
Appendix A: Security Tips


This chapter contains useful tips on how to secure a MySQL installation.

 

Changing the Service User Account

By default the MySQL service runs as the LocalSystem account, which might be a security problem if your database server is connected to a non-trusted network. We recommend changing the service to run under a different user account.

 

1. Create a new user account, for example MySQL, and give this user account no special permissions.
2. In the services control panel (Administrative Tools), double-click the MySQL service and select the Log On tab. Click on This account and select the user account you just created, then click OK.

[Screenshot: servicelogon]

3. Restart the service to make the changes effective.

 

Adjusting Access Rights on the Data File directory

We also need to change the access permissions on the directory where the data files are stored, C:\MySQL InnoDB Datafiles\ by default. This directory gives everybody full permissions by default.

 

This directory should really only be accessible to Administrators and the MySQL user account we just created. Configure the access rights as shown below, giving both MySQL and Administrators FULL ACCESS to the folder.

 

[Screenshot: securityproperties]

 

Changing the default TCP port 3306

It is sometimes a good idea to change the default port MySQL is listening on for remote connections. This can be done by adding the line

 

port = 9754

 

to the my.ini file in the [mysqld] section. The my.ini file is usually located in the installation folder of your MySQL installation. You will need to restart the service for this change to become effective. You will also need to make sure that connections from untrusted networks, such as the Internet, are sufficiently protected with a firewall or similar device.
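
The following PowerShell script is an added example, not part of the original documentation: it performs a read-only check of the three settings described above (service account, data directory permissions, listening port). The service name `MySQL`, the my.ini path and the English group name `BUILTIN\Administrators` are assumptions; adjust them to your installation.

```powershell
# Added example: read-only check of the three settings from this appendix.
# Assumed values (not from the page): service name, my.ini path, and the
# English group name BUILTIN\Administrators.
$ServiceName  = 'MySQL'                       # assumed service name
$ExpectedUser = 'MySQL'                       # account created in step 1
$DataDir      = 'C:\MySQL InnoDB Datafiles'   # default data directory
$IniPath      = 'C:\MySQL\my.ini'             # assumed installation folder
$findings = @()

# 1. The service must not run as LocalSystem.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    $findings += "Service: '$ServiceName' not found"
} elseif (($svc.StartName -split '\\')[-1] -ne $ExpectedUser) {
    $findings += "Service: runs as '$($svc.StartName)', expected '$ExpectedUser'"
}

# 2. Only Administrators and the service account may hold Allow entries.
if (Test-Path -LiteralPath $DataDir) {
    foreach ($ace in (Get-Acl -LiteralPath $DataDir).Access) {
        $name = $ace.IdentityReference.Value
        $ok = $name -eq 'BUILTIN\Administrators' -or
              ($name -split '\\')[-1] -eq $ExpectedUser
        if ($ace.AccessControlType -eq 'Allow' -and -not $ok) {
            $findings += "ACL: '$name' has $($ace.FileSystemRights) on $DataDir"
        }
    }
} else {
    $findings += "ACL: data directory '$DataDir' not found"
}

# 3. Read the port from the [mysqld] section; no entry means 3306.
$section = ''; $port = 3306
if (Test-Path -LiteralPath $IniPath) {
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        if ($line -match '^\s*\[(.+?)\]') { $section = $Matches[1] }
        elseif ($section -eq 'mysqld' -and $line -match '^\s*port\s*=\s*(\d+)') {
            $port = [int]$Matches[1]
        }
    }
} else {
    $findings += "Port: '$IniPath' not found"
}
if ($port -eq 3306) { $findings += 'Port: [mysqld] uses the default 3306' }

if ($findings) { $findings } else { 'All three settings match this appendix.' }
```

Run it from an elevated prompt so that Get-Acl can read the directory once access has been restricted to Administrators and the service account.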

 

Staying Up To Date

You need to apply patches and software updates as soon as they become available to avoid security problems and worm infections. To stay informed, subscribe to the low-volume MySQL Announcement mailing list.