Database security best practices

Network security is the number one priority for all IT departments.

On the database side:

  • Create a database user that has the least amount of access needed to accomplish database tasks.
  • Work with your IT department to secure (harden) the computer on which the relational database is installed.
  • Change your database configuration to permit connections that use the latest TLS version protocols.
     IMPORTANT: For security reasons, each database connection must support the latest TLS connection protocol. TLS 1.0 and TLS 1.1 connection protocols no longer meet our security standards. Coordinate with your database administrator to make sure that your database supports the latest TLS version. 

    The following table gives an overview of the TLS versions supported by different databases and provides information about the client-side setup:

    DB type: MySQL
    Supported TLS versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
    Connection property (if any): enabledTLSProtocols
    Client-side configuration information: For Connector/J 8.0.26 and later: TLSv1 and TLSv1.1 were deprecated in Connector/J 8.0.26 and removed in release 8.0.28; Connector/J 8.0.26 or earlier must be used if TLSv1 or TLSv1.1 is required. For more information, see MySQL Connector/J 8.0 Developer Guide > Connector/J Reference > Connecting Securely Using SSL.

    DB type: Oracle
    Supported TLS versions: undetermined | 1.0 | 1.1 | 1.2
    Connection property (if any): oracle.net.ssl_version or SSL_VERSION in sqlnet.ora/listener.ora
    Client-side configuration information: For information about how to configure the version of SSL to be used, see Oracle Database Security Guide at https://docs.oracle.com and choose C Kerberos, SSL, and RADIUS Authentication Parameters > Secure Sockets Layer Version Parameters.

    DB type: MS SQL Server
    Supported TLS versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
    Connection property (if any): (none)
    Client-side configuration information: For more information about how to enable TLS 1.2 support for SQL Server 2017 on Windows, SQL Server 2016, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014, see Microsoft Support at https://support.microsoft.com and choose Knowledge Base Article KB3135244 TLS 1.2 support for Microsoft SQL Server.

    DB type: HSQLDB
    Supported TLS versions: TLSv1, TLSv1.1, TLSv1.2, or TLSv1.3
    Connection property (if any): (none)
    Client-side configuration information: HSQLDB is used internally only as a file system DB. For external (future use case), use the following Hsqldb TLS URL prefixes:

    • jdbc:hsqldb:hsqls://
    • jdbc:hsqldb:https://
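
The client-side settings in the table above can be checked before deployment. The following Python script is an added example, not part of the original guide or of Niagara: it flags MySQL JDBC URLs whose enabledTLSProtocols value includes TLSv1 or TLSv1.1, non-TLS HSQLDB server URLs, and SSL_VERSION lines that allow 1.0 or 1.1. The function names and sample inputs are constructed for illustration, and treating an unset enabledTLSProtocols or an "undetermined" SSL_VERSION as a finding is an assumption of this example.

```python
import re
from urllib.parse import parse_qs

# Versions the page says no longer meet the standard (MySQL and Oracle spellings).
WEAK = {"TLSv1", "TLSv1.1", "1.0", "1.1"}

def audit_jdbc_url(url):
    """Return findings for one JDBC URL; an empty list means nothing was flagged."""
    findings = []
    if url.startswith("jdbc:mysql:"):
        values = parse_qs(url.partition("?")[2]).get("enabledTLSProtocols")
        if not values:
            findings.append("enabledTLSProtocols not set; versions left to driver defaults")
        else:
            weak = sorted(WEAK & {v.strip() for v in values[-1].split(",")})
            if weak:
                findings.append("weak protocol(s) enabled: " + ", ".join(weak))
    elif re.match(r"jdbc:hsqldb:(hsql|http)://", url):
        findings.append("plaintext HSQLDB URL; use hsqls:// or https://")
    return findings

def audit_sqlnet(text):
    """Return findings for SSL_VERSION lines in sqlnet.ora/listener.ora content."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*SSL_VERSION\s*=\s*(.+)", line, re.IGNORECASE)
        if not m:
            continue
        versions = set(re.findall(r"undetermined|\d\.\d", m.group(1).lower()))
        weak = sorted(WEAK & versions)
        if weak:
            findings.append("SSL_VERSION allows " + ", ".join(weak))
        if "undetermined" in versions:
            findings.append("SSL_VERSION undetermined; no version pinned")
    return findings

# Constructed sample inputs (hosts and database names are placeholders).
SAMPLES = [
    "jdbc:mysql://db.example.internal:3306/history?enabledTLSProtocols=TLSv1.2,TLSv1.3",
    "jdbc:mysql://db.example.internal:3306/history?enabledTLSProtocols=TLSv1,TLSv1.2",
    "jdbc:mysql://db.example.internal:3306/history",
    "jdbc:hsqldb:hsql://db.example.internal/history",
    "jdbc:hsqldb:hsqls://db.example.internal/history",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", audit_jdbc_url(url) or "ok")
    print(audit_sqlnet("SSL_VERSION = 1.1 or 1.2\n"))
```
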

On the Niagara side:

  • Use encrypted and authenticated connections (refer to the Niagara Station Security Guide).
  • Do not enable the Sql Scheme Enabled property. This property is on the MySQLDatabase Property Sheet (to find it, expand Config > Drivers > RdbmsNetwork, and double-click the MySQLDatabase node).
  • If you are a Niagara Enterprise Security user, define a strong Passkey to protect your network PIN. To configure the Passkey, expand Config > Drivers > RdbmsNetwork, expand your MySql database and double-click Rdb Security Settings.