On 11/21/06, William B Ferguson <wbfergus@xxxxxxxx> wrote:

> Isn't the security (ID and password, groups or roles) of SQL Server tied into the OS, whether running as workgroup or under Active Directory, so if an OS id gets hacked (with database rights), the hacker can go straight into the database?
>
> Now this can be accomplished with Oracle as well, IF the DBA has allowed OPS$ logins or IF the id that gets hacked is part of the sysdba group. Am I right on this part? I don't know.

Just as with Oracle, a database account can be OS authenticated or password authenticated.

> The author also made a point in the article that his graphs only represent publicly reported and fixed flaws. Both companies aren't really known for being forthcoming, so it's left to the reader's imagination which company may be hiding more.

Another thing to consider: how many top-notch security folks are seeking out flaws in SQL Server? Oracle has Alex Kornbrust and David Litchfield constantly searching for security holes. Does SQL Server have an equivalent? Just because you can't see that hole in your yard on a moonless cloudy night does not mean it isn't there.

> The author also seems to make a big point about the Oracle results only reflecting the listener and the RDBMS and not Application Server or any other Oracle products, but he doesn't make the same qualifications about Microsoft and IIS, though he does say MDAC problems weren't included, since that's OS stuff.

I haven't yet read the article, so my comment is just on your comment: It's kind of hard to compare apples to oranges. The RDBMS itself is pretty clear-cut. You know what it is and what it does. Get outside the db and things change. By the same logic that would say that MDAC is part of the OS, SQLNet could also be considered outside the database. Never mind that apps written for SQLServer may not function without MDAC, and Oracle becomes rather limited without SQLNet.

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
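The thread's Oracle question, whether a compromised OS identity can walk into the database through OPS$ (externally authenticated) logins or through SYSDBA membership, is something a DBA can check directly. The following Oracle SQL is an added audit example, not code from the thread or from either poster. It assumes Oracle 11g or later (for DBA_USERS.AUTHENTICATION_TYPE) and a session that can read the DBA_ and V$ views; the role names in the last query are a constructed watch-list, not anything the thread mentions.

```sql
-- Added audit example (not from the thread): enumerate the Oracle accounts that
-- an OS identity could use without a database password, and the settings that
-- make such logins possible. Assumes Oracle 11g+ and SELECT on DBA_/V$ views.

-- 1. Externally (OS) authenticated accounts; these are the "OPS$" style logins.
--    Any OS user of that name on the server reaches the account with no password.
SELECT username, authentication_type, account_status, created
FROM   dba_users
WHERE  authentication_type = 'EXTERNAL'
ORDER  BY username;

-- 2. The switches behind those logins. os_authent_prefix defaults to 'OPS$'.
--    remote_os_authent (deprecated but still present) should be FALSE; when TRUE
--    a remote client's claimed OS user name is trusted without verification.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('os_authent_prefix', 'remote_os_authent');

-- 3. Accounts holding SYSDBA/SYSOPER via the password file. Membership in the
--    OS dba group (ORA_DBA on Windows), which also grants SYSDBA locally, is not
--    visible from SQL and has to be reviewed at the OS level.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 4. Externally authenticated accounts that also hold powerful roles: the
--    combination the thread is worried about. The role list is a constructed
--    watch-list; extend it to match local policy.
SELECT u.username, r.granted_role
FROM   dba_users u
JOIN   dba_role_privs r ON r.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
AND    r.granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
ORDER  BY u.username, r.granted_role;
```

Run the four queries from SQL*Plus as a DBA; an empty result from queries 1 and 4 together with remote_os_authent = FALSE means there is no password-less path from an OS account into the database, which is the mitigation the thread is circling around. Query 3 only covers the password file, so the OS group review still has to be done separately.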