How to Lock SYS and SYSTEM Accounts in Oracle

oracleSecurity

In the interest of keeping the database as secure as possible, I'd like to lock the SYS and SYSTEM accounts so that no one can login with them.

Assuming that:

  1. There are no OS scripts/cron jobs logging in as SYS or SYSTEM
  2. There aren't any applications or outside utilities using either of these accounts
  3. I can always login "/ as sysdba" with the proper OS account

Will locking these two accounts have any adverse effects? Has anyone done this before who can comment on whether or not it's a good idea?

Best Answer

SYSTEM can be locked without any difficulties.

SYS is different though. You can't lock it, even if you can, you can't.

SQL> show user
USER is "SYS"
SQL> alter user sys account lock;

User altered.

SQL> select account_status from dba_users where username = 'SYS';

ACCOUNT_STATUS
--------------------------------
LOCKED

SQL> conn / as sysdba
Connected.
SQL> show user
USER is "SYS"

SQL> connect sys@ORCL as sysdba
Enter password:
Connected.

SQL> show user
USER is "SYS"
SQL> select account_status from dba_users where username = 'SYS';

ACCOUNT_STATUS
--------------------------------
LOCKED

You can disable remote SYS logins by setting remote_login_passwordfile to none, so only local logins are allowed. This will prevent using Data Guard though for example.

You can also prevent '/ as sysdba' by setting SQLNET.AUTHENTICATION_SERVICES=(none) in sqlnet.ora.

Finally, you can completely lock yourself out by combining the above with deleting the password file from $ORACLE_HOME/dbs. This way you will not be able to log in as SYSDBA or SYSOPER at all. But even still, SYS user will not be really locked, its just that you can not be authenticated. If you recreate the passwordfile, you will be able to get in again.

Related Question