Database security: securing SQL Server, MySQL and PostgreSQL

Databases are the most valuable target in any organization: customer data, financial data, password hashes, trade secrets. At the same time, databases are often poorly secured—default configurations, overly broad permissions, and a lack of encryption are the norm. This guide outlines the most important security measures for the three most common database systems.

Common Database Security Issues

Typical findings in DB security assessments:

Authentication:
  □ Root/SA account active and accessible
  □ Weak default passwords (root/root, sa/password)
  □ Passwords in plain text in config files
  □ Shared credentials: all applications use the same DB user
  □ No MFA for administrative database access

Authorization:
  □ Application users with GRANT ALL or DBA privileges
  □ No schema-level locking: Application reads tables it doesn’t need
  □ Publicly accessible DB port (3306, 5432, 1433 directly from the Internet!)

Encryption:
  □ No TLS for connections (plaintext transmission!)
  □ No encryption at rest (hard drive theft = data loss)
  □ Passwords stored as MD5 or SHA1 (unsalted!)

Logging:
  □ No audit log: who queried which data?
  □ No detection of database dumps (SELECT * FROM customers WHERE 1=1)
  □ Logs are not stored centrally (SIEM integration missing)

Patch management:
  □ Outdated database versions with known CVEs
  □ No patching process for database servers

PostgreSQL Hardening

File: postgresql.conf

# Limit connections:
listen_addresses = &#x27;127.0.0.1&#x27;    # Only localhost! No 0.0.0.0!
port = 5432
max_connections = 100

# Enforce SSL:
ssl = on
ssl_cert_file = &#x27;/etc/postgresql/server.crt&#x27;
ssl_key_file = &#x27;/etc/postgresql/server.key&#x27;
ssl_min_protocol_version = &#x27;TLSv1.2&#x27;
ssl_ciphers = &#x27;HIGH:MEDIUM:+3DES:!aNULL&#x27;

# Logging (for auditing):
log_connections = on
log_disconnections = on
log_duration = on
log_statement = &#x27;ddl&#x27;          # Log DDL statements (CREATE/DROP/ALTER)
log_min_duration_statement = 1000  # Log queries &gt; 1s (slow queries)
log_line_prefix = &#x27;%t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h &#x27;
log_destination = &#x27;csvlog&#x27;
logging_collector = on

---

File: pg_hba.conf (Client Authentication):

# Only specific hosts are allowed to connect:
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer      # Only OS user &quot;postgres&quot;
host    myapp     myappuser 10.0.1.0/24    scram-sha-256   # App server IP
host    all       all       0.0.0.0/0      reject    # All others: BLOCKED

---

Users and Permissions:

-- Revoke root access (postgres user only locally):
REVOKE CONNECT ON DATABASE myapp FROM PUBLIC;

-- Application user with minimal privileges:
CREATE USER myapp_user WITH PASSWORD &#x27;StrongPassword123!&#x27;;
GRANT CONNECT ON DATABASE myapp TO myapp_user;
GRANT USAGE ON SCHEMA public TO myapp_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO myapp_user;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO myapp_user;

-- DO NOT: GRANT ALL PRIVILEGES ON DATABASE myapp TO myapp_user;
-- DO NOT: GRANT SUPERUSER TO myapp_user;

-- Read-Only User for Reporting:
CREATE USER reporting_user WITH PASSWORD &#x27;ReadOnly456!&#x27;;
GRANT CONNECT ON DATABASE myapp TO reporting_user;
GRANT USAGE ON SCHEMA public TO reporting_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO reporting_user;

-- Row-Level Security (RLS) for multi-tenant:
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
CREATE POLICY kunden_tenant_policy ON kunden
  USING (tenant_id = current_setting(&#x27;app.tenant_id&#x27;)::INT);

---

Password Hashing in PostgreSQL:
-- WRONG: MD5 (default in older versions):
-- CREATE USER user WITH PASSWORD &#x27;pw&#x27; ENCRYPTED;  -- generates MD5!

-- CORRECT: scram-sha-256 (default since PostgreSQL 10):
ALTER SYSTEM SET password_encryption = &#x27;scram-sha-256&#x27;;
SELECT pg_reload_conf();
-- Then reset all passwords!

MySQL/MariaDB Hardening

Initial hardening with mysql_secure_installation:
  mysql_secure_installation
  → Set root password: YES
  → Remove anonymous users: YES
  → Disable remote root login: YES
  → Remove test database: YES
  → Reload privileges: YES

/etc/mysql/mysql.conf.d/mysqld.cnf:

[mysqld]
# Network:
bind-address = 127.0.0.1          # No remote access!
skip-networking = 0               # Local socket ok
port = 3306

# Security:
local-infile = 0                  # Disable LOAD DATA LOCAL INFILE
skip-symbolic-links               # Prevent symlink attacks
secure-file-priv = /var/lib/mysql-files  # Restrict file access
sql_mode = &quot;STRICT_ALL_TABLES,NO_AUTO_CREATE_USER&quot;

# SSL:
ssl-ca = /etc/mysql/ca.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
require_secure_transport = ON    # SSL REQUIRED for all connections!

# Logging:
general_log = OFF                 # Log all queries (high I/O!)
general_log_file = /var/log/mysql/general.log
log_error = /var/log/mysql/error.log
slow_query_log = ON
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2

---

User hardening:

-- Remove unnecessary users:
SELECT user, host FROM mysql.user;
DROP USER IF EXISTS &#x27;&#x27;@&#x27;localhost&#x27;;    -- Anonymous user
DROP USER IF EXISTS &#x27;&#x27;@&#x27;hostname&#x27;;    -- Anonymous user
DROP USER IF EXISTS &#x27;root&#x27;@&#x27;%&#x27;;       -- PROHIBIT remote root!

-- Root allowed only locally:
UPDATE mysql.user SET host=&#x27;localhost&#x27; WHERE user=&#x27;root&#x27;;
FLUSH PRIVILEGES;

-- Application user:
CREATE USER &#x27;webapp&#x27;@&#x27;10.0.1.%&#x27; IDENTIFIED BY &#x27;StrongPassword!&#x27;;
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO &#x27;webapp&#x27;@&#x27;10.0.1.%&#x27;;
-- DO NOT: GRANT ALL ON *.* TO &#x27;webapp&#x27;;

-- Password policy plugin:
INSTALL PLUGIN validate_password SONAME &#x27;validate_password.so&#x27;;
SET GLOBAL validate_password_policy=STRONG;
SET GLOBAL validate_password_length=12;
SET GLOBAL validate_password_mixed_case_count=1;
SET GLOBAL validate_password_special_char_count=1;

-- Audit logging (MariaDB Audit Plugin):
INSTALL PLUGIN server_audit SONAME &#x27;server_audit&#x27;;
SET GLOBAL server_audit_logging=ON;
SET GLOBAL server_audit_events=&#x27;CONNECT,QUERY_DDL&#x27;;

Microsoft SQL Server Hardening

Basic hardening measures:

-- Disable the SA account (if Windows Authentication is used):
ALTER LOGIN sa DISABLE;
-- Or: set a strong password + rename:
ALTER LOGIN sa WITH NAME = [sqlbackup_only];
ALTER LOGIN sqlbackup_only WITH PASSWORD = &#x27;StrongLongPassword!2024&#x27;;

-- Windows Authentication only (no SQL Authentication):
-- SSMS: Server Properties → Security → Windows Authentication Mode

-- Disable xp_cmdshell (OS commands via SQL!):
EXEC sp_configure &#x27;show advanced options&#x27;, 1; RECONFIGURE;
EXEC sp_configure &#x27;xp_cmdshell&#x27;, 0; RECONFIGURE;

-- Restrict remote connections (specific IPs only):
-- SQL Server Configuration Manager → SQL Server Network Configuration
-- → TCP/IP Properties → IP Addresses → Configure Specific IPs

-- Enable Transparent Data Encryption (TDE):
-- Encrypt database files on disk:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = &#x27;EncryptionPassword!&#x27;;
CREATE CERTIFICATE ServerCert WITH SUBJECT = &#x27;TDE Certificate&#x27;;
CREATE DATABASE ENCRYPTION KEY
  WITH ALGORITHM = AES_256
  ENCRYPTION BY SERVER CERTIFICATE ServerCert;
ALTER DATABASE MyDatabase SET ENCRYPTION ON;

---

Least Privilege for Application Users:
-- Create a new login:
CREATE LOGIN AppUser WITH PASSWORD = &#x27;SecurePassword123!&#x27;;

-- Access only to a specific database:
USE MyDatabase;
CREATE USER AppUser FOR LOGIN AppUser;

-- Only necessary schema permissions:
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO AppUser;
DENY EXECUTE ON xp_cmdshell TO AppUser;  -- Extra security!
-- DO NOT: GRANT CONTROL ON DATABASE TO AppUser;
-- DO NOT: Membership in db_owner!

---

SQL Server Audit:
CREATE SERVER AUDIT MyAudit
  TO FILE (FILEPATH = &#x27;C:\SQLAudit\&#x27;);

CREATE DATABASE AUDIT SPECIFICATION MyDBSpec
FOR SERVER AUDIT MyAudit
  ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public);

ALTER SERVER AUDIT MyAudit WITH (STATE = ON);
ALTER DATABASE AUDIT SPECIFICATION MyDBSpec WITH (STATE = ON);

SQL Injection Prevention - Code Level

SQL injection is the #1 database threat (OWASP A03:2021)

WRONG - String concatenation:
  # Python (insecure!):
  query = &quot;SELECT * FROM users WHERE name = &#x27;&quot; + user_input + &quot;&#x27;&quot;
  cursor.execute(query)
  # Attacker: user_input = &quot;&#x27; OR &#x27;1&#x27;=&#x27;1&quot;
  # → Query: SELECT * FROM users WHERE name = &#x27;&#x27; OR &#x27;1&#x27;=&#x27;1&#x27;
  # → All users are returned!

CORRECT - Prepared Statements:
  # Python (secure!):
  query = &quot;SELECT * FROM users WHERE name = %s&quot;
  cursor.execute(query, (user_input,))

  # Java JDBC:
  PreparedStatement stmt = conn.prepareStatement(
    &quot;SELECT * FROM users WHERE name = ?&quot;
  );
  stmt.setString(1, userName);

  # Node.js with pg (PostgreSQL):
  const result = await client.query(
    &#x27;SELECT * FROM users WHERE name = $1&#x27;,
    [userName]
  );

  # PHP PDO:
  $stmt = $pdo-&gt;prepare(&#x27;SELECT * FROM users WHERE name = :name&#x27;);
  $stmt-&gt;execute([&#x27;name&#x27; =&gt; $userName]);

ORM as additional protection:
  → Prisma, Sequelize, Hibernate, Entity Framework
  → ORMs automatically generate prepared statements
  → BUT: Raw queries in ORM can still be vulnerable!
  → Hibernate: session.createQuery(&quot;... WHERE id = :id&quot;).setParameter(&quot;id&quot;, id)

Stored Procedures (if parameterized):
  CREATE PROCEDURE GetUser @UserName NVARCHAR(50)
  AS
  BEGIN
    SELECT * FROM Users WHERE Name = @UserName;
  END;
  -- NO dynamic SQL in SP: EXEC(&#x27;SELECT... &#x27; + @param) → insecure!

Input validation as a second line of defense:
  → Type checking: is ID really a number? int(user_id)
  → Whitelist: accept only allowed characters
  → Limit length: max 255 characters for strings
  → NO blacklist! Attackers always find ways to bypass them

Database Monitoring and Audit

What needs to be monitored?

  □ All logins (successful + failed)
  □ Privileged actions (GRANT, DROP, ALTER)
  □ Data access to sensitive tables (customers, finances, passwords)
  □ Mass queries: &quot;SELECT * WHERE 1=1&quot; → potential data dump!
  □ Connections from unusual IP addresses
  □ Connections active outside business hours
  □ Schema changes (CREATE TABLE, ALTER TABLE)

SIEM integration:

  Filebeat → Elasticsearch (for MySQL logs):
  filebeat.inputs:
  - type: log
    paths:
      - /var/log/mysql/general.log
      - /var/log/mysql/error.log
    fields:
      source: mysql
      env: production

  Alert for suspicious queries (Elasticsearch KQL):
  message: *SELECT * FROM* AND message: *WHERE 1=1*
  → Possible database dump!

Database Activity Monitoring (DAM) Tools:
  → IBM Guardium: Enterprise DAM
  → Imperva Database Security: comprehensive monitoring
  → pgAudit: Open Source for PostgreSQL
  → MySQL Enterprise Audit: commercial

  DAM Features:
  → Real-time detection of SQL injection patterns
  → Behavior baseline: normal query traffic vs. anomalies
  → Automatic blocking upon detected attack (optional)
  → GDPR-compliant logging (who, what, when)

Backup security:
  □ Are backups encrypted? (mysqldump | gpg -e &gt; backup.sql.gpg)
  □ Backup server: separate from the production network
  □ Backup access: dedicated user with minimal privileges
  □ Restore test: monthly (can we actually restore data?)
  □ Backup retention: how long? (GDPR: no longer than necessary!)