A Guide to Securing MySQL on Windows

Transcription

1 A Guide to Securing MySQL on Windows A MySQL White Paper January 2010 Copyright 2010, Sun Microsystems 1

2 Table of Contents Executive Summary... 3 Why MySQL on Microsoft Windows?... 3 Scope of this Guide... 3 Understanding the MySQL Security Model... 3 Post-Installation Tasks... 6 Account Management... 7 Password Management... 8 Encryption... 9 Data Communication Database Replication Securing MySQL with MySQL Enterprise MySQL on Windows Case Studies Conclusion Resources About MySQL Copyright 2010, Sun Microsystems 2

3 Executive Summary For many years, Microsoft Windows has been the most popular development platform and second most popular production platform for MySQL applications. In early 2009 we conducted our annual survey and what we found is that 66% percent of those surveyed used Windows for development and 48% ultimately deployed on Windows. Given that so many users deploy MySQL on Windows, it makes sense to recap some of the best practices for securing MySQL on Windows. Why MySQL on Microsoft Windows? First, MySQL on Windows remains strong due to the fact that MySQL delivers: Lower TCO Ease of use Reliability Performance A fully featured database with no functional limitations of lite database versions For more information on why MySQL is an excellent choice on Windows, please visit: Scope of this Guide This document contains information regarding the best practices one should employ to secure a Windows-based installation of MySQL 5.1. This guide will walk you through the following security-related aspects of MySQL: Understanding the MySQL Security Model Post-Installation Tasks User Acounts Password Management Encryption Data Communication Database Replication Understanding the MySQL Security Model In this section we will cover several key concepts for understanding how the MySQL Server and Client security model works. At a high-level, MySQL s security model is based on Access Control Lists (ACLs) for all connections, queries, and other operations that users can attempt to perform. We should note that there is also support for SSL-encrypted connections between MySQL clients and servers. Copyright 2010, Sun Microsystems 3

4 The MySQL Privilege System The primary function of the MySQL privilege system is to authenticate users who connect from hosts and in turn associate them with privileges on a database such as SELECT, INSERT, UPDATE, and DELETE. Some additional functionality in this regard also includes the ability to have anonymous, privileges for MySQL-specific functions such as LOAD DATA INFILE, replication, object-level privileges and the ability to perform administrative operations. Information concerning account privileges is stored in the following tables located in the mysql database: user db host tables_priv columns_priv procs_priv For example, the USER table contains the host to which the user name is associated with, the user name, the user s password (in an encrypted format) and various privileges. Because of the information contained within the USER table, it is recommended that only the MySQL root user have access to this table. Information about account privileges is also located in several tables of the INFORMATION_SCHEMA database. Tables of note in this regard include: column_privileges schema_privileges Copyright 2010, Sun Microsystems 4

5 table_privileges user_privileges These access-control decisions are based on the in-memory copies of the GRANT tables. The MySQL server loads the contents of these tables into memory when it starts up and re-reads them under the certain circumstances. For a listing of these circumstances please refer to: As a best practice, whenever you issue a data control statement, you should also have the GRANT tables re-read into memory so that the modification is immediately applied to the server. This means that you should always issue a FLUSH PRIVILEGES command with your DCL statement. For example: GRANT SELECT ON database.* TO user@ hostname IDENTIFIED BY password ; FLUSH PRIVILEGES; GRANT and REVOKE statements are the key enablers and disablers of privileges. A complete list of those privileges can be found at: Connecting to MySQL MySQL client programs generally expect you to specify certain connection parameters when you want to access a MySQL server, these include: The name of the host where the MySQL server is running Your username Your password For example, the mysql client can be started as follows from a command-line prompt: mysql -hhostname -uusername -p If you use a -p or --password option but do not specify a password, the client program prompts you to enter the password. The password is not displayed as you enter it. This is more secure than giving the password on the command line. Any user on your system may be able to see a password specified on the command line by reviewing any history that may be kept at the command line. MySQL client programs use default values for any connection parameter option that you do not specify: The default hostname is localhost. The default username is your Windows login name No default value is supplied for the password variable The password is never transmitted in clear text over the connection. All other information is transferred as text, and can be read by anyone who is able to watch the connection. If the connection between the client and the server goes through an un-trusted network, such as the internet, you can use the compressed protocol to make traffic much more difficult to decipher. Better yet, you should consider using MySQL s built-in Secure Sockets Layer (SSL) support to make the connection even more secure. Alternatively, you can employ Secure Shell (SSH) to get an encrypted TCP/IP connection between a MySQL server and a Copyright 2010, Sun Microsystems 5

6 MySQL client. Post-Installation Tasks Immediately after you have installed MySQL, it is strongly recommended you perform several tasks to harden the server if you have not already done so when prompted if you chose to use the installation GUI. Delete the test database The default TEST database has very permissive grants and should be dropped. DROP DATABASE test; Secure the root account By default when MySQL is installed on Windows, several accounts are created with blank passwords. MySQL creates an account with the username of root with a blank password. The root user is a super user account that can do anything on the MySQL server. This root account is for connections from the local host only. There is also a second root user which is created that can connect from remote machines. If you used the GUI-based MySQL installation you may have also chosen to create a root account which can connect from remote machines by explicitly selecting the option Enable root access from machines. Below is the procedure to set the password for the root account if you have chosen to retain it. SET PASSWORD FOR root@localhost=password('password ); FLUSH PRIVILEGES; Delete the anonymous accounts By default two anonymous user accounts are also created, each with an empty username and no passwords. One of these anonymous accounts is for connecting from the local host. The other anonymous account can connect from any host and has privileges for the test database and any other databases which start with the name test. It is strongly recommended to drop these accounts. This can be accomplished by issuing the following command against the mysql database: DELETE FROM user WHERE user = ; FLUSH PRIVILEGES; The mysql_secure_installation script Copyright 2010, Sun Microsystems 6

7 The previously described steps can also be automated by using the interactive mysql_secure_installation script which you will find in the scripts directory if you opted to use the.zip installation. Running this script will set the root password, remove remote root access, remove the anonymous accounts and delete the default test database. As previously mentioned, many of these tasks are addressed in the MySQL GUI installer for Windows. Running the MySQL Server Securely To use client programs, the MySQL process, mysqld, must be running. On Windows, users will likely choose to run MySQL as a service. (This option can easily be configured using the MySQL GUI installer for Windows.) Because clients gain access to databases by connecting to the server, mysqld is the main program that does the work. Depending on the installation package you chose, the server is accompanied by several related scripts that perform setup operations when you install MySQL or that assist you in starting and stopping the server. mysqld can (and should) be run as an ordinary, unprivileged user. Account Management Similar to other database management systems, the GRANT and REVOKE statements are used for controlling access to MySQL. As a best practice, do not grant more privileges than necessary. Never grant privileges to all hosts. For example: Try mysql -u root at the command line. If you are able to connect successfully to the server without being asked for a password, anyone can connect to your MySQL server as the MySQL root user with full privileges. Use the SHOW GRANTS statement to check which accounts have access to what. Then use the REVOKE statement to remove those privileges that are not necessary. Do not grant the PROCESS or SUPER privilege to non-administrative users. The output of SHOW PROCESSLIST shows the text of any statements currently being executed, so any user who is allowed to see the server process list might be able to see statements issued by other users such as: UPDATE user SET password=password('some_password') The mysqld process reserves an extra connection for users who have the SUPER privilege, so that a MySQL root user can always log in and check server activity even if all available connections are in use. The SUPER privilege can be used to terminate client connections, change server operation by changing the value of system variables, and control replication servers. Never grant this privilege unless absolutely necessary, as the potential for negatively affecting the server, either intentionally or unintentionally is possible. Do not grant the FILE privilege to non-administrative users. Any user that has this privilege can write a file anywhere in the file system with the privileges of the mysqld process. To make this a bit safer, files generated with SELECT... INTO OUTFILE do not overwrite existing files and are write-able by everyone. Copyright 2010, Sun Microsystems 7

8 Failed Logins The max_connect_errors system variable determines if there are more than this number of interrupted connections from a host before that host is blocked from further connections. You can unblock a blocked host with the FLUSH HOSTS statement. By default, the MySQL server blocks a host after 10 connection errors. Limiting Account Resources MySQL does also offer the ability to limit the number of connections and queries that can be issued from a client during a specified period of time. One means of limiting the use of MySQL server resources is to set the max_user_connections system variable to a non-zero value. However, this method is strictly global, and does not allow for management of individual accounts. In addition, it limits only the number of simultaneous connections made using a single account, and not what a client can do once connected. As of version 5.5, you can limit the following server resources for individual accounts: The number of queries that an account can issue per hour The number of updates that an account can issue per hour The number of times an account can connect to the server per hour The number of simultaneous connections to the server an account can have You can enable these limits with a GRANT statement, for example: GRANT USAGE ON *.* TO localhost WITH MAX QUERIES PER HOUR 50 MAX UPDATES PER HOUR 25 MAX CONNECTIONS PER HOUR 10 MAX_USER_CONNECTIONS 5; Password Management MySQL users and passwords have nothing to do with users and passwords on Windows. Below are some tips for managing passwords: Never give anyone (except MySQL root accounts) access to the user table in the mysql database. The encrypted password is the real password in MySQL. Anyone who knows the password that is listed in the user table and has access to the host listed for the account can easily log in as that user. Do not store any plain-text passwords for your application in the database. If your computer becomes compromised, the intruder can take the full list of passwords and use them. Instead, use MD5(), SHA1(), or some other one-way hashing function and store the hash value. Always choose a strong password which includes letters, numbers and special characters. There are many readily available programs which through brute force can eventually guess the password to your server. Copyright 2010, Sun Microsystems 8

9 Encrypted Passwords MySQL encrypts passwords using its own algorithm. User accounts are listed in the user table of the mysql database. Each account is assigned a password. The password column of the user table is not the plaintext version of the password, but a hash value computed from it. Password hash values are computed by the PASSWORD() function. The server uses hash values during authentication when a client first attempts to connect. The server generates hash values if a connected client invokes the PASSWORD() function or uses a GRANT or SET PASSWORD statement to set or change a password. Password Uniqueness and Complexity If end users use the mysql client application to connect to a database application, then they are also allowed to change their own password. There is currently no real-time enforcement of the complexity of passwords, their length or age. For users with a subscription to MySQL Enterprise, the Knowledge Base offers some articles and scripts to use in which you can check for: Password complexity against a dictionary file Length Case sensitivity Character sensitivity Same login and password Encryption MySQL provides built-in functions to encrypt and decrypt data values. AES functions allow encryption and decryption of data using the official Advanced Encryption Standard algorithm, previously known as Rijndael Encoding is done with a 128-bit key length is used, but you can extend it up to 256 bits by modifying the source code. DES functions allow for encryption and decryption using the Triple-DES algorithm. MD5 functions calculate a 128-bit checksum for a string. SHA1 calculates a 160-bit checksum for the string, however SHA-1 algorithms have become known and you should strongly consider using one of the other encryption functions. Below is a list of some of the common encryption functions used with MySQL: AES_ENCRYPT() AES_DECRYPT() DES_ENCRYPT() DES_DECRYPT() MD5() SHA1() Copyright 2010, Sun Microsystems 9

10 An example of how to use the AES functions is illustrated below: INSERT INTO table.col1 VALUES (AES_ENCRYPT( , my_password )); and SELECT AES_DECRYPT(col1, my_password ) col1 FROM table1; Data Communication It is best not to transmit plain (unencrypted) data over the Internet. This information is accessible to everyone who has the time and ability to intercept it and use it for their own purposes. Instead, use an encrypted protocol such as SSL or SSH. Another technique is to use SSH port-forwarding to create an encrypted (and compressed) tunnel for the communication. The standard configuration of MySQL is intended to be as fast as possible, so encrypted connections are not used by default. Doing so would make the client/server protocol much slower. Encrypting data is a CPU-intensive operation that requires the computer to do additional work and can delay other MySQL tasks. For applications that require the security provided by encrypted connections, the extra computation is warranted. MySQL allows encryption to be enabled on a per-connection basis. You can choose a normal unencrypted connection or a secure encrypted SSL connection according the requirements of individual applications. Secure connections are based on the OpenSSL API and are available through the MySQL C API. It should be noted that MySQL Replication uses the C API, so secure connections can be used between master and slave servers. For instructions on how to configure MySQL with SSL please visit: Another way to connect securely is from within an SSH connection to the MySQL server host. For instructions on how to configure this option, see: In general it is better to use IP numbers rather than hostnames in the grant tables whenever possible. In any case, you should be very careful about creating grant table entries using hostname values that contain wildcards. Database Replication It is best to set up an exclusive account on the master server that the slave server can use to connect. This account must be given the REPLICATION SLAVE privilege. If this account is used only for replication (which is recommended), you don't need to grant any additional privileges. For example: GRANT REPLICATION SLAVE ON *.* Copyright 2010, Sun Microsystems 10

11 TO IDENTIFIED BY 'password'; If you plan to use the LOAD TABLE FROM MASTER or LOAD DATA FROM MASTER statements from the slave host, you must grant this account additional privileges: Grant the account the SUPER and RELOAD global privileges. (Recall that the SUPER privilege is comparable to root) Grant the SELECT privilege for all tables that you want to load. Any master tables from which the account cannot SELECT will be ignored by LOAD DATA FROM MASTER. Securing MySQL with MySQL Enterprise For production deployments of MySQL, we recommended that a company subscribe to MySQL Enterprise. MySQL Enterprise contains the software and services necessary to support MySQL in mission-critical environments where a business is relying on their database-driven systems to drive their key applications. The MySQL Enterprise subscription is comprised of the following three components: The MySQL Enterprise Server is the most reliable, secure and up-to-date version of MySQL. MySQL Enterprise provides the added value of the update services wrapped around the MySQL Enterprise server in the form of: Monthly Rapid Updates Quarterly Service Packs Hot Fix Build Program Extended End-of-Life Program The MySQL Enterprise Monitor with Query Analyzer is a distributed web application that you deploy within the safety of your corporate firewall. The Monitor continually monitors all of your MySQL servers and proactively alerts you to potential problems and tuning opportunities before they become costly outages. It also provides you with MySQL expert advice on the issues it has found so you know where to spend your time in optimizing your MySQL systems. Copyright 2010, Sun Microsystems 11

12 The security related features of Enterprise Monitor include the ability to monitor: Unplanned security changes users with global privileges Appropriate passwords/usage Inappropriate user privileges Root user issues Others MySQL Production Support Services MySQL Enterprise includes 24 X 7 X 365 production support for your MySQL servers to help ensure your business critical applications are continuously available and running at their peak. MySQL Production Support Services include: Online Self-Help Support The knowledge base is a self-help tool that provides you with access to 2,000+ technical articles on MySQL specific topics that help quickly answer questions and solve problems. Problem Resolution Support Allows you to work directly with the MySQL Production Support team via phone, or an online for quick resolution of technical problems. Consultative Support Allows you to work with MySQL Engineers on the proper installation, configuration and deployment of MySQL and its advanced feature set and on best practices around the design and tuning of schemas, queries and application specific code. Advanced Support for MySQL High Availability and Scalability Solutions MySQL Enterprise includes full production support for additional advanced MySQL features and third-party solutions to scale the availability and performance of your online applications. MySQL on Windows Case Studies Below are some examples of MySQL customers realizing lower TCO by running MySQL on Windows. Adobe Relies on MySQL to Make Creative Professionals More Productive Adobe Systems is one of the largest software companies and is the leading provider of creative tools for print, web, interactive, mobile, video and film. Adobe embeds MySQL into several Adobe Creative Suite 3 components, including Adobe Acrobat CS3, Adobe Bridge CS3, and Adobe Version Cue CS3 so that workgroups can work more efficiently on complex projects. For more information please visit: NetQoS Delivers Distributed Network Management Solution with Embedded MySQL NetQoS delivers products and services that enable some of the world s most demanding enterprises to improve network performance. American Express, Barclays, Boeing, Chevron, Cisco, Citrix, DuPont, Sara Lee, and Schlumberger are among the corporations that rely on NetQoS performance management solutions to ensure consistent delivery of business critical applications, monitor application service levels, troubleshoot problems quickly, contain infrastructure costs, and manage user expectations. To find the right embedded database solution to fit its innovative product architecture, NetQoS evaluated everything from flat-files to proprietary databases. NetQoS found that MySQL provided the ideal combination of performance, reliability, and ease of administration on Windows. For more information please visit: Copyright 2010, Sun Microsystems 12

13 For a complete list of case studies and other resources concerning organizations making use of MySQL on Windows, please visit: Conclusion In this paper we presented a recap of many of the post-installation tasks required to secure an installation of the MySQL server on Windows. We covered topics related to account and password management, encryption and network access. Because MySQL continues to be a very popular choice on Windows, we strongly encourage you to review these guidelines and implement then into your standard operating procedures. Resources White Papers Case Studies Press Releases, News and Events Live Webinars Webinars on Demand About MySQL MySQL is the most popular open source database software in the world. Many of the world's largest and fastest-growing organizations use MySQL to save time and money powering their high-volume Web sites, critical business systems and packaged software -- including industry leaders such as Yahoo!, Alcatel- Lucent, Google, Nokia, YouTube and Zappos.com. At Sun provides corporate users with commercial subscriptions and services, and actively supports the large MySQL open source developer community. To discover how Sun s offerings can help you harness the power of next-generation Web capabilities, please visit Copyright 2010, Sun Microsystems 13