Security analysis of MSSQL and MySQL

Source: Internet
Author: User
Tags: Microsoft SQL Server, MSSQL, account security, MySQL, database, strong password

Guide: Large Web sites generally run Oracle or DB2, while most small and medium-sized sites use the lighter and more flexible MSSQL or MySQL. So, under the same conditions, which is more secure: Microsoft's MSSQL or the free MySQL?

Databases underpin e-commerce, finance and ERP systems and usually hold information about business partners and customers. Most of the electronic data of enterprises, organizations and government departments is kept in databases, including personal records and sensitive financial data. Yet databases are often less well secured than the operating system and the network. Data is the lifeblood of an organization, so choosing and configuring a secure database is critical.

I installed MSSQL and MySQL with their default settings on my own machine, using the Admin account, to test their security under the same conditions. The system is configured as follows: Microsoft Windows version 5.0 with SP4; the FTP service and IIS are installed, with ASP and PHP support. The system has only one administrator account, Admin, and the Guest account is not disabled.

I. Internal security analysis of the system

1. MySQL database permission control problem

MySQL's permission control is based on the grant tables (the "authorization tables") in the database named mysql: columns_priv, db, func, host, tables_priv and user. First run DESC user to see the structure of the all-important user table, then query its contents to inspect the permission settings.

The command select host,user,password,delete_priv,update_priv,drop_priv from user; shows several of the more dangerous privileges and returns the following:

mysql> select host,user,password,delete_priv,update_priv,drop_priv from user;
+-----------+------+------------------+-------------+-------------+-----------+
| host      | user | password         | delete_priv | update_priv | drop_priv |
+-----------+------+------------------+-------------+-------------+-----------+
| localhost | root | 0e4941f53f6fa106 | Y           | Y           | Y         |
| %         | root |                  | Y           | Y           | Y         |
| localhost |      |                  | Y           | Y           | Y         |
| %         |      |                  | N           | N           | N         |
+-----------+------+------------------+-------------+-------------+-----------+
4 rows in set (0.00 sec)

The first row is root logging in from the local machine with a password, holding the privileges to delete records, modify records and drop tables; that is acceptable. The second row lets root log in from any host without a password, with the same privileges. The third row lets anyone log in anonymously from the local machine, again with these privileges. The last row lets any host log in anonymously, but grants no privileges. Rows two, three and four are clearly unsafe. The second needs no explanation. As for the third: even an account with only local Guest rights on Windows can connect to MySQL anonymously with full privileges and do whatever it likes with the data. The fourth row still allows a connection, and because MySQL matches the most specific host first, an anonymous entry for localhost can even shadow a named account that only has an entry for "%".

WORKAROUND: If remote maintenance is not needed, delete the second entry with delete from user where host='%' and user='root'; or give it a strong password. Delete the third entry with delete from user where host='localhost' and user=''; After editing the grant tables directly, run flush privileges; so that the server reloads them; until then the old entries remain in effect.
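The following script, added here as an example and not part of the original article, carries out the cleanup described above against the grant tables. It assumes MySQL 4.x/5.x syntax (SET PASSWORD ... = PASSWORD() and IDENTIFIED BY inside GRANT, neither of which exists in MySQL 8); the host 192.168.1.10, the login dbadmin and the passphrases are placeholders.

```sql
-- Added example: tighten the default MySQL grant tables (MySQL 4.x/5.x syntax assumed).
USE mysql;

-- 1. Audit first: every account that has no password, is reachable from any host,
--    or is anonymous. These are the rows the article's listing flagged.
SELECT host, user, password, delete_priv, update_priv, drop_priv
  FROM user
 WHERE password = '' OR host = '%' OR user = '';

-- 2. Remove the anonymous accounts (rows 3 and 4 of the listing).
DELETE FROM user WHERE user = '';

-- 3. Remove root-from-anywhere (row 2). If remote administration really is needed,
--    create a separate account restricted to one host instead (step 5).
DELETE FROM user WHERE user = 'root' AND host = '%';

-- 4. Make sure the remaining local root account has a strong password.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('replace-with-a-long-random-passphrase');

-- 5. Optional: a dedicated maintenance login limited to the administrator's
--    workstation (192.168.1.10 is a placeholder address).
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'192.168.1.10'
      IDENTIFIED BY 'another-long-random-passphrase' WITH GRANT OPTION;

-- 6. Direct edits to the grant tables only take effect after a reload.
FLUSH PRIVILEGES;

-- 7. Verify: no empty password, no '%' host and no anonymous user should remain,
--    apart from the single dbadmin entry created in step 5.
SELECT host, user, password FROM user ORDER BY host, user;
```

Run the audit query in step 1 again after step 6: if any row still comes back, a grant table other than user (for example db or host) may still carry an anonymous entry and should be checked the same way.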

2. MySQL installation directory permission issue

MySQL installs by default to C:\mysql, but the root of the C: drive defaults to Everyone: Full Control, and because permissions are inherited, C:\mysql is also fully controlled by Everyone. This is clearly unsafe: any local user, including Guest, can delete or replace important data files, since the databases themselves live under C:\mysql\data.

WORKAROUND: Reset the access rights on the MySQL directory so that only Administrators, SYSTEM and the account the MySQL service runs under can reach it, or install MySQL outside the system drive. If you move the distribution to D:\mysql, you must start the server with D:\mysql\bin\mysqld --basedir=D:\mysql, or set basedir (and datadir) in the my.ini configuration file. Moving the directory does not by itself fix the ACL; apply the restricted permissions on the new location as well.

3. MSSQL database permission control problem

MSSQL's logins are stored in the master database and can be inspected through the syslogins table. The account with every permission is sa, a member of the sysadmin fixed server role; other accounts may hold sysadmin, db_owner and similar roles. However, the default password of sa, the most privileged account, is empty, so if this is overlooked during installation the data faces a devastating compromise. An attacker can modify or delete all data and, more importantly, a sysadmin login can call extended stored procedures such as xp_cmdshell to execute operating system commands under the SQL Server service account.

WORKAROUND: Periodically check all logins for passwords that do not meet requirements. In master, the command select name, password from syslogins where password is null lists logins with a null password. Remove extended stored procedures that are not needed so that they cannot be used to run commands: in master, exec sp_dropextendedproc 'xp_cmdshell' removes xp_cmdshell. Note that any sysadmin login can register it again with sp_addextendedproc, so removal protects against non-privileged users but is no substitute for strong passwords on every sysadmin login. On SQL Server 2005 and later, xp_cmdshell is disabled by default and is switched with sp_configure rather than dropped.
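The script below, added here as an example and not taken from the original article, performs the audit and hardening steps of this section as a T-SQL batch. It assumes SQL Server 2000 (sp_password and sp_dropextendedproc are the procedures of that version; on 2005 and later use ALTER LOGIN and sp_configure 'xp_cmdshell' instead), and the passphrase is a placeholder.

```sql
-- Added example (not from the original article): audit and harden logins on SQL Server 2000.
USE master
GO

-- 1. SQL logins that can be used without a password. Windows logins have no stored
--    password (isntname = 1), so they are excluded here to avoid false positives.
SELECT name, isntname, sysadmin
  FROM syslogins
 WHERE password IS NULL AND isntname = 0
GO

-- 2. Everyone who holds the sysadmin role; each of these is effectively sa.
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 3. Give sa a strong password. NULL for the old password is accepted when the
--    caller is a sysadmin; the new value is a placeholder to replace.
EXEC sp_password NULL, 'replace-with-a-long-random-passphrase', 'sa'
GO

-- 4. Remove xp_cmdshell. A sysadmin can re-add it with sp_addextendedproc,
--    which is why step 3 matters more than this step.
EXEC sp_dropextendedproc 'xp_cmdshell'
GO

-- 5. Verify that the extended procedure (xtype 'X') is gone; expect no rows.
SELECT name FROM sysobjects WHERE name = 'xp_cmdshell' AND xtype = 'X'
GO
```

Step 1 should be repeated after step 3 and should return no rows; if it still lists other SQL logins, set a password for each of them with sp_password in the same way before moving on.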

4. MSSQL installation directory permission issue

Like MySQL, MSSQL installs by default on the C: drive, where Everyone has Full Control; because of this access control problem it is best to install on D: or another non-system drive and apply strict permissions there. Furthermore, because MSSQL is tightly integrated with Windows, a local administrator can connect with Windows Authentication and manage the database without knowing any database password: by default the BUILTIN\Administrators group is mapped to a sysadmin login. So an ordinary user who escalates to administrator through a system vulnerability can also destroy the database.

Workaround: In addition to strict access restrictions, check the SQL Server error logs regularly for suspicious logon events. With login auditing enabled (Server Properties, Security tab, Audit level) the log records entries such as Login failed for user 'sa', which can be searched from the command prompt with findstr /c:"Login failed" "D:\Microsoft SQL Server\mssql\log\*.*" (the path must be quoted because it contains spaces).
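The following batch, added here as an example and not part of the original article, narrows the Windows Authentication exposure described above on SQL Server 2000 by replacing the blanket BUILTIN\Administrators mapping with one named Windows group. DOMAIN\SQLAdmins is a placeholder; sp_grantlogin, sp_addsrvrolemember and sp_revokelogin are the SQL 2000 procedures (CREATE LOGIN / DROP LOGIN on 2005 and later).

```sql
-- Added example (not from the original article): stop every local administrator
-- from being a database sysadmin through Windows Authentication (SQL Server 2000).
USE master
GO

-- 1. Which Windows logins exist, and which of them are sysadmin?
--    On a default install BUILTIN\Administrators appears here with sysadmin = 1.
SELECT name, isntgroup, isntuser, sysadmin
  FROM syslogins
 WHERE isntname = 1
GO

-- 2. Map one specific Windows group used for administration (placeholder name)
--    and make it sysadmin BEFORE removing the built-in group, so nobody is locked out.
EXEC sp_grantlogin 'DOMAIN\SQLAdmins'
EXEC sp_addsrvrolemember 'DOMAIN\SQLAdmins', 'sysadmin'
GO

-- 3. Drop the mapping that turns every member of the local Administrators
--    group into a database sysadmin.
EXEC sp_revokelogin 'BUILTIN\Administrators'
GO

-- 4. Verify: only the intended group should remain with sysadmin = 1.
SELECT name, sysadmin FROM syslogins WHERE isntname = 1
GO
```

Before step 3, check which account the SQL Server and SQL Server Agent services run under: if either runs as LocalSystem, grant NT AUTHORITY\SYSTEM its own login first, because that account otherwise relies on the BUILTIN\Administrators mapping to connect. This does not close the gap the article points out, since a Windows administrator can still stop the service and copy the data files, but it removes the silent sysadmin access.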

The security of MSSQL is closely tied to the security of Windows itself: any weakness that lets an attacker compromise the operating system is also a threat to the database.

Summary: in terms of internal security, neither MySQL nor MSSQL is satisfactory out of the box; account security and access rights are not well controlled by default. MSSQL does keep detailed logs from which logon activity can be reviewed, which puts it a notch ahead of MySQL. With a proper setup, however, MySQL ends up more secure, because with MSSQL anyone who holds system (administrator) privileges automatically holds database privileges.
