A GUIDE TO SECURING MYSQL ON WINDOWS - A MYSQL WHITE PAPER

A Guide to Securing MySQL on Windows

A MySQL White Paper
January 2010

Copyright © 2010, Sun Microsystems
Table of Contents

Executive Summary
Why MySQL on Microsoft Windows?
Scope of this Guide
Understanding the MySQL Security Model
Post-Installation Tasks
Account Management
Password Management
Encryption
Data Communication
Database Replication
Securing MySQL with MySQL Enterprise
MySQL on Windows Case Studies
Conclusion
Resources
About MySQL

Executive Summary
For many years, Microsoft Windows has been the most popular development platform and second most
popular production platform for MySQL applications. In early 2009 we conducted our annual survey and
found that 66 percent of those surveyed used Windows for development and 48 percent ultimately
deployed on Windows. Given that so many users deploy MySQL on Windows, it makes sense to recap
some of the best practices for securing MySQL on Windows.

Why MySQL on Microsoft Windows?
First, MySQL on Windows remains strong due to the fact that MySQL delivers:

    •   Lower TCO
    •   Ease of use
    •   Reliability
    •   Performance
    •   A fully featured database with no functional limitations of “lite” database versions

For more information on why MySQL is an excellent choice on Windows, please visit:

http://dev.mysql.com/doc/refman/5.1/en/windows-and-ssh.html

Scope of this Guide
This document contains information regarding the best practices one should employ to secure a
Windows-based installation of MySQL 5.1. This guide will walk you through the following security-related
aspects of MySQL:

    •   Understanding the MySQL Security Model
    •   Post-Installation Tasks
    •   User Accounts
    •   Password Management
    •   Encryption
    •   Data Communication
    •   Database Replication

Understanding the MySQL Security Model

In this section we will cover several key concepts for understanding how the MySQL Server and Client
security model works.

At a high level, MySQL’s security model is based on Access Control Lists (ACLs) for all connections,
queries, and other operations that users can attempt to perform. We should note that there is also support
for SSL-encrypted connections between MySQL clients and servers.

The MySQL Privilege System

The primary function of the MySQL privilege system is to authenticate users who connect from hosts and
in turn associate them with privileges on a database such as SELECT, INSERT, UPDATE, and DELETE.

Additional functionality in this regard includes the ability to have anonymous accounts, privileges for
MySQL-specific functions such as LOAD DATA INFILE, replication, object-level privileges and the ability
to perform administrative operations.

Information concerning account privileges is stored in the following tables located in the mysql database:

    •   user
    •   db
    •   host
    •   tables_priv
    •   columns_priv
    •   procs_priv

For example, the user table contains the host with which the user name is associated, the user
name, the user’s password (in an encrypted format) and various privileges. Because of the information
contained within the user table, it is recommended that only the MySQL root user have access to this
table.

Information about account privileges is also located in several tables of the INFORMATION_SCHEMA
database. Tables of note in this regard include:

    •   column_privileges
    •   schema_privileges

    •   table_privileges
    •   user_privileges

These access-control decisions are based on the in-memory copies of the GRANT tables. The MySQL
server loads the contents of these tables into memory when it starts up and re-reads them under
certain circumstances. For a listing of these circumstances please refer to:

http://dev.mysql.com/doc/refman/5.1/en/privilege-changes.html

As a best practice, whenever you issue a data control statement, you should also have the GRANT tables
re-read into memory so that the modification is immediately applied to the server. This means that you
should always issue a FLUSH PRIVILEGES command with your DCL statement.

For example:

GRANT SELECT ON database.* TO 'user'@'hostname' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

GRANT and REVOKE statements are the key enablers and disablers of privileges. A complete list of
those privileges can be found at:

http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html

Connecting to MySQL

MySQL client programs generally expect you to specify certain connection parameters when you want to
access a MySQL server. These include:

    •   The name of the host where the MySQL server is running
    •   Your username
    •   Your password

For example, the mysql client can be started as follows from a command-line prompt:

mysql -hhostname -uusername -p

If you use a -p or --password option but do not specify a password, the client program prompts you to
enter the password. The password is not displayed as you enter it. This is more secure than giving the
password on the command line. Any user on your system may be able to see a password specified on
the command line by reviewing any history that may be kept at the command line.

MySQL client programs use default values for any connection parameter option that you do not specify:

    •   The default hostname is localhost.
    •   The default username is your Windows login name
    •   No default value is supplied for the password variable

The password is never transmitted in clear text over the connection. All other information is transferred as
text, and can be read by anyone who is able to watch the connection. If the connection between the client
and the server goes through an untrusted network, such as the internet, you can use the compressed
protocol to make traffic much more difficult to decipher. Better yet, you should consider using MySQL’s
built-in Secure Sockets Layer (SSL) support to make the connection even more secure. Alternatively, you
can employ Secure Shell (SSH) to get an encrypted TCP/IP connection between a MySQL server and a
MySQL client.

Post-Installation Tasks
Immediately after you have installed MySQL, it is strongly recommended that you perform several tasks to
harden the server, if you did not already do so when prompted by the installation GUI.

Delete the ‘test’ database

The default TEST database has very permissive grants and should be dropped.

DROP DATABASE test;

Secure the ‘root’ account

By default when MySQL is installed on Windows, several accounts are created with blank passwords.
MySQL creates an account with the username of root with a blank password. The root user is a super
user account that can do anything on the MySQL server. This root account is for connections from the
local host only.

There is also a second root user which is created that can connect from remote machines. If you used the
GUI-based MySQL installation you may have also chosen to create a root account which can connect
from remote machines by explicitly selecting the option “Enable root access from machines.” Below is the
procedure to set the password for the root account if you have chosen to retain it.

SET PASSWORD FOR root@localhost = PASSWORD('password');
FLUSH PRIVILEGES;

Delete the ‘anonymous’ accounts

By default two anonymous user accounts are also created, each with an empty username and no
passwords. One of these anonymous accounts is for connecting from the local host. The other
anonymous account can connect from any host and has privileges for the test database and any other
databases which start with the name test.

It is strongly recommended to drop these accounts. This can be accomplished by issuing the following
command against the mysql database:

DELETE FROM user WHERE user = '';
FLUSH PRIVILEGES;

The ‘mysql_secure_installation’ script

The previously described steps can also be automated by using the interactive mysql_secure_installation
script which you will find in the scripts directory if you opted to use the .zip installation.

Running this script will set the root password, remove remote root access, remove the anonymous
accounts and delete the default test database.

As previously mentioned, many of these tasks are addressed in the MySQL GUI installer for Windows.

Running the MySQL Server Securely

To use client programs, the MySQL process, mysqld, must be running. On Windows, users will likely
choose to run MySQL as a service. (This option can easily be configured using the MySQL GUI installer
for Windows.) Because clients gain access to databases by connecting to the server, mysqld is the main
program that does the work. Depending on the installation package you chose, the server is accompanied
by several related scripts that perform setup operations when you install MySQL or that assist you in
starting and stopping the server. mysqld can (and should) be run as an ordinary, unprivileged user.

Account Management

Similar to other database management systems, the GRANT and REVOKE statements are used for
controlling access to MySQL. As a best practice, do not grant more privileges than necessary. Never
grant privileges to all hosts.

For example:

    •   Try mysql -u root at the command line. If you are able to connect successfully to the server
        without being asked for a password, anyone can connect to your MySQL server as the MySQL
        root user with full privileges.

    •   Use the SHOW GRANTS statement to check which accounts have access to what. Then use the
        REVOKE statement to remove those privileges that are not necessary.

Do not grant the PROCESS or SUPER privilege to non-administrative users. The output of SHOW
PROCESSLIST shows the text of any statements currently being executed, so any user who is allowed to
see the server process list might be able to see statements issued by other users such as:

UPDATE user SET password=PASSWORD('some_password')

The mysqld process reserves an extra connection for users who have the SUPER privilege, so that a
MySQL root user can always log in and check server activity even if all available connections are in use.

The SUPER privilege can be used to terminate client connections, change server operation by changing
the value of system variables, and control replication servers. Never grant this privilege unless absolutely
necessary, as it can be used, intentionally or unintentionally, to negatively affect the server.

Do not grant the FILE privilege to non-administrative users. Any user that has this privilege can write a file
anywhere in the file system with the privileges of the mysqld process. To make this a bit safer, files
generated with SELECT ... INTO OUTFILE do not overwrite existing files and are writable by everyone.
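As an added example (not from this white paper or from MySQL itself), the Python below applies the checks from the post-installation tasks and this section to a constructed snapshot of the mysql.user table and emits the DCL statements the guide recommends. The row shape, account names and hash strings are assumed sample data, and PROCESS, SUPER and FILE are treated as administrative-only privileges as described above.

```python
"""Audit a mysql.user snapshot for the weaknesses this guide says to remove.

The rows below are CONSTRUCTED sample data in the shape that
  SELECT User, Host, Password, Super_priv, File_priv, Process_priv FROM mysql.user;
returns on MySQL 5.1: Password holds the hash ('' when the password is blank)
and each *_priv column is 'Y' or 'N'.
"""

# Constructed snapshot: a fresh Windows install (root twice, two anonymous
# accounts) plus two application accounts added later.
SAMPLE_USER_ROWS = [
    {"User": "root", "Host": "localhost", "Password": "",
     "Super_priv": "Y", "File_priv": "Y", "Process_priv": "Y"},
    {"User": "root", "Host": "%", "Password": "",
     "Super_priv": "Y", "File_priv": "Y", "Process_priv": "Y"},
    {"User": "", "Host": "localhost", "Password": "",
     "Super_priv": "N", "File_priv": "N", "Process_priv": "N"},
    {"User": "", "Host": "%", "Password": "",
     "Super_priv": "N", "File_priv": "N", "Process_priv": "N"},
    {"User": "webapp", "Host": "10.0.0.%", "Password": "*CONSTRUCTED_HASH_1",
     "Super_priv": "N", "File_priv": "Y", "Process_priv": "N"},
    {"User": "reports", "Host": "10.0.0.15", "Password": "*CONSTRUCTED_HASH_2",
     "Super_priv": "N", "File_priv": "N", "Process_priv": "N"},
]

ADMIN_USERS = frozenset({"root"})        # accounts allowed to hold the privileges below
ADMIN_ONLY_PRIVS = ("Super_priv", "File_priv", "Process_priv")
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def sql_quote(value):
    """Quote a value as a MySQL string literal with straight quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def audit_user_rows(rows, admin_users=ADMIN_USERS):
    """Return (user, host, issue) findings; an account that should simply be dropped gets one finding."""
    findings = []
    for row in rows:
        user, host = row["User"], row["Host"]
        if user == "":
            findings.append((user, host, "anonymous account"))
            continue
        if user in admin_users and host not in LOCAL_HOSTS:
            findings.append((user, host, "administrative account reachable from remote hosts"))
            continue
        if row["Password"] == "":
            findings.append((user, host, "blank password"))
        if "%" in host or "_" in host:   # both are LIKE-style wildcards in Host values
            findings.append((user, host, "wildcard in host value"))
        if user not in admin_users:
            for column in ADMIN_ONLY_PRIVS:
                if row[column] == "Y":
                    priv = column.replace("_priv", "").upper()
                    findings.append((user, host, f"{priv} granted to non-administrative account"))
    return findings


def remediation_sql(findings):
    """Translate findings into the statements this guide recommends, re-reading the grant tables at the end."""
    statements = []
    for user, host, issue in findings:
        account = f"{sql_quote(user)}@{sql_quote(host)}"
        if issue in ("anonymous account", "administrative account reachable from remote hosts"):
            statements.append(f"DROP USER {account};")
        elif issue == "blank password":
            statements.append(f"SET PASSWORD FOR {account} = PASSWORD('<choose a strong password>');")
        elif issue.endswith("granted to non-administrative account"):
            statements.append(f"REVOKE {issue.split(' ', 1)[0]} ON *.* FROM {account};")
        else:
            statements.append(f"-- review the wildcard host value on {account} and narrow it to an IP address")
    statements.append("FLUSH PRIVILEGES;")
    return statements


if __name__ == "__main__":
    for statement in remediation_sql(audit_user_rows(SAMPLE_USER_ROWS)):
        print(statement)
```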

Failed Logins

The max_connect_errors system variable sets the number of interrupted connections allowed from a host
before that host is blocked from further connections. You can unblock a blocked host with the FLUSH
HOSTS statement. By default, the MySQL server blocks a host after 10 connection errors.

Limiting Account Resources

MySQL also offers the ability to limit the number of connections and queries that can be issued from
a client during a specified period of time. One means of limiting the use of MySQL server resources is to
set the max_user_connections system variable to a non-zero value. However, this method is strictly
global, and does not allow for management of individual accounts. In addition, it limits only the number of
simultaneous connections made using a single account, and not what a client can do once connected.

As of version 5.5, you can limit the following server resources for individual accounts:

    •   The number of queries that an account can issue per hour
    •   The number of updates that an account can issue per hour
    •   The number of times an account can connect to the server per hour
    •   The number of simultaneous connections to the server an account can have

You can enable these limits with a GRANT statement, for example:

GRANT USAGE ON *.* TO 'user'@'localhost'
  WITH MAX_QUERIES_PER_HOUR 50
       MAX_UPDATES_PER_HOUR 25
       MAX_CONNECTIONS_PER_HOUR 10
       MAX_USER_CONNECTIONS 5;

Password Management

MySQL users and passwords have nothing to do with users and passwords on Windows. Below are
some tips for managing passwords:

    •   Never give anyone (except MySQL root accounts) access to the user table in the mysql
        database. The encrypted password is the real password in MySQL. Anyone who knows the
        password that is listed in the user table and has access to the host listed for the account can
        easily log in as that user.

    •   Do not store any plain-text passwords for your application in the database. If your computer
        becomes compromised, the intruder can take the full list of passwords and use them. Instead,
        use MD5(), SHA1(), or some other one-way hashing function and store the hash value.

    •   Always choose a strong password which includes letters, numbers and special characters. There
        are many readily available programs which through “brute force” can eventually guess the
        password to your server.

Encrypted Passwords

MySQL encrypts passwords using its own algorithm. User accounts are listed in the user table of the
mysql database. Each account is assigned a password. The password column of the user table is not the
plaintext version of the password, but a hash value computed from it. Password hash values are
computed by the PASSWORD() function. The server uses hash values during authentication when a
client first attempts to connect. The server generates hash values if a connected client invokes the
PASSWORD() function or uses a GRANT or SET PASSWORD statement to set or change a password.

Password Uniqueness and Complexity

If end users use the mysql client application to connect to a database application, then they are also
allowed to change their own password. There is currently no real-time enforcement of the complexity of
passwords, their length or age. For users with a subscription to MySQL Enterprise, the Knowledge Base
offers articles and scripts with which you can check for:

    •   Password complexity against a dictionary file
    •   Length
    •   Case sensitivity
    •   Character sensitivity
    •   Same login and password
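As an added example, not the white paper's or MySQL's own code, the Python below reproduces the value PASSWORD() stores in the user table on MySQL 4.1 and later (a '*' followed by SHA1 applied twice, with no salt) and performs the kind of checks the Knowledge Base scripts are described as doing before a new password is accepted. The dictionary words, the minimum length, and reading "character sensitivity" as requiring a digit and a special character are assumptions; the shared-hash check goes slightly beyond the text, showing that because the hash is unsalted, accounts that reuse a password have identical Password values.

```python
import hashlib
import string


def mysql41_password_hash(password):
    """Hash as PASSWORD() computes it on MySQL 4.1+: '*' + SHA1(SHA1(password)), upper-case hex, no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed stand-in for the dictionary file the guide mentions.
DICTIONARY = frozenset({"password", "welcome", "mysql", "letmein", "admin", "summer"})


def password_policy_failures(login, password, dictionary=DICTIONARY, min_length=10):
    """Return the list of policy checks a candidate password fails (an empty list means accept it)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("not mixed case")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if password.lower() == login.lower():
        failures.append("same as login")
    # Strip trailing digits/punctuation so "Summer2010!" is still caught as a dictionary word.
    if password.lower().rstrip(string.digits + string.punctuation) in dictionary:
        failures.append("dictionary word")
    return failures


def accounts_sharing_a_hash(rows):
    """Group (user, host) pairs by identical non-blank Password value; a shared hash means a reused password."""
    by_hash = {}
    for row in rows:
        if row["Password"]:
            by_hash.setdefault(row["Password"], []).append((row["User"], row["Host"]))
    return {h: accounts for h, accounts in by_hash.items() if len(accounts) > 1}


# Constructed user-table rows: two application accounts were given the same weak password.
SAMPLE_ROWS = [
    {"User": "webapp", "Host": "10.0.0.15", "Password": mysql41_password_hash("Summer2010!")},
    {"User": "reports", "Host": "10.0.0.16", "Password": mysql41_password_hash("Summer2010!")},
    {"User": "backup", "Host": "localhost", "Password": mysql41_password_hash("Tr0ub4dor&3x")},
]

if __name__ == "__main__":
    print(mysql41_password_hash("password"))
    print(password_policy_failures("webapp", "Summer2010!"))
    print(accounts_sharing_a_hash(SAMPLE_ROWS))
```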

Encryption

MySQL provides built-in functions to encrypt and decrypt data values.

    •   AES functions allow encryption and decryption of data using the official Advanced Encryption
        Standard algorithm, previously known as “Rijndael”. Encryption uses a 128-bit key length, but you
        can extend it up to 256 bits by modifying the source code.

    •   DES functions allow for encryption and decryption using the Triple-DES algorithm.

    •   MD5 functions calculate a 128-bit checksum for a string.

    •   SHA1 calculates a 160-bit checksum for the string; however, weaknesses in the SHA-1 algorithm
        have become known, and you should strongly consider using one of the other encryption functions.

Below is a list of some of the common encryption functions used with MySQL:

    •   AES_ENCRYPT()
    •   AES_DECRYPT()
    •   DES_ENCRYPT()
    •   DES_DECRYPT()
    •   MD5()
    •   SHA1()

An example of how to use the AES functions is illustrated below:

INSERT INTO table1 (col1) VALUES (AES_ENCRYPT('456-89-7654', 'my_password'));

and

SELECT AES_DECRYPT(col1, 'my_password') AS col1 FROM table1;

Data Communication

It is best not to transmit plain (unencrypted) data over the Internet. This information is accessible to
everyone who has the time and ability to intercept it and use it for their own purposes. Instead, use an
encrypted protocol such as SSL or SSH. Another technique is to use SSH port-forwarding to create an
encrypted (and compressed) tunnel for the communication.

The standard configuration of MySQL is intended to be as fast as possible, so encrypted connections are
not used by default. Doing so would make the client/server protocol much slower. Encrypting data is a
CPU-intensive operation that requires the computer to do additional work and can delay other MySQL
tasks. For applications that require the security provided by encrypted connections, the extra computation
is warranted.

MySQL allows encryption to be enabled on a per-connection basis. You can choose a normal
unencrypted connection or a secure encrypted SSL connection according to the requirements of individual
applications.

Secure connections are based on the OpenSSL API and are available through the MySQL C API. It
should be noted that MySQL Replication uses the C API, so secure connections can be used between
master and slave servers.

For instructions on how to configure MySQL with SSL please visit:

http://dev.mysql.com/doc/refman/5.1/en/secure-using-ssl.html

Another way to connect securely is from within an SSH connection to the MySQL server host. For
instructions on how to configure this option, see:

http://dev.mysql.com/doc/refman/5.1/en/windows-and-ssh.html

In general it is better to use IP addresses rather than hostnames in the grant tables whenever possible. In
any case, you should be very careful about creating grant table entries using hostname values that
contain wildcards.

Database Replication

It is best to set up an exclusive account on the master server that the slave server can use to connect.
This account must be given the REPLICATION SLAVE privilege. If this account is used only for
replication (which is recommended), you don't need to grant any additional privileges. For example:

GRANT REPLICATION SLAVE ON *.*
  TO 'replication_user'@'replication_server_ip' IDENTIFIED BY 'password';

If you plan to use the LOAD TABLE FROM MASTER or LOAD DATA FROM MASTER statements from
the slave host, you must grant this account additional privileges:

    •   Grant the account the SUPER and RELOAD global privileges. (Recall that the SUPER privilege is
        comparable to root.)
    •   Grant the SELECT privilege for all tables that you want to load. Any master tables from which the
        account cannot SELECT will be ignored by LOAD DATA FROM MASTER.

Securing MySQL with MySQL Enterprise
For production deployments of MySQL, we recommend that a company subscribe to MySQL
Enterprise. MySQL Enterprise contains the software and services necessary to support MySQL in
mission-critical environments where a business is relying on its database-driven systems to drive its
key applications. The MySQL Enterprise subscription is comprised of the following three components:

The MySQL Enterprise Server – is the most reliable, secure and up-to-date version of MySQL. MySQL
Enterprise provides the added value of the update services wrapped around the MySQL Enterprise server
in the form of:

    •   Monthly Rapid Updates
    •   Quarterly Service Packs
    •   Hot Fix Build Program
    •   Extended End-of-Life Program

The MySQL Enterprise Monitor with Query Analyzer – is a distributed web application that you deploy
within the safety of your corporate firewall. The Monitor continually monitors all of your MySQL servers
and proactively alerts you to potential problems and tuning opportunities before they become costly
outages. It also provides you with MySQL expert advice on the issues it has found so you know where to
spend your time in optimizing your MySQL systems.

The security related features of Enterprise Monitor include the ability to monitor:

    •   Unplanned security changes
    •   Users with global privileges
    •   Appropriate passwords/usage
    •   Inappropriate user privileges
    •   Root user issues
    •   Others…

MySQL Production Support Services – MySQL Enterprise includes 24 X 7 X 365 production support for
your MySQL servers to help ensure your business critical applications are continuously available and
running at their peak. MySQL Production Support Services include:

    • Online Self-Help Support – The knowledge base is a self-help tool that provides you with access
       to 2,000+ technical articles on MySQL specific topics that help quickly answer questions and
       solve problems.
    • Problem Resolution Support – Allows you to work directly with the MySQL Production Support
       team via phone, email or online for quick resolution of technical problems.
    • Consultative Support – Allows you to work with MySQL Engineers on the proper installation,
       configuration and deployment of MySQL and its advanced feature set and on best practices
       around the design and tuning of schemas, queries and application specific code.
    • Advanced Support for MySQL High Availability and Scalability Solutions – MySQL Enterprise
       includes full production support for additional advanced MySQL features and third-party solutions
       to scale the availability and performance of your online applications.

MySQL on Windows Case Studies
Below are some examples of MySQL customers realizing lower TCO by running MySQL on Windows.

Adobe Relies on MySQL to Make Creative Professionals More Productive

Adobe Systems is one of the largest software companies and is the leading provider of creative tools for
print, web, interactive, mobile, video and film. Adobe embeds MySQL into several Adobe Creative Suite 3
components, including Adobe Acrobat CS3, Adobe® Bridge CS3, and Adobe® Version Cue® CS3 so that
workgroups can work more efficiently on complex projects. For more information please visit:

http://www.mysql.com/why-mysql/case-studies/MySQL_CaseStudy_Adobe.pdf

NetQoS Delivers Distributed Network Management Solution with Embedded
MySQL

NetQoS delivers products and services that enable some of the world’s most demanding enterprises to
improve network performance. American Express, Barclays, Boeing, Chevron, Cisco, Citrix, DuPont, Sara
Lee, and Schlumberger are among the corporations that rely on NetQoS performance management
solutions to ensure consistent delivery of business critical applications, monitor application service levels,
troubleshoot problems quickly, contain infrastructure costs, and manage user expectations. To find the
right embedded database solution to fit its innovative product architecture, NetQoS evaluated everything
from flat-files to proprietary databases. NetQoS found that MySQL provided the ideal combination of
performance, reliability, and ease of administration on Windows. For more information please visit:

http://www.mysql.com/why-mysql/case-studies/mysql-netqos-casestudy.pdf

For a complete list of case studies and other resources concerning organizations making use of MySQL
on Windows, please visit:

http://www.mysql.com/customers/operatingsystem/?id=109

Conclusion
In this paper we presented a recap of many of the post-installation tasks required to secure an installation
of the MySQL server on Windows. We covered topics related to account and password management,
encryption and network access. Because MySQL continues to be a very popular choice on Windows, we
strongly encourage you to review these guidelines and implement them in your standard operating
procedures.

Resources

White Papers

http://www.mysql.com/why-mysql/white-papers/

Case Studies

http://www.mysql.com/why-mysql/case-studies/

Press Releases, News and Events

http://www.mysql.com/news-and-events/

Live Webinars

http://www.mysql.com/news-and-events/web-seminars/

Webinars on Demand

http://www.mysql.com/news-and-events/on-demand-webinars/

About MySQL
MySQL is the most popular open source database software in the world. Many of the world's largest and
fastest-growing organizations use MySQL to save time and money powering their high-volume Web sites,
critical business systems and packaged software -- including industry leaders such as Yahoo!, Alcatel-
Lucent, Google, Nokia, YouTube and Zappos.com. At http://www.mysql.com, Sun provides corporate
users with commercial subscriptions and services, and actively supports the large MySQL open source
developer community.

To discover how Sun’s offerings can help you harness the power of next-generation Web capabilities,
please visit http://www.sun.com/web.
