4

Ok I know this is a stupid question but our one and only DBA get into a mess with our manager and rage quit today.

As a small company, I (IT support guy who knows nothing about DB) was told to change "password" to protect the database from sabotage.

We have this remote PC as a server with Allround PL/SQL developer on it and not much software else.

The question is : I just changed the login password of the server, is our database now safe from unwanted access? Should I change the password of the database user as well? (I googled how to do it, but it seems to involve some command line operation which I rather not perform is it is unneccesary)

Peterjohn David
  • 41
  • 1
  • 6
    I would change any password that your ex-DBA would have known. Whether it's difficult to do or not. It'll be a lot easier to change the passwords then it will be to recover from sabotage. It'd only take him a few seconds to log in to the db through whatever client he wants and run `DROP SCHEMA ;` –  Apr 13 '17 at 13:24
  • 1
    Have you checked that there is only one user account on the server? If there are multiple and you have only changed the password on one account then you are still vulnerable. –  Apr 13 '17 at 13:53
  • @JNevill Thanks for the advice. Generally what are the passwords that needs to be change to avoid this situation (sorry again for the newbie question)? "Right now all I has is the oracle sessions login password is that enough? –  Apr 13 '17 at 14:25
  • Whenever you think that you need to change a password you do. – AstroDan Apr 13 '17 at 15:17

2 Answers2

2

Do you have to change the password?

To access the database with its old credentials the DBA has to be able to reach the db server. If this is only possible from the local network and he does not have access to something like a VPN it is unlikely that he will be able to do any damage. It may very well be that the login you changed prevented him from logging in remotely.

Should you change the password

Totally yes! It shouldn't be that big of a deal and you will regret not doing it when something worse happens. In fact, think to what other accounts the DBA could know the password and change these as well.

Martin
  • 535
  • 3
  • 11
1

Your DB is probably accessible from the entire internal network. Changing only password for that one machine will not stop anyone with a laptop (don't need to be Domain Joined) and Oracle Client installed on it to connect to your database if he/she knows the password.

Question is, do you know SYS password for the database or not?

If you do know the SYS password, you need to connect to the database as SYSDBA and change it. Also, you will need to change any user schema passwords your ex DBA knew and that probably means all of them. If you have PL/SQL Developer, you could probably use it to do it with an interface without the need to use command line. I'm not that familiar with it but this might help. Take a look at screenshot in one of the answers.

If you don't know the SYS password you will need admin access to the machine where your DB is hosted and change orapwd file. This and this might help. You will need to use command line tools here but once you manage to reset the password you will be able to connect as sys remotely with PL/SQL Developer and change the rest of the passwords in an UI.

Community
  • 1
Marko Vodopija
  • 1,062
  • 1
  • 8
  • 19
  • Things gone really wrong I need help. After I change the sys and the main user password through ALTER USER command. I'm not able to log in to oracle!!!! The first time (after changing the password) the login is fine, but after that I'm not able to log in again!!!! And I'm not able to login the website (which the database is used for). – Peterjohn David – Peterjohn David Apr 15 '17 at 03:58
  • 1
    You will need to find configuration for the website and update the password there to reflect the new password. After you changed passwords, you cant connect with either of the users? This really is strange to me. Are you sure you are trying to connect with the new password. Also, try to connect with sys directly from host. Oracle user (if it is on linux) should be able to connect without sys password. – Marko Vodopija Apr 15 '17 at 07:30