Roles and Privileges

Always try to follow the principle of least privilege by granting only the minimum privileges required for a user to perform their job. Avoid the use of the default roles CONNECT and RESOURCE, as they tend to grant privileges that are not needed by most users. For example, the CONNECT role gives users the CREATE DATABASE LINK privilege, which is not needed by most users, but could be abused by an attacker. Instead, create your own roles. For users that simply need access to the database, grant only the CREATE SESSION privilege.

If you use Enterprise Manager to create accounts, be aware that it automatically grants the CONNECT role, even if you use the "create like" function with an account that doesn't have CONNECT. Be sure to revoke it.

Keep track of the privileges that have been granted to PUBLIC.

SQL> select table_name, owner from dba_tab_privs where grantee = 'PUBLIC';

Revoke unnecessary privileges from PUBLIC. In particular, revoke privileges that are easily abused, inluding UTL_SMTP, UTL_TCP, UTL_HTTP, UTL_FILE and DBMS_RANDOM. Create a special role for these privileges, and grant it only to users with a documented requirement.

Assign a password to highly privileged roles, like DBA.

SQL> alter role DBA identified by yxk3-mprt;

The BC Praetoriate Web site has some good advice for examining privileges.
Visit BC Praetoriate Web site