Jared - I have doubts about denying anything to an administrator that is really determined. How about the DBAs being the only administrators on the box? When a sys admin task needed to be done that you can't do, then you could let them do it under your supervision. Just a thought. Dennis Williams DBA Lifetouch, Inc. dwilliams@xxxxxxxxxxxxx -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Jared.Still@xxxxxxxxxxx Sent: Tuesday, March 16, 2004 4:37 PM To: oracle-l@xxxxxxxxxxxxx Subject: Database security List, Here in the midst of Sarbanes Oxley, I've been pondering methods that might be used to prevent a system administrator from connecting to any databases running on that box. I know that it is possible to setup Oracle on Windows so that without a password, you cannot logon to the database as sysdba. eg. sqlplus "/ as sysdba" will require a password. The caveat to this is that the SA can simply: * stop the Oracle service * change the init.ora parm remote_login_passwordfile to 'none' * start up the database * create a dba account * shutdown the database * re-enable the password file * restart the database That won't get you SYSDBA, but it will get you DBA, which is probably enough for any nefarious activities. On *nix it is a bit different of course. Anyone with root can simply su to oracle. I have been perusing Pete Finnigan's "Oracle Security Step-by-Step" but have not yet found information pertaining to this particular topic, other than revoking privs from the DBA account. That action is not applicable here, as the team of DBA's consists of me by myself. And TIA Mladen, but I already know how it works on unix, and that MS is the dark side of the force, but is unfortunately what I have to live with. Jared ---------------------------------------------------------------- Please see the official ORACLE-L FAQ: http://www.orafaq.com ---------------------------------------------------------------- To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx put 'unsubscribe' in the subject line. -- Archives are at //www.freelists.org/archives/oracle-l/ FAQ is at //www.freelists.org/help/fom-serve/cache/1.html -----------------------------------------------------------------