
Re: Oracle versus Sqlserver

From: kc <kc_news2000_at_yahoo.com>
Date: 25 Jan 2002 15:27:43 -0800
Message-ID: <a20fe1ab.0201251527.76481523@posting.google.com>


"Niall Litchfield" <n-litchfield_at_audit-commission.gov.uk> wrote in message news:<3c518780$0$8506$ed9e5944_at_reading.news.pipex.net>...
> "kc" <kc_news2000_at_yahoo.com> wrote in message
> news:a20fe1ab.0201250737.61d608a8_at_posting.google.com...
> > It is harder to crack an Oracle box because of the general
> > background of Oracle DBAs. I have encountered many SQL server machines
> > that do not have a password for "SA" account (Is that part of the
> > MCDBA training?? It always amazes me when I find this.). I have never
> > encountered an Oracle box that did not have a password for the "SYS"
> > or "SYSTEM" account.
>
> Of course change_on_install & manager respectively.
>
>
> > Oracle on something other than Windows is a very
> > good bet for security.
>
> I'm interested as to why you suggest Oracle on Windows is inherently
> insecure. Is this a configuration or platform issue?
>
>
> --
> Niall Litchfield
> Oracle DBA
> Audit Commission UK
> *****************************************
> Please include version and platform
> and SQL where applicable
> It makes life easier and increases the
> likelihood of a good answer
>
> ******************************************

My opinion is a platform issue and configuration issue with Windows, not Oracle. Oracle is pretty similar across multiple platforms. Microsoft has to issue patches for security problems at a dizzying rate. I'll let you speculate why this is so. But the fact is Microsoft has many problems with security on their products. The Oracle database may be configured fine and get derailed by a vulnerability in Windows.

Here is an example. A W2k webserver with IIS and Oracle is not patched for Nimda. The webserver is behind a properly configured Cisco Pix server. Nimda does its thing and installs the infamous root.exe on the server. The firewall didn't help because it doesn't protect against operating system problems, only ports and TCP/IP traffic. We'll say that the Cisco blocks everything except port 80.

A script kiddie discovers the root.exe on the server through scanning. Because IIS runs as the "SYSTEM" Windows user the hacker now has administrator privileges on the command line through the web browser. Now the server is controlled by an intruder. Right now the hacker does not have the Oracle passwords. But since they have remote control they remotely install a keylogger and backdoor and wait. Or if they are craftier they just start opening the asp pages and examine the ODBC connection in their web browser. The inexperienced administrator doesn't catch the problem, just like he missed the patch from Microsoft. Or more likely this happens late at night. Now the hacker has the passwords and plunders the information. The cause was a vulnerability and misconfiguration in Windows, not Oracle. But the net effect is a complete removal of security from the Oracle database. And the DBA had no idea because the problem started with the operating system.

The same thing could happen on Unix. A vulnerability in the operating system allows an outsider access to the file system. In my experience this does not happen nearly as frequently as it does in Windows. There are substantially fewer opportunities for vulnerability exposure on Unix. And since most Unix Sysadmins are experienced (and consequently more expensive) they usually take greater notice of patches and problems. A vulnerability on Apache leads to the "nobody" account, not root. I believe the last patch for Apache was 1997. Anyway, we are dealing with Oracle, not Apache. As I said, Oracle could be configured perfectly and still fall victim to the vulnerability of the month with Microsoft products. Take a look at the Microsoft site for security patches in the last two months. Or take a deep breath and look at the last year. This is not a track record of success.

KC Received on Fri Jan 25 2002 - 17:27:43 CST
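The scenario KC describes leaves a trail in the IIS log long before anyone touches the Oracle passwords: requests for root.exe (the copy of cmd.exe that Nimda drops into the web roots) and for cmd.exe itself. The following script is an added example, not part of the original thread or of any product; it assumes the W3C extended log format with the fields named in the `#Fields:` header, and the log lines it parses are constructed for this illustration (the addresses are documentation ranges, not real hosts). It separates scanning noise (404s, the file is not there) from the case a DBA actually cares about (a 200 for root.exe, which means the backdoor already exists on the box).

```python
"""Flag IIS W3C log entries that request root.exe or cmd.exe and report,
per source address, whether the request merely probed for the backdoor
(404) or actually reached it (200).  Constructed sample data, not real logs."""
import re
from collections import Counter

# Constructed sample: a small W3C extended log as IIS 5.0 would write it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-01-25 02:11:03 192.0.2.10 GET /default.asp - 200
2002-01-25 02:11:09 203.0.113.7 GET /scripts/root.exe /c+dir 200
2002-01-25 02:11:10 203.0.113.7 GET /MSADC/root.exe /c+dir 200
2002-01-25 02:11:11 203.0.113.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-01-25 02:12:40 192.0.2.10 GET /orders.asp id=42 200
2002-01-25 03:05:55 198.51.100.4 GET /_vti_bin/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
"""

# root.exe is the Nimda artefact; cmd.exe requests are the same intent.
SUSPECT = re.compile(r"(root|cmd)\.exe", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header.
    Lines whose field count does not match the header are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_webshell_hits(text):
    """Return the records whose URI stem names root.exe or cmd.exe."""
    return [r for r in parse_w3c(text) if SUSPECT.search(r.get("cs-uri-stem", ""))]


def summarize(text):
    """Aggregate the hits: total count, count per source IP, how many were
    served with 200 (backdoor present), and a single yes/no for the host."""
    hits = find_webshell_hits(text)
    served = [r for r in hits if r["sc-status"] == "200"]
    return {
        "hits": len(hits),
        "by_ip": dict(Counter(r["c-ip"] for r in hits)),
        "served_200": len(served),
        # A 200 means IIS found and ran the file: the box is already owned.
        "backdoor_present": bool(served),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["by_ip"].items():
        print(f"{ip}: {n} root.exe/cmd.exe requests")
    print("backdoor present:", report["backdoor_present"])
```

Run it against a real `ex*.log` by reading the file into `summarize()`; a host that returns `backdoor_present == True` should be treated as fully compromised, which in KC's scenario means every Oracle credential the ASP pages or their ODBC settings contained is compromised too, regardless of how well the database itself was locked down.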
