Friday, July 17, 2015

Speaking next Wednesday July 22nd, at Vermont SQL PASS group, thanks to Roman Rehak for the invite!

I'll be doing an update to Database Security Best Practices for the Vigilant DBA and Developer, with a look at the SQL 2016 CTP2.1 Always Encrypted option.
UPDATE: Post-presentation link to download the slide deck

Wednesday, June 17, 2015

MySQL Database Security Best Practices for the Vigilant: The Terse Top XV

1. Strong passwords: there is no excuse. Use online tools to generate passwords of 15 alphanumeric characters or more.
2. Rename the root account (UPDATE mysql.user SET user='NewName' WHERE user='root'; FLUSH PRIVILEGES;)
3. Apply the latest MySQL DB Server patches (see 12)
4. Restrict access to the Program Data and log (slow, error) folders
5. Make sure users connect only from specific IDs/IPs or application servers.
6. For DB users, grant privileges from most restrictive upwards, not full access then down.
7. Use skip-networking in the configuration file if the server is to be used only locally.
8. Configure disaster recovery with binary log replication to a remote site if the server is critical, or replicate backups at the very least and load them to a standby server.
9. If the data is sensitive, allow SSL connections only (set secure_auth ON)
10. Change the TCP port to a non-standard one (thus not 3306)
11. Restrict access to and ownership of the datadir, and set datadir in the configuration file to place data in a non-default location.
12. Use versions released after the Oracle purchase AND after known vulnerabilities were fixed, thus 5.6.26 and up, since (update) in August 2015 new vulnerabilities were published for 5.6.24 and below (ouch).
13. Ensure root has not been granted remote access (SHOW GRANTS)
14. Ensure there are no empty passwords
15. Groom your user lists frequently and disable/drop unused accounts
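
Several of the items above can be checked mechanically. The Python below is an added example, not code from the original post: it audits rows exported from mysql.user (items 2, 5, 13, 14) and the [mysqld] section of a configuration file (items 9, 10, 11). The sample rows, the sample configuration, the function names and the /var/lib/mysql default datadir are constructed assumptions.

```python
import configparser

# Constructed sample rows, shaped like the output of
#   SELECT user, host, password FROM mysql.user;   (5.6-era column names)
SAMPLE_USERS = [
    ("root", "localhost", "*CONSTRUCTED_HASH_1"),
    ("root", "%", "*CONSTRUCTED_HASH_1"),
    ("app", "10.0.0.12", "*CONSTRUCTED_HASH_2"),
    ("report", "%", ""),
]
# Constructed sample configuration file.
SAMPLE_CNF = "[mysqld]\nport = 3306\ndatadir = /var/lib/mysql\nsecure_auth = OFF\n"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_users(rows):
    """Return (list item number, message) findings for items 2, 5, 13, 14."""
    findings = []
    for user, host, pw_hash in rows:
        acct = f"'{user}'@'{host}'"
        if user == "root":
            findings.append((2, f"{acct}: root account not renamed"))
            if host not in LOCAL_HOSTS:
                findings.append((13, f"{acct}: root can connect remotely"))
        if "%" in host:
            findings.append((5, f"{acct}: wildcard host, not a specific IP"))
        if not pw_hash:
            findings.append((14, f"{acct}: empty password"))
    return findings

def audit_config(cnf_text, default_datadir="/var/lib/mysql"):
    """Return findings for items 9, 10, 11 from the [mysqld] section."""
    # Drop !include directives, which configparser cannot parse.
    lines = [l for l in cnf_text.splitlines() if not l.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    # MySQL accepts dashes and underscores interchangeably in option names.
    cp.optionxform = lambda key: key.lower().replace("-", "_")
    cp.read_string("\n".join(lines))
    opts = dict(cp["mysqld"]) if cp.has_section("mysqld") else {}
    findings = []
    # With skip-networking there is no TCP listener, so the port is moot.
    if "skip_networking" not in opts and (opts.get("port") or "3306") == "3306":
        findings.append((10, "listening on the default TCP port 3306"))
    # The default differs between versions, so require an explicit setting.
    if (opts.get("secure_auth") or "").upper() not in ("ON", "1", "TRUE"):
        findings.append((9, "secure_auth is not explicitly ON"))
    if (opts.get("datadir") or default_datadir).rstrip("/") == default_datadir:
        findings.append((11, "datadir is the default location"))
    return findings

if __name__ == "__main__":
    for item, msg in audit_users(SAMPLE_USERS) + audit_config(SAMPLE_CNF):
        print(f"item {item}: {msg}")
```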

PS: while on the subject, here's some awesome MySQL training

Sunday, January 04, 2015

Improve Your Wifi Connection Speed with the Use of a Simple 6’/2m USB Cable Extension

For years now we have dropped using Cat6 at home for Wifi, since the Cat5e cables in the house we moved into four years ago were damaged by construction and renovations. Even though we've purchased high end routers that claim amazing speeds, and even the other year a new Cisco router with AC capabilities, the main thing that has really improved connectivity has been the use of a high quality shielded USB 2.0 extension cable (and once Wifi AC has thoroughly set in, a USB 3.0 cable of the same quality would follow suit).

When you are close to the router, this is not an issue since speeds of 172-225Mbps are able enough for most network traffic, but the extension really pays itself off when you are far from your router where interference from your body in the way makes a difference! Even though our router is placed close to the ceiling of the basement, well above the ground, and slightly higher than the cement foundation of the house, when we connect two floors up in the home office from the desk in the side of the house, Wifi speeds drop down to 30Mbps. At this point, we’re barely higher than the maximum download speeds and if you are on an encrypted connection to your servers at work, the connection speed is subject to frequent interruptions or unbearably slow. That’s when I looked at the pile of USB extension cables I had lying around from a recent machine rebuild, and the Wifi USB adapter that was collecting dust since purchase of the router (included in the Cisco Router bundle). As most users of a laptop, I had pre-determined that the internal Wifi adapter was presumably good enough – indeed I was most incorrect.

After adding the USB cable extension with the idle USB Wifi adapter to my laptop, and extending in the direction of the router across the desk and dangling down to the floor, connectivity speeds increased to between 72-98Mbps (at least two and a half times the speed). At this point, the flaky VPN connectivity to servers went away. I also made sure to extend the cable away from anything that would cause interference – and I would suggest moving around the final location of the USB adapter at the end of the extension to find your respective sweet spot for the communication to the router.