Re: Oracle vs. Microsoft security (David Litchfield)

On 11/21/06, William B Ferguson <wbfergus@xxxxxxxx> wrote:


Isn't the security (ID and password, groups or roles) of SQL Server tied
into the OS, whether running as workgroup or under Active Directory, so if
an OS id gets hacked (with database rights), the hacker can go straight into
the database?

Now this can be accomplished with Oracle as well, IF the DBA has allowed
OPS$ logins or IF the id that gets hacked is part of the sysdba group. Am I
right on this part? I don't know.


Just as with Oracle, a database account can be OS authenticated or password
authenticated.

The author also made a point in the article that his graphs only represent
publicly reported and fixed flaws. Both companies aren't really known for
being forthcoming, so it's left to the reader's imagination which company may
be hiding more.


Another thing to consider: how many top-notch security folks are seeking out
flaws in SQL Server?

Oracle has Alex Kornbrust and David Litchfield constantly searching for
security holes.
Does SQL Server have an equivalent?

Just because you can't see that hole in your yard on a moonless cloudy night
does not mean it isn't there.


The author also seems to make a big point about the Oracle results only
reflecting the listener and the RDBMS and not Application Server or any
other Oracle products, but he doesn't make the same qualifications about
Microsoft and IIS, though he does say MDAC problems weren't included, since
that's OS stuff.


I haven't yet read the article, so my comment is just on your comment:
It's kind of hard to compare apples to oranges.  The RDBMS itself is
pretty clearcut.  You know what it is and what it does.

Get outside the db and things change.  By the same logic that would say
that MDAC is part of the OS, SQLNet could also be considered outside the
database.

Never mind that apps written for SQLServer may not function without MDAC,
and Oracle becomes rather limited without SQLNet.


--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
