed, 7 Apr 2010 13:41:46 -0300

Hi Richards.

We usually revoke the PUBLIC SELECT on ALL_USERS, considering that no user has 
privileges on DBA_USERS tables or SELECT_CATALOG_ROLE.

Revoking privileges on ALL_USERS will invalidate sobre objects, but it is easy 
to solve giving permission directly to the ALL_USERS.


Ricardo Limeira Batista
Analista de Segurança de Banco de Dados / Database Security Analyst
Microsoft Certified Technology Specialist SQL Server 2005

Proteus Information Security Services



From: dbsec-bounce@xxxxxxxxxxxxx [mailto:dbsec-bounce@xxxxxxxxxxxxx] On Behalf 
Of Richard Miles
Sent: quarta-feira, 7 de abril de 2010 11:54
To: dbsec@xxxxxxxxxxxxx
Subject: [dbsec] prevent remote user enumeration?

Hi there!

Recently we discovered some of our students enumerating existent accounts in 
our Oracle database, further search pointed to ora-userenum.exe and it really 
works against our oracle 110 and 11g release.

There is a way to prevent oracle users enumeration? How?

Thank you

Other related posts: