
Re: Oracle vs. Microsoft security (David Litchfield)

From: Jared Still <>
Date: Tue, 21 Nov 2006 07:22:40 -0800
Message-ID: <>

On 11/21/06, William B Ferguson <> wrote:
> Isn't the security (ID and password, groups or roles) of SQL Server tied
> into the OS, whether running as workgroup or under Active Directory, so if
> an OS id gets hacked (with database rights), the hacker can go straight into
> the database?

> Now this can be accomplished with Oracle as well, IF the DBA has allowed
> OPS$ logins or IF the id that gets hacked is part of the sysdba group. Am I
> right on this part? I don't know.

Just as with Oracle, a database account can be OS authenticated or password authenticated.

> The author also made a point in the article that his graphs only represent
> publicly reported and fixed flaws. Both companies aren't really known for
> being forthcoming, so it's left to the reader's imagination which company may
> be hiding more.

Another thing to consider: how many top-notch security folks are seeking out flaws in SQL Server?

Oracle has Alex Kornbrust and David Litchfield constantly searching for security holes.
Does SQL Server have an equivalent?

Just because you can't see that hole in your yard on a moonless cloudy night does not mean it isn't there.

> The author also seems to make a big point about the Oracle results only
> reflecting the listener and the RDBMS and not Application Server or any
> other Oracle products, but he doesn't make the same qualifications about
> Microsoft and IIS, though he does say MDAC problems weren't included, since
> that's OS stuff.

I haven't yet read the article, so my comment is just on your comment: it's kind of hard to compare apples to oranges. The RDBMS itself is pretty clear-cut. You know what it is and what it does.

Get outside the db and things change. By the same logic that would say that MDAC is part of the OS, SQLNet could also be considered outside the database.

Never mind that apps written for SQLServer may not function without MDAC, and Oracle becomes rather limited without SQLNet.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
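The OPS$ and sysdba-group point made above is something a DBA can check rather than guess at. The following audit queries are an added example, not part of the thread; they assume an Oracle 10g/11g-era data dictionary and a session with SELECT on DBA_USERS, DBA_ROLE_PRIVS and V$PARAMETER.

```sql
-- Added example: find Oracle accounts that open on OS identity alone.

-- 1. The prefix that maps an OS user name to a database account
--    (default OPS$) and whether non-local OS logins are trusted too.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Accounts with no database password: the OS user is the credential.
--    DBA_USERS.PASSWORD reads 'EXTERNAL' for these; on 11g and later
--    AUTHENTICATION_TYPE = 'EXTERNAL' expresses the same test.
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- 3. Of those, which also hold the DBA role, so a compromised OS account
--    lands with full database privileges and no second secret to guess.
SELECT u.username, r.granted_role
  FROM dba_users u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.password = 'EXTERNAL'
   AND r.granted_role = 'DBA';

-- Note: membership in the OS "dba" group (ORA_DBA on Windows), which gives
-- SYSDBA with no password at all, is not visible in the dictionary; review
-- it at the OS level (e.g. /etc/group) alongside these results.
```

Any row returned by query 3, or an os_authent_prefix of an empty string (which lets any OS user name map directly onto a database account of the same name), is the exposure the thread is describing.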

Received on Tue Nov 21 2006 - 09:22:40 CST
