rule_id: codeguard-0-data-storage

Database Security Guidelines

This rule advises on securely configuring SQL and NoSQL databases to protect against data breaches and unauthorized access:

• Backend Database Protection

  • Isolate database servers from other systems and limit host connections.
  • Disable network (TCP) access when possible; use local socket files or named pipes.
  • Configure database to bind only on localhost when appropriate.
  • Restrict network port access to specific hosts with firewall rules.
  • Place database server in separate DMZ isolated from application server.
  • Never allow direct connections from thick clients to backend database.

• Transport Layer Security

  • Configure database to only allow encrypted connections.
  • Install trusted digital certificates on database servers.
  • Use TLSv1.2+ with modern ciphers (AES-GCM, ChaCha20) for client connections.
  • Verify digital certificate validity in client applications.
  • Ensure all database traffic is encrypted, not just initial authentication.

• Secure Authentication Configuration

  • Always require authentication, including from local server connections.
  • Protect accounts with strong, unique passwords.
  • Use dedicated accounts per application or service.
  • Configure minimum required permissions only.
  • Regularly review accounts and permissions.
  • Remove accounts when applications are decommissioned.
  • Change passwords when staff leave or compromise is suspected.

• Database Credential Storage

  • Never store credentials in application source code.
  • Store credentials in configuration files outside web root.
  • Set appropriate file permissions for credential access.
  • Never check credential files into source code repositories.
  • Encrypt credential storage using built-in functionality when available.
  • Use environment variables or secrets management solutions.

• Secure Permission Management

  • Apply principle of least privilege to all database accounts.
  • Do not use built-in root, sa, or SYS accounts.
  • Do not grant administrative rights to application accounts.
  • Restrict account connections to allowed hosts only.
  • Use separate databases and accounts for Development, UAT, and Production.
  • Grant only required permissions (SELECT, UPDATE, DELETE as needed).
  • Avoid making accounts database owners to prevent privilege escalation.
  • Implement table-level, column-level, and row-level permissions when needed.

• Database Configuration and Hardening

  • Install required security updates and patches regularly.
  • Run database services under low-privileged user accounts.
  • Remove default accounts and sample databases.
  • Store transaction logs on separate disk from main database files.
  • Configure regular encrypted database backups with proper permissions.
  • Disable unnecessary stored procedures and dangerous features.
  • Implement database activity monitoring and alerting.

• Platform-Specific Hardening

  • SQL Server: Disable xp_cmdshell, CLR execution, SQL Browser service, Mixed Mode Authentication (unless required).
  • MySQL/MariaDB: Run mysql_secure_installation, disable FILE privilege for users.
  • PostgreSQL: Follow PostgreSQL security documentation guidelines.
  • MongoDB: Implement MongoDB security checklist requirements.
  • Redis: Follow Redis security guide recommendations.

Summary:
Isolate database systems, enforce encrypted connections, implement strong authentication, store credentials securely using secrets management, apply least privilege permissions, harden database configurations, and maintain regular security updates and monitoring.