Hi Ricardo. I did it but the problem persist, I believe that remove the public select on all_users just prevent already logged users to enumerate accounts, but not remote unauthenticated attackers. Give a try ora-userenum.exe. Anyone have any other solution? Thank you On Wed, Apr 7, 2010 at 11:41 AM, Ricardo Limeira Batista < ricardo.batista@xxxxxxxxxxxxxxxxxxxx> wrote: > Hi Richards. > > > > We usually revoke the PUBLIC SELECT on ALL_USERS, considering that no user > has privileges on DBA_USERS tables or SELECT_CATALOG_ROLE. > > Revoking privileges on ALL_USERS will invalidate sobre objects, but it is > easy to solve giving permission directly to the ALL_USERS. > > > > Regards > > > > > Ricardo Limeira Batista > Analista de Segurança de Banco de Dados / Database Security Analyst > Microsoft Certified Technology Specialist SQL Server 2005 > > *Proteus Information Security Services** > * > ricardo.batista@xxxxxxxxxxxxxxxxxxxx > www.proteus.com.br > > > ------------------------------ > > *From:* dbsec-bounce@xxxxxxxxxxxxx [mailto:dbsec-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Richard Miles > *Sent:* quarta-feira, 7 de abril de 2010 11:54 > *To:* dbsec@xxxxxxxxxxxxx > *Subject:* [dbsec] prevent remote user enumeration? > > > > > Hi there! > > Recently we discovered some of our students enumerating existent accounts > in our Oracle database, further search pointed to ora-userenum.exe and it > really works against our oracle 110 and 11g release. > > There is a way to prevent oracle users enumeration? How? > > Thank you >