Pau Lo
external passwords vs microsoft SQL Server windows authentication

I have seen a few articles mention that external passwords associated with Oracle database accounts are a risk (as if someone compromised that OS account they don't need to supply a password to access the database), but how is it any different to Microsoft SQL Server's Windows authentication, which is recommended, whereby again you don't need to enter a SQL authentication password to access the database?

These are Linux servers which house the Oracle databases, if that affects it in any way.
Pau Lo

ASKER

Not really, are we saying Oracle external (OS) passwords are more secure than Oracle database passwords?
Not sure about Oracle. But from the MSSQL end, OS authenticated users are more secure than SQL authenticated ones.
Pau Lo

ASKER

Can you elaborate on this: "Auditors only know that the accounts are OS authenticated and they will stop you right there."
If your database is subject to audit, auditors are looking for accounts that are externally identified.  If you have them, you will fail that audit control and you will be required to remediate it.
Pau Lo

ASKER

I just don't really get why, though. And if MSSQL has "Windows authentication", which by the looks of it is the same concept, I'm struggling to see where the risk is.
>>and you will be required to remediate it.

Or explain how the risk is mitigated.  I have successfully won debates over security audits.  I've also lost some...  It just depends on if you have the energy to battle and the facts to back it up.

For us some things are just flagged as a 'risk' by the auditors and as long as Management signs off on the risk, it is allowed.  That is until the risk is exploited and Management has to explain it higher up the food chain.  ;)
>>And if MSSQL has "Windows authentication"

Both "have it".

The difference is one seems to "recommend" using it.

Different companies.... different philosophies.

MSoft is big on integrating ALL their products together.

Single Sign-on is also a big push.

>>I'm struggling to see where the risk is?

The risk is what we've mentioned above:  Compromised OS account, very likely an automatic compromised database.
It all depends on the type of audit, the auditor and the company they work for.  I too have won some battles and lost some battles.  Because of the type of audit that was being done (we did so many different kinds because of what we did, I don't know which one was the biggest restriction), OS authenticated accounts were listed as failures and not risks.  There was no option to argue them.

The "why" is because I can compromise one password and get access to the database.  Or, if someone gets up from their desk and doesn't lock their desktop, I can sit down at their desk and get their database access.  If I staked out an admin, then I have full access.  If I staked out someone with elevated privileges, I can certainly do quite a bit of damage and depending on their privileges, I could probably get any privileges they didn't already have.
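To make the audit point in this thread concrete, here is an added example (not code from the thread, from Oracle or from Microsoft) of the inventory queries a DBA would run to find the accounts being discussed and what they can reach: the first half is Oracle SQL against the data dictionary, the second half is T-SQL for SQL Server. The role names used as examples are standard built-in roles on each platform.

```sql
-- ===== Oracle: accounts that authenticate via the OS (IDENTIFIED EXTERNALLY) =====
-- DBA_USERS.AUTHENTICATION_TYPE is 'EXTERNAL' for these accounts (11g and later);
-- on older releases the PASSWORD column reads 'EXTERNAL' instead.
SELECT username, account_status, created, profile
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL'
 ORDER BY username;

-- The two parameters that decide how far OS trust extends.
-- OS_AUTHENT_PREFIX (default 'OPS$') is prepended to the OS user name to form the
-- database user name. REMOTE_OS_AUTHENT=TRUE would trust the OS user name claimed
-- by a *remote* client; it is deprecated and should remain FALSE, otherwise any
-- host that can reach the listener can assert an OS identity.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- What the external accounts can do: a compromised OS account inherits all of
-- this without a second credential, which is the exposure the thread describes.
SELECT u.username, r.granted_role
  FROM dba_users u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.authentication_type = 'EXTERNAL'
   AND r.granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
 ORDER BY u.username;

-- ===== SQL Server: the equivalent inventory of Windows-authenticated logins =====
-- type 'U' = Windows user, 'G' = Windows group. Members of a Windows group get in
-- without appearing individually here, so group membership must be reviewed in AD.
SELECT name, type_desc, is_disabled, create_date
  FROM sys.server_principals
 WHERE type IN ('U', 'G')
   AND name NOT LIKE 'NT SERVICE\%'
   AND name NOT LIKE 'NT AUTHORITY\%'
 ORDER BY name;

-- Windows logins or groups holding sysadmin: the "unlocked desktop = full
-- database access" case from the thread.
SELECT p.name, p.type_desc
  FROM sys.server_principals p
  JOIN sys.server_role_members m ON m.member_principal_id = p.principal_id
  JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
 WHERE r.name = 'sysadmin'
   AND p.type IN ('U', 'G');
```

Run each half as a privileged account on its own platform; a non-empty result from the last query in either half is the finding the auditors in this thread would flag.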