[dbsec] Re: prevent remote user enumeration?

  • From: Ricardo Limeira Batista <ricardo.batista@xxxxxxxxxxxxxxxxxxxx>
  • To: "dbsec@xxxxxxxxxxxxx" <dbsec@xxxxxxxxxxxxx>
  • Date: Wed, 7 Apr 2010 13:41:46 -0300

Hi Richards.



We usually revoke the PUBLIC SELECT on ALL_USERS, considering that no user has 
privileges on DBA_USERS tables or SELECT_CATALOG_ROLE.

Revoking privileges on ALL_USERS will invalidate some objects, but it is easy 
to solve by giving permission directly to the ALL_USERS.



Regards




Ricardo Limeira Batista
Analista de Segurança de Banco de Dados / Database Security Analyst
Microsoft Certified Technology Specialist SQL Server 2005

Proteus Information Security Services

ricardo.batista@xxxxxxxxxxxxxxxxxxxx
www.proteus.com.br



  _____

From: dbsec-bounce@xxxxxxxxxxxxx [mailto:dbsec-bounce@xxxxxxxxxxxxx] On Behalf 
Of Richard Miles
Sent: Wednesday, April 7, 2010 11:54
To: dbsec@xxxxxxxxxxxxx
Subject: [dbsec] prevent remote user enumeration?




Hi there!

Recently we discovered some of our students enumerating existing accounts in 
our Oracle database; further searching pointed to ora-userenum.exe, and it really 
works against our Oracle 110 and 11g release.

Is there a way to prevent Oracle user enumeration? How?

Thank you
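
The revoke-and-regrant procedure described in the reply above, written out as a SQL*Plus session. This is an added example, not part of the original thread; it covers the ALL_USERS view only, assumes a DBA login, and APP_OWNER is a hypothetical schema name standing in for each schema that legitimately needs the view.

```sql
-- Added example, not from the thread. APP_OWNER is a hypothetical schema.
-- Run from SQL*Plus as a DBA account.

-- 1. Before changing anything, record which objects depend on ALL_USERS
--    (through the SYS view or its PUBLIC synonym). These are the objects
--    the revoke can invalidate.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_name  = 'ALL_USERS'
   AND referenced_owner IN ('SYS', 'PUBLIC')
   AND owner <> 'SYS'
 ORDER BY owner, name;

-- 2. Confirm the PUBLIC grant is actually present.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'ALL_USERS'
   AND grantee = 'PUBLIC';

-- 3. Remove the grant so ordinary accounts can no longer list users
--    through this view.
REVOKE SELECT ON sys.all_users FROM PUBLIC;

-- 4. See what the revoke invalidated; compare with the list from step 1.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;

-- 5. Grant the view directly to each owner that still needs it
--    (repeat per schema from step 4; never re-grant to PUBLIC).
GRANT SELECT ON sys.all_users TO app_owner;

-- 6. Recompile that schema's invalid objects.
EXEC UTL_RECOMP.RECOMP_SERIAL('APP_OWNER');

-- 7. Verify: the PUBLIC row is gone and only the direct grants remain.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'ALL_USERS'
 ORDER BY grantee;
```

Rehearse the change on a non-production copy first, since Oracle-supplied and third-party schemas can appear in the step 1 list alongside application schemas.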
