Vikas Rajput's Weblog

MySQL security is based on the Access Control List for all connections, queries and other operations that a user performs. Some of the features that MySQL provides as security measures
* Every user created in MySQL is characterized by its Username, Password and the value of Host from which it would establish connection. Though wildcards are allowed, it can be used to restrict access to specific users from specific hosts, thus disallowing unauthorized access.
* MySQL encrypts passwords using its own algorithm. It is a one-way operation, and no means are provided to decrypt an encrypted password
* MySQL supports SSL encrypted connection between a server and a client
* MySQL provides a very flexible Privilege system, using which each user can be granted only specific privileges that are required for its operation, thus limiting each user’s access to data to within its scope. These are implemented using the GRANT and REVOKE commands. Privileges can be granted at the Global level, database level, table level, column level or even at the routine level (Functions & Procedures)
* MySQL provides a script for secure installation (in Linux), which provides options for setting up of root password, removing anonymous accounts and test database, and removing root accounts accessible from outside
* Certain parameters provided by MySQL can be used to put some level of restrictions on Client connections. For example,
    max_user_connections -> max no. of simultaneous connections by a user

User security consists of 5 access levels that incrementally refine the privileges on user account.
* user        ->    level 1
* db           ->    level 2
* tables    ->    level 3
* columns    ->    level 4
* procs     ->    level 5           
Privileges can be granted at these levels to control the level of access to databases for users.

For example, a global access privilege can allow a user to create users, lock table, view processes or even shutdown a MySQL server, whereas, if that user’s privileges are restricted to selection of records from tables of a particular database, the user can do no more than run select queries on those particular tables from those particular databases.

There aren’t less people who count MS among Evils out there. No one would ever know the truth. But hey, why is that Evil and Good are said to be always co-existing !

True to that, MSVR (Microsoft Vulnerability Research Team) doing some good work out there. Identifying vulnerabilities in even third party apps and software. Read the full story here.