Oracle's security problems are often not database related. A default 9.2 install will install an HTTP listener and an FTP service. Both of these are prime targets for attackers and both have had exploits written against them. These problems were addressed in a patchset, but it is quite possible different holes will be found in them.

Oracle's desire to be much more than a database, to make things easier to accomplish, means the DBA has to understand much more than the database.

Oracle's willingness to allow potential customers to download the product and take it for a test spin is great. Suppose, however, someone installs Oracle on his desktop. The installation will not be maintained, it will not be patched. The possibility for compromise is significant. The person who only wanted to learn Oracle discovers someone has taken over his machine.

Ian MacGregor
Stanford Linear Accelerator Center
ian@xxxxxxxxxxxxxxxxx

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jared Still
Sent: Tuesday, April 12, 2005 8:01 AM
To: niall.litchfield@xxxxxxxxx
Cc: stephenbooth.uk@xxxxxxxxx; wisernet100@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: Security audit of Oracle databases

On 4/12/05, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote:
>
> On Windows of course you can always run any executable under different
> credentials, if you are an administrator, but then to be blunt it makes
> sense for DBAs to be admins on Windows boxes anyway.
>

I would modify that to state that a DBA on a Windows box
must have admin access to do that job.

If not given initially, the SAs will tire of the DBA pestering
them and grant it anyway. :)

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
//www.freelists.org/webpage/oracle-l