Securing the Database Installation and Configuration

2 Securing the Database Installation and Configuration

You should secure the Oracle Database installation, the network it users, and database user accounts.

Topics:

About Securing the Database Installation and Configuration
After you install Oracle Database, you should secure the database installation and configuration.
Securing Access to the Oracle Database Installation
Oracle Database provides default security settings and initialization parameters to secure your installation.
Security for the Network
Oracle Database provides ways that to protect client connections and encrypt data that travels through the network between the client and the server.
Securing User Accounts
You can secure user accounts by creating secure passwords, changing default passwords, and using special parameters to further secure user accounts.

2.1 About Securing the Database Installation and Configuration

After you install Oracle Database, you should secure the database installation and configuration.

Oracle provides commonly used ways to do secure the database installation and configuration, all of which involve restricting permissions to specific areas of the database files.

Oracle Database is available on several operating systems. Consult the following guides for detailed platform-specific information about Oracle Database:

Oracle Database Platform Guide for Microsoft Windows
Oracle Database Administrator's Reference for Linux and UNIX-Based Operating Systems
Oracle Database Installation Guide for your platform

2.2 Securing Access to the Oracle Database Installation

Oracle Database provides default security settings and initialization parameters to secure your installation.

Topics:

Default Security Settings
When you create a new database, Oracle Database provides a set of default security settings.
Security for the Oracle Data Dictionary
The data dictionary is a set of database tables that provide information about the database, such as schema definitions or default values.
Initialization Parameters Used for Installation and Configuration Security
Oracle Database provides initialization parameters to control installation and configuration security.
Modifying the Value of an Initialization Parameter
You can use Enterprise Manager to modify the value of an initialization parameter.

2.2.1 Default Security Settings

When you create a new database, Oracle Database provides a set of default security settings.

These default security settings are as follows:

Enables default auditing settings. See Oracle Database Security Guide for detailed information.
Creates stronger enforcements for new or changed passwords. Requirements for Creating Passwords describes the new password requirements.
Removes the CREATE EXTERNAL JOB privilege from the PUBLIC role. For greater security, grant the CREATE EXTERNAL JOB privilege only to SYS, database administrators, and those trusted users who need it.

Sets security-related initialization and profile parameter settings. Table 2-1 lists the default parameter settings.

Table 2-1 Default Security Settings for Initialization and Profile Parameters

Setting	Default
`O7_DICTIONARY_ACCESSIBILITY`	`FALSE`
`PASSWORD_GRACE_TIME`	`7`
`PASSWORD_LOCK_TIME`	`1`
`FAILED_LOGIN_ATTEMPTS`	`10`
`PASSWORD_LIFE_TIME`	`180`
`PASSWORD_REUSE_MAX`	`UNLIMITED`
`PASSWORD_REUSE_TIME`	`UNLIMITED`
`REMOTE_OS_ROLES`	`FALSE`

2.2.2 Security for the Oracle Data Dictionary

The data dictionary is a set of database tables that provide information about the database, such as schema definitions or default values.

Topics:

About the Oracle Data Dictionary
The Oracle data dictionary contains information such as the names and privileges of Oracle Database users.
Enabling Data Dictionary Protection
Setting the O7_DICTIONARY_ACCESSIBILITY initialization parameter to FALSE protects the data dictionary.

2.2.2.1 About the Oracle Data Dictionary

The Oracle data dictionary contains information such as the names and privileges of Oracle Database users.

The data dictionary has the following contents:

The names of Oracle Database users
Privileges and roles granted to each user
The definitions of all schema objects in the database (tables, views, indexes, clusters, synonyms, sequences, procedures, functions, packages, triggers, and so on)
The amount of space allocated for, and is currently used by, the schema objects
Default values for columns
Integrity constraint information
Auditing information, such as who has accessed or updated various schema objects
Other general database information

The data dictionary tables and views for a given database are stored in the SYSTEM tablespace for that database. All the data dictionary tables and views for a given database are owned by the user SYS. Connecting to the database with the SYSDBA administrative privilege gives full access to the data dictionary. Oracle strongly recommends limiting access to the SYSDBA administrative privilege to only those operations necessary such as patching and other administrative operations. The data dictionary is central to every Oracle database.

You can view the contents of the data dictionary by querying data dictionary views, which are described in Oracle Database Reference. Be aware that not all objects in the data dictionary are exposed to users. A subset of data dictionary objects, such as those beginning with USER_ are exposed as read only to all database users.

Example 2-1 shows how you can find a list of database views specific to the data dictionary by querying the DICTIONARY view.

Example 2-1 Finding Views That Pertain to the Data Dictionary

sqlplus system
Enter password: password

SQL> SELECT TABLE_NAME FROM DICTIONARY;

2.2.2.2 Enabling Data Dictionary Protection

Setting the O7_DICTIONARY_ACCESSIBILITY initialization parameter to FALSE protects the data dictionary.

The O7_DICTIONARY_ACCESSIBILITY parameter prevents users who have the ANY system privilege from using those privileges on the data dictionary, that is, on objects in the SYS schema.

Oracle Database provides highly granular privileges. One such privilege, commonly referred to as the ANY privilege, should typically be granted to only application owners and individual database administrators. For example, you could grant the DROP ANY TABLE privilege to an application owner. You can protect the Oracle data dictionary from accidental or malicious use of the ANY privilege by turning on or off the O7_DICTIONARY_ACCESSIBILITY initialization parameter.

To enable data dictionary protection:

Access the Database home page.

See Oracle Database 2 Day DBA for more information.
From the Administration menu, select Initialization Parameters.

If the Database Login page appears, then log in as SYS with the SYSDBA role selected.
In the Initialization Parameters page, from the list, search for O7_DICTIONARY_ACCESSIBILITY.

In the Name field, enter O7_ (the letter O), and then click Go. You can enter the first few characters of a parameter name. In this case, O7_ displays the O7_DICTIONARY_ACCESSIBILTY parameter.
Set the value for O7_DICTIONARY_ACCESSIBILTY to FALSE.
Click Apply.

Restart the Oracle Database instance.

sqlplus sys as sysdba
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP

Note:

In a default installation, the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE.
The SELECT ANY DICTIONARY privilege is not included in the GRANT ALL PRIVILEGES statement, but you can grant it through a role. Roles are described in When to Grant Roles to Users and Oracle Database Security Guide.

2.2.3 Initialization Parameters Used for Installation and Configuration Security

Oracle Database provides initialization parameters to control installation and configuration security.

Table 2-2 lists these initialization parameters.

Table 2-2 Initialization Parameters Used for Installation and Configuration Security

Initialization Parameter Default Description

Initialization Parameter	Default	Description
`SEC_RETURN_SERVER_RELEASE_BANNER`	`FALSE`	Controls the display of the product version information, such as the release number, in a client connection. An intruder could use the database release number to find information about security vulnerabilities that may be present in the database software. You can enable or disable the detailed product version display by setting this parameter. See Oracle Database Security Guide for more information about this and similar parameters. Oracle Database Reference describes this parameter in detail.
`O7_DICTIONARY_ACCESSIBILITY`	`FALSE`	Controls restrictions on `SYSTEM` privileges. See Enabling Data Dictionary Protection for more information about this parameter. Oracle Database Reference describes this parameter in detail.

SEC_RETURN_SERVER_RELEASE_BANNER

FALSE

Controls the display of the product version information, such as the release number, in a client connection. An intruder could use the database release number to find information about security vulnerabilities that may be present in the database software. You can enable or disable the detailed product version display by setting this parameter.

See Oracle Database Security Guide for more information about this and similar parameters. Oracle Database Reference describes this parameter in detail.

O7_DICTIONARY_ACCESSIBILITY

FALSE

Controls restrictions on SYSTEM privileges. See Enabling Data Dictionary Protection for more information about this parameter. Oracle Database Reference describes this parameter in detail.

2.2.4 Modifying the Value of an Initialization Parameter

You can use Enterprise Manager to modify the value of an initialization parameter.

To modify the value of an initialization parameter:

Access the Database home page.

See Oracle Database 2 Day DBA for more information.
From the Administration menu, select Initialization Parameters.

If the Database Login page appears, then log in as SYS with the SYSDBA role selected.
In the Initialization Parameters page, in the Name field, enter the name of the parameter to change, and then click Go.

You can enter the first few letters of the parameter, for example, SEC_RETURN if you are searching for the SEC_RETURN_SERVER_RELEASE_NUMBER parameter. Alternatively, you can scroll down the list of parameters to find the parameter you want to change. The text is not case sensitive.
In the Value field, either enter the new value or if a list is presented, select from the list.
Click Apply.
If the parameter is static, then restart the Oracle Database instance.
```
sqlplus sys as sysdba
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP 
```
To find out if an initialization parameter is static, check its description in Oracle Database Reference. If the Modifiable setting in its summary table shows No, then you must restart the database instance.

2.3 Security for the Network

Oracle Database provides ways that to protect client connections and encrypt data that travels through the network between the client and the server.

Topics:

About Securing the Network
When you encrypt data as it travels through the network, you should follow guidelines to secure the network connections for Oracle Database.
Protecting Data on the Network by Using Network Encryption
In addition to protecting information by encrypting it at the database level, you must protect it as it travels across the network.
Initialization Parameters Used for Network Security
Oracle Database provides initialization parameters to configure network security.

2.3.1 About Securing the Network

When you encrypt data as it travels through the network, you should follow guidelines to secure the network connections for Oracle Database.

You can configure the client connection to your Oracle Database installation by following the procedures to configure the network environment in Oracle Database 2 Day DBA and the Oracle Database Installation Guide for your platform.

Related Topics

2.3.2 Protecting Data on the Network by Using Network Encryption

In addition to protecting information by encrypting it at the database level, you must protect it as it travels across the network.

Topics:

About Network Encryption
Network encryption refers to encrypting data as it travels across the network between the client and server.
Configuring Network Encryption
You can configure network encryption by using either Oracle Net Manager or by editing the sqlnet.ora file.

2.3.2.1 About Network Encryption

Network encryption refers to encrypting data as it travels across the network between the client and server.

The reason that you should encrypt data at the network level, and not just the database level, is because data can be exposed on the network level. For example, an intruder can use a network packet sniffer to capture information as it travels on the network, and then spool it to a file for malicious use. Encrypting data on the network prevents this sort of activity.

To encrypt data on the network, you must have the following components:

An encryption seed. The encryption seed is a random string of up to 256 characters. It generates the cryptographic keys that encrypts data as it travels across the network.
An encryption algorithm. You can specify any of the supported algorithm types: AES, RC4, DES, or 3DES.
Whether the settings apply to a client or server. You must configure the server and each client to which it connects.
How the client or server should processes the encrypted data. The settings you select (you have four options) must complement both server and client.
A mechanism for configuring the encryption. You can use Oracle Net Manager to configure the encryption. Alternatively, you can edit the sqlnet.ora configuration file. Both Oracle Net Manager and the sqlnet.ora file are available in a default Oracle Database installation.

2.3.2.2 Configuring Network Encryption

You can configure network encryption by using either Oracle Net Manager or by editing the sqlnet.ora file.

To configure network encryption:

On the server computer, start Oracle Net Manager.
- UNIX: From $ORACLE_HOME/bin, enter the following at the command line:
```
netmgr
```
- Windows: From the Start menu, click All Programs. Then, click Oracle - HOME_NAME, Configuration and Migration Tools, and then Net Manager
From the Oracle Net Configuration navigation tree, expand Local, and then select Profile.

Description of the illustration netmgr_profile.gif
From the list, select Network Security.

Description of the illustration netmgr_adv_sec.gif
Under Network Security, select the Encryption tab.

The Encryption settings pane appears.

Description of the illustration netmgr_encrypt.gif
Enter the following settings:
- Encryption: From the list, select SERVER to configure the network encryption for the server. (For the client computer, you select CLIENT.)
- Encryption Type: Select from the following values to specify the actions of the server (or client) when negotiating encryption and integrity:
  - accepted: Service will be active if the other side of the connection specifies either required or requested, and there is a compatible algorithm available on the receiving database; it will otherwise be inactive.
  - rejected: Service must not be active, and the connection will fail if the other side requires any of the methods in this list.
  - requested: Service will be active if the other side of the connection specifies either accepted, required, or requested, and there is a compatible algorithm available on the other side. Otherwise, the service is inactive.
  - required: Service must be active, and the connection will fail if the other side specifies rejected, or if there is no compatible algorithm on the other side.
- Encryption Seed: Enter a random string of up to 256 characters. Oracle Database uses the encryption seed to generate cryptographic keys. This is required when either encryption or integrity is enabled.
  
  If you choose to use special characters such as a comma [,] or a right parenthesis [)] as a part of the Encryption Seed parameter, enclose the value within single quotation marks.
- Available Methods: Select one or more of the following algorithms, and use the move button (>) to move them to the Selected Methods list. The order in which they appear in the Selected Methods list determines the preferred order for negotiation. That is, the first algorithm listed is selected first, and so on.
  - AES256: Advanced Encryption Standard (AES). AES was approved by the National Institute of Standards and Technology (NIST) to replace Data Encryption Standard (DES). AES256 enables you to encrypt a block size of 256 bits.
  - RC4_256: Rivest Cipher 4 (RC4), which is the most commonly used stream cipher that protects protocols such as Secure Sockets Layer (SSL). RC4_256 enables you to encrypt up to 256 bits of data.
  - AES192: Enables you to use AES to encrypt a block size of 192 bits.
  - 3DES168: Triple Data Encryption Standard (TDES) with a three-key option. 3DES168 enables you to encrypt up to 168 bits of data.
  - AES128: Enables you to use AES to encrypt a block size of 128 bits.
  - RC4_128: Enables you to use RC4 to encrypt up to 128 bits of data.
  - 3DES112: Enables you to use Triple DES with a two-key (112 bit) option.
  - DES: Data Encryption Standard (DES) 56-bit key. Note that National Institute of Standards and Technology (NIST) no longer recommends DES.
  - RC4_40: Enables you to use RC4 to encrypt up to 40 bits of data. (Not recommended.)
  - DES40: Enables you to use DES to encrypt up to 40 bits of data. (Not recommended.)
From the File menu, select Save Network Configuration, and then select Exit to exit Oracle Net Manager.
Repeat these steps for each client computer that connects to the server.

2.3.3 Initialization Parameters Used for Network Security

Oracle Database provides initialization parameters to configure network security.

Table 2-3 lists initialization parameters that you can set to better secure user accounts.

Table 2-3 Initialization Parameters Used for Network Security

Initialization Parameter	Default	Description
`OS_AUTHENT_PREFIX`	`OPS$`	Specifies a prefix that Oracle Database uses to identify users attempting to connect to the database. Oracle Database concatenates the value of this parameter to the beginning of the user operating system account name and password. When a user attempts a connection request, Oracle Database compares the prefixed username with user names in the database.
`REMOTE_LISTENER`	No default setting	Specifies a network name that resolves to an address or address list of Oracle Net remote listeners (that is, listeners that are not running on the same computer as this instance). The address or address list is specified in the `tnsnames.ora` file or other address repository as configured for your system.
`REMOTE_OS_AUTHENT`	`FALSE`	Specifies whether remote clients will be authenticated with the value of the `OS_AUTHENT_PREFIX` parameter.
`REMOTE_OS_ROLES`	`FALSE`	Specifies whether operating system roles are allowed for remote clients. The default value, `FALSE`, causes Oracle Database to identify and manage roles for remote clients.
`SEC_PROTOCOL_ERROR_TRACE_ACTION`	`TRACE`	Specifies the action that the database should take when bad packets are received from a possibly malicious client.
`SEC_PROTOCOL_ERROR_FURTHER_ACTION`	`DROP,3`	Specifies the action that the database should take when bad packets are received from a possibly malicious client.

To modify an initialization parameter, see Modifying the Value of an Initialization Parameter. For detailed information about initialization parameters, see Oracle Database Reference.

2.4 Securing User Accounts

You can secure user accounts by creating secure passwords, changing default passwords, and using special parameters to further secure user accounts.

Topics:

About Securing Oracle Database User Accounts
You can use many methods to secure both common and local database user accounts.
Predefined User Accounts Provided by Oracle Database
The Oracle Database installation process creates predefined administrative, non-administrative, and sample schema user accounts in the database.
Expiring and Locking Database Accounts
When you expire the password of a user, that password no longer exists.
Requirements for Creating Passwords
Oracle provides password-creation requirements that help you create more secure passwords.
Finding and Changing Default Passwords
You can find and change default passwords that may have come from earlier releases of Oracle Database.
Parameters Used to Secure User Accounts
Oracle Database provides parameters to secure user accounts, such as setting the maximum failed login attempts.

2.4.1 About Securing Oracle Database User Accounts

You can use many methods to secure both common and local database user accounts.

For example, Oracle Database has a set of built-in protections for passwords. You can safeguard default database accounts and passwords, and use various ways to manage database accounts.

Oracle Database 2 Day DBA describes the fundamentals of creating and administering user accounts, including how to manage user roles, what the administrative accounts are, and how to use profiles to establish a password policy.

After you create user accounts, you can use the procedures in this section to further secure these accounts by following these methods:

Safeguarding predefined database accounts. When you install Oracle Database, it creates a set of predefined accounts. You should secure these accounts as soon as possible by changing their passwords. You can use the same method to change all passwords, whether they are with regular user accounts, administrative accounts, or predefined accounts. This guide also provides guidelines on how to create the most secure passwords.
Managing database accounts. You can expire and lock database accounts.
Managing passwords. You can manage and protect passwords by setting initialization parameters. Oracle Database Reference describes the initialization parameters in detail.

2.4.2 Predefined User Accounts Provided by Oracle Database

The Oracle Database installation process creates predefined administrative, non-administrative, and sample schema user accounts in the database.

Topics:

Predefined Administrative Accounts
A default Oracle Database installation provides predefined administrative accounts to manage commonly used features, such as auditing.
Predefined Non-Administrative User Accounts
A default Oracle Database installation provides non-administrative user accounts to manage features such as Oracle Spatial.
Predefined Sample Schema User Accounts
Oracle Database creates a set of sample user accounts if you install the sample schemas.

2.4.2.1 Predefined Administrative Accounts

A default Oracle Database installation provides predefined administrative accounts to manage commonly used features, such as auditing.

These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either SYSTEM or SYSAUX. In a multitenant environment, the predefined administrative accounts reside in the root database.

To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted in Table 2-4. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in Expiring and Locking Database Accounts.

Table 2-4 lists the predefined administrative user accounts, which Oracle Database automatically creates when you run standard scripts (such as the various cat*.sql scripts). You can find user accounts that are created and maintained by Oracle by querying the USERNAME and ORACLE_MAINTAINED columns of the ALL_USERS data dictionary view. If the output for ORACLE_MAINTAINED is Y, then you must not modify the user account except by running the script that was used to create it.

Table 2-4 Predefined Oracle Database Administrative User Accounts

User Account	Description	Status After Installation
`ANONYMOUS`	An account that allows HTTP access to Oracle XML DB. It is used in place of the `APEX_PUBLIC_USER` account when the Embedded PL/SQL Gateway (EPG) is installed in the database. EPG is a Web server that can be used with Oracle Database. It provides the necessary infrastructure to create dynamic applications.	Expired and locked
`AUDSYS`	The internal account used by the unified audit feature to store unified audit trail records. See Oracle Database Security Guide.	Expired and locked
`CTXSYS`	The account used to administer Oracle Text. Oracle Text enables you to build text query applications and document classification applications. It provides indexing, word and theme searching, and viewing capabilities for text. See Oracle Text Application Developer's Guide.	Expired and locked
`DBSNMP`	The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database. See Enterprise Manager Cloud Control Administrator's Guide.	Open Password is created at installation or database creation time.
`LBACSYS`	The account used to administer Oracle Label Security (OLS). It is created only when you install the Label Security custom option. See Enforcing Row-Level Security with Oracle Label Security, and Oracle Label Security Administrator’s Guide.	Expired and locked
`MDSYS`	The Oracle Spatial and Oracle Multimedia Locator administrator account. See Oracle Spatial and Graph Developer's Guide.	Expired and locked
`OLAPSYS`	The account that owns the OLAP Catalog (CWMLite). This account has been deprecated, but is retained for backward compatibility.	Expired and locked
`ORDDATA`	This account contains the Oracle Multimedia DICOM data model. See Oracle Multimedia DICOM Developer's Guide for more information.	Expired and locked
`ORDPLUGINS`	The Oracle Multimedia user. Plug-ins supplied by Oracle and third-party, format plug-ins are installed in this schema. Oracle Multimedia enables Oracle Database to store, manage, and retrieve images, audio, video, DICOM format medical images and other objects, or other heterogeneous media data integrated with other enterprise information. See Oracle Multimedia User's Guide.	Expired and locked
`ORDSYS`	The Oracle Multimedia administrator account. See Oracle Multimedia User's Guide.	Expired and locked
`SI_INFORMTN_SCHEMA`	The account that stores the information views for the SQL/MM Still Image Standard. See Oracle Multimedia User's Guide. Note: The `SI_INFORMTN_SCHEMA` account is deprecated in Oracle Database 12c release 2 (12.2).	Expired and locked
`SYS`	An account used to perform database administration tasks. See Oracle Database 2 Day DBA.	Open Password is created at installation or database creation time.
`SYSBACKUP`	The account used to perform Oracle Recovery Manager recovery and backup operations. See Oracle Database Backup and Recovery User’s Guide.	Expired and locked
`SYSDG`	The account used to perform Oracle Data Guard operations. See Oracle Data Guard Concepts and Administration.	Expired and locked
`SYSKM`	The account used to manage Transparent Data Encryption. See Oracle Database Advanced Security Guide.	Expired and locked
`SYSRAC`	The account used to manage Oracle Real Application Clusters. See Oracle Real Application Clusters Administration and Deployment Guide.	Expired and locked
`SYSTEM`	A default generic database administrator account for Oracle databases. For production systems, Oracle recommends creating individual database administrator accounts and not using the generic `SYSTEM` account for database administration operations. See Oracle Database 2 Day DBA.	Open Password is created at installation or database creation time.
`WMSYS`	The account used to store the metadata information for Oracle Workspace Manager. See Oracle Database Workspace Manager Developer's Guide.	Expired and locked
`XDB`	The account used for storing Oracle XML DB data and metadata. For better security, never unlock the `XDB` user account. Oracle XML DB provides high-performance XML storage and retrieval for Oracle Database data. See Oracle XML DB Developer’s Guide.	Expired and locked

Note:

If you create an Oracle Automatic Storage Management (Oracle ASM) instance, then the ASMSNMP account is created. Oracle Enterprise Manager uses this account to monitor ASM instances to retrieve data from ASM-related data dictionary views. The ASMSNMP account status is set to OPEN upon creation, and it is granted the SYSDBA administrative privilege. For more information, see Oracle Automatic Storage Management Administrator's Guide.

2.4.2.2 Predefined Non-Administrative User Accounts

A default Oracle Database installation provides non-administrative user accounts to manage features such as Oracle Spatial.

Table 2-5 lists the predefined non-administrative user accounts that Oracle Database automatically creates when you run standard scripts (such as the various cat*.sql scripts). You can find user accounts that are created and maintained by Oracle by querying the USERNAME and ORACLE_MAINTAINED columns of the ALL_USERS data dictionary view. If the output for ORACLE_MAINTAINED is Y, then you must not modify the user account except by running the script that was used to create it.

Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS. In a multitenant environment, the predefined non-administrative accounts reside in the root database

To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation, except where noted in Table 2-5. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in Expiring and Locking Database Accounts.

Table 2-5 Predefined Oracle Database Non-Administrative User Accounts

User Account	Description	Status After Installation
`DIP`	The Oracle Directory Integration and Provisioning (DIP) account that is installed with Oracle Label Security. This profile is created automatically as part of the installation process for Oracle Internet Directory-enabled Oracle Label Security. See Oracle Label Security Administrator’s Guide.	Expired and locked
`MDDATA`	The schema used by Oracle Spatial for storing Geocoder and router data. Oracle Spatial provides a SQL schema and functions that enable you to store, retrieve, update, and query collections of spatial features in an Oracle database. See Oracle Spatial and Graph Developer's Guide.	Expired and locked
`ORACLE_OCM`	The account used with Oracle Configuration Manager. This feature enables you to associate the configuration information for the current Oracle Database instance with My Oracle Support. Then when you log a service request, it is associated with the database instance configuration information. See Oracle Database Installation Guide for your platform.	Expired and locked
`SPATIAL_CSW_ADMIN_USR`	The Catalog Services for the Web (CSW) account. It is used by Oracle Spatial CSW Cache Manager to load all record-type metadata and record instances from the database into the main memory for the record types that are cached. See Oracle Spatial and Graph Developer's Guide.	Expired and locked
`SPATIAL_WFS_ADMIN_USR`	The Web Feature Service (WFS) account. It is used by Oracle Spatial WFS Cache Manager to load all feature type metadata and feature instances from the database into main memory for the feature types that are cached. See Oracle Spatial and Graph Developer's Guide.	Expired and locked
`XS$NULL`	An internal account that represents the absence of database user in a session and the actual session user is an application user supported by Oracle Real Application Security. `XS$NULL` has no privileges and does not own any database object. No one can authenticate as `XS$NULL`, nor can authentication credentials ever be assigned to `XS$NULL`.	Expired and locked

2.4.2.3 Predefined Sample Schema User Accounts

Oracle Database creates a set of sample user accounts if you install the sample schemas.

The sample schema user accounts are all non-administrative accounts, and their tablespace is USERS.

To protect these accounts from unauthorized access, the installation process locks and expires these accounts immediately after installation. As the database administrator, you are responsible for unlocking and resetting these accounts, as described in Expiring and Locking Database Accounts. For more information about the sample schema accounts, see Oracle Database Sample Schemas.

Table 2-6 lists the sample schema user accounts, which represent different divisions of a fictional company that manufactures various products. You can find the status of these accounts by querying the DBA_USERS data dictionary view. Because the ORACLE_MAINTAINED column output for these accounts is N, you can modify these accounts without re-running the scripts that were used to create them.

Table 2-6 Default Sample Schema User Accounts

User Account	Description	Status After Installation
`HR`	The account used to manage the `HR` (Human Resources) schema. This schema stores information about the employees and the facilities of the company.	Expired and locked
`OE`	The account used to manage the `OE` (Order Entry) schema. This schema stores product inventories and sales of the company's products through various channels.	Expired and locked
`PM`	The account used to manage the `PM` (Product Media) schema. This schema contains descriptions and detailed information about each product sold by the company.	Expired and locked
`IX`	The account used to manage the `IX` (Information Exchange) schema. This schema manages shipping through business-to-business (B2B) applications.	Expired and locked
`SH`	The account used to manage the `SH` (Sales) schema. This schema stores business statistics to facilitate business decisions.	Expired and locked

In addition to the sample schema accounts, Oracle Database provides another sample schema account, SCOTT. The SCOTT schema contains the tables EMP, DEPT, SALGRADE, and BONUS. The SCOTT account is used in examples throughout the Oracle Database documentation set. When you install Oracle Database, the SCOTT account is locked and expired.

2.4.3 Expiring and Locking Database Accounts

When you expire the password of a user, that password no longer exists.

Locking an account preserves the user password and other account information, but makes the account unavailable to anyone who tries to log in to the database using that account. Unlocking it makes the account available again.

Oracle Database 2 Day DBA explains how you can use Enterprise Manager to unlock database accounts. You also can use Enterprise Manager to expire or lock database accounts.

To expire and lock a database account:

Access the Database home page.

See Oracle Database 2 Day DBA for more information.
From the Administration menu, select Security, then Users.

If the Database Login page appears, then log in as an administrative user, such as SYSTEM.

The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.
In the Select column, select the account you want to expire, and then click Edit.
In the Edit User page, do one of the following:
- To expire a password, click Expire Password now.
  
  To unexpire the password, enter a new password in the Enter Password and Confirm Password fields. See Requirements for Creating Passwords for password requirements.
- To lock the account, select Locked.
Click Apply.

2.4.4 Requirements for Creating Passwords

Oracle provides password-creation requirements that help you create more secure passwords.

When you create a user account, Oracle Database assigns a default password policy for that user. The password policy defines rules for how the password should be created, such as a minimum number of characters, when it expires, and so on. You can strengthen passwords by using password policies.

For greater security, follow these guidelines when you create passwords:

Make the password between 12 and 30 characters and numbers.
Use mixed case letters and special characters in the password. (See Oracle Database Security Guide for more information.)
Use the database character set for the password characters, which can include the underscore (_), dollar ($), and number sign (#) characters.
Do not use an actual word for the entire password.

Oracle Database Security Guide describes more ways that you can further secure passwords.

2.4.5 Finding and Changing Default Passwords

You can find and change default passwords that may have come from earlier releases of Oracle Database.

Topics:

About Finding and Changing Default Passwords
After installation, the default database user accounts, including administrative accounts, are created without default passwords.
Finding and Changing Default Passwords from SQL*Plus
You can use SQL*Plus to find and change default passwords.
Finding and Changing Default Passwords from Enterprise Manager
You can use Enterprise Manager to change a user account passwords if you have administrative privileges.

2.4.5.1 About Finding and Changing Default Passwords

After installation, the default database user accounts, including administrative accounts, are created without default passwords.

Except for the administrative accounts whose passwords you create during installation (such as user SYS), the default user accounts arrive locked with their passwords expired. If you have upgraded from a previous release of Oracle Database, you may have database accounts that still have default passwords. These are default accounts that are created when you create a database, such as the HR, OE, and SCOTT accounts.

Security is most easily compromised when a default database user account still has a default password after installation. This is particularly true for the user account SCOTT, which is a well known account that may be vulnerable to intruders. Find accounts that use default passwords and then change their passwords.

2.4.5.2 Finding and Changing Default Passwords from SQL*Plus

You can use SQL*Plus to find and change default passwords.

To find and change default passwords:

Log into the database instance with administrative privileges.
```
sqlplus system
Enter password: password
```
Select from the DBA_USERS_WITH_DEFPWD data dictionary view.
```
SELECT * FROM DBA_USERS_WITH_DEFPWD;
```
The DBA_USERS_WITH_DEFPWD lists the accounts that still have user default passwords. For example:
```
USERNAME
------------
SCOTT
```
Change the password for the accounts the DBA_USERS_WITH_DEFPWD data dictionary view lists.

For example, to change the password for user SCOTT, enter the following:
```
PASSWORD SCOTT
Changing password for SCOTT
New password: password
Retype new password: password
Password changed
```
Replace password with a password that is secure, according to the guidelines listed in Requirements for Creating Passwords. For greater security, do not reuse the same password that was used in previous releases of Oracle Database.

Alternatively, you can use the ALTER USER SQL statement to change the password:
```
ALTER USER SCOTT IDENTIFIED BY password;
```

2.4.5.3 Finding and Changing Default Passwords from Enterprise Manager

You can use Enterprise Manager to change a user account passwords if you have administrative privileges.

To use Enterprise Manager to change the password of a database account:

Individual users can also use Enterprise Manager to change their own passwords.

Access the Database home page.

See Oracle Database 2 Day DBA for more information.
From the Administration menu, select Security, then Users.

If the Database Login page appears, then log in as an administrative user, such as SYS. User SYS must log in with the SYSDBA role selected.

The Users page lists the user accounts created for the current database instance. The Account Status column indicates whether an account is expired, locked, or open.
In the Select column, select the account you want to change, and then click Edit.
In the Edit User page, enter a new password in the Enter Password and Confirm Password fields.
Click Apply.

2.4.6 Parameters Used to Secure User Accounts

Oracle Database provides parameters to secure user accounts, such as setting the maximum failed login attempts.

Table 2-7 lists initialization and profile parameters that you can set to better secure user accounts.

Table 2-7 Initialization and Profile Parameters Used for User Account Security

Parameter	Default	Description
`SEC_CASE_SENSITIVE_LOGON`	`TRUE`	Controls case sensitivity in passwords. `TRUE` enables case sensitivity; `FALSE` disables it.
`SEC_MAX_FAILED_LOGIN_ATTEMPTS`	`3`	Sets the maximum number of times user authentication is allowed before an Oracle Call Interface (OCI) connection is closed.
`FAILED_LOGIN_ATTEMPTS`	`10`	Sets the maximum times a user login is allowed to fail before locking the account. Note: You also can set limits on the number of times an unauthorized user (possibly an intruder) attempts to log in to Oracle Call Interface applications by using the `SEC_MAX_FAILED_LOGIN_ATTEMPTS` initialization parameter.
`INACTIVE_ACCOUNT_TIME`	`35`	Locks the account of a database user who has not logged in to the database instance in a specified number of days.
`PASSWORD_GRACE_TIME`	No default setting	Sets the number of days that a user has to change his or her password before it expires.
`PASSWORD_LIFE_TIME`	No default setting	Sets the number of days the user can use his or her current password.
`PASSWORD_LOCK_TIME`	No default setting	Sets the number of days an account will be locked after the specified number of consecutive failed login attempts.
`PASSWORD_REUSE_MAX`	No default setting	Specifies the number of password changes required before the current password can be reused.
`PASSWORD_REUSE_TIME`	No default setting	Specifies the number of days before which a password cannot be reused.

Note:

You can use most of these parameters to create a user profile. See Oracle Database Security Guide for more information about user profile settings.

To modify an initialization parameter, see Modifying the Value of an Initialization Parameter. For detailed information about initialization parameters, see Oracle Database Reference.