[dbsec] Re: prevent remote user enumeration?

  • From: Richard Miles <richard.k.miles@xxxxxxxxxxxxxx>
  • To: dbsec@xxxxxxxxxxxxx
  • Date: Wed, 7 Apr 2010 14:33:54 -0500

Hi Ricardo.

I did it, but the problem persists. I believe that removing the public select on
all_users just prevents already logged-in users from enumerating accounts, but not
remote unauthenticated attackers. Give ora-userenum.exe a try.

Does anyone have any other solution?

Thank you

On Wed, Apr 7, 2010 at 11:41 AM, Ricardo Limeira Batista <
ricardo.batista@xxxxxxxxxxxxxxxxxxxx> wrote:

>  Hi Richards.
>
>
>
> We usually revoke the PUBLIC SELECT on ALL_USERS, considering that no user
> has privileges on DBA_USERS tables or SELECT_CATALOG_ROLE.
>
> Revoking privileges on ALL_USERS will invalidate some objects, but it is
> easy to solve by giving permission directly to the ALL_USERS.
>
>
>
> Regards
>
>
>
>
> Ricardo Limeira Batista
> Analista de Segurança de Banco de Dados / Database Security Analyst
> Microsoft Certified Technology Specialist SQL Server 2005
>
> Proteus Information Security Services
> ricardo.batista@xxxxxxxxxxxxxxxxxxxx
> www.proteus.com.br
>
>
>   ------------------------------
>
> From: dbsec-bounce@xxxxxxxxxxxxx [mailto:dbsec-bounce@xxxxxxxxxxxxx] On
> Behalf Of Richard Miles
> Sent: Wednesday, April 7, 2010 11:54
> To: dbsec@xxxxxxxxxxxxx
> Subject: [dbsec] prevent remote user enumeration?
>
>
>
>
> Hi there!
>
> Recently we discovered some of our students enumerating existing accounts
> in our Oracle database; further searching pointed to ora-userenum.exe, and it
> really works against our Oracle 110 and 11g release.
>
> Is there a way to prevent Oracle user enumeration? How?
>
> Thank you
>
