> ...it seems to say what Michael is saying but with a lot of variables
> depending on OS. Most of the important stuff can be read without
> scrolling. Scrolling down to 'Anonymous Account Removal' it explains how
> this is a security improvement -on Windows-.
>

Norm, good find. Honestly, I had never seen this document before as I
tend to just follow a "Deny all, allow exceptions" rule. But I'm
curious as to why this would be an improvement on only Windows. The
anonymous accounts on Unix are limited only to localhost, according to
this document. Removing this access is only an improvement, regardless
of operating system, as it limits who can access the database for any
reason. Since some encryptions used are based on system time, being
able to determine the exact time of the server can be considered a
security problem.

There are instructions for removing the anonymous accounts (Which is
the step I always go with, both on an operating system level, as well
as any installed servers, clients, etc). The one part that really
catches my attention is:

" As noted, none of the initial accounts have passwords. This means
that your MySQL installation is unprotected until you do something
about it:
* If you want to prevent clients from connecting as anonymous
users without a password, you should either assign a password to each
anonymous account or else remove the accounts. "

So by this document, it sounds to me like MySQL's standpoint is "Turn
the anonymous account into a user account which has no name by setting
a password, or just delete the account."

To clarify, all the tests I did earlier were on an Ubuntu
distribution. The only involvement of Windows was a MySQL connection
from a system in my network.

These are the discussions I really enjoy. Hopefully we can keep a
friendly one going and share our points of view. To that, I apologize
to you, Jerry, if I came off as being rude. I certainly respect your
point of view and am interested in hearing anything you're willing to
bring to this security, configuration, and usage discussion.. even if
we ended up hi-hacking a completed thread.

Regards,
Michael Martinek

On 27 Nov, 13:03, Michael Martinek <michael.marti...@gmail.com> wrote:
> Norm, good find. Honestly, I had never seen this document before

It is the MySQL Reference Manual for heavens sake. You have really
never come across the Reference Manual!!!!

The reference manual is where I start with any application.

Michael Martinek wrote:
> On Nov 27, 4:09 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> And no, CISP certification does not require you to disable anonymous
>> accounts. It requires you limit their actions.
>>
>
> Applicable CISP/PCI requirements (headers from the PCI doc, off VISA's
> site, https://www.pcisecuritystandards.org...dss_v1-1.pdf):
>
> Requirement 1: Install and maintain a firewall configuration to
> protect cardholder data
> Requirement 2: Do not use vendor-supplied defaults for system
> passwords and other security parameters
> Requirement 8: Assign a unique ID to each person with computer access
>

And if the anonymous account has no access, these requirements are
satisfied.

> Anonymous accounts allowing access without a user name and/or password
> meets the criteria for a vendor-supplied default. It would also allow
> users to connect to the database without identifying themselves.
>

But they have no access. So there is no problem. You really should
understand the specifications you are quoting.

> My databases store credit card information and other extremely
> sensitive information. Of course, not the ones I changed the hosts
> on.. but after working with MSPs, and having been an employee a
> leading payment gateway for a couple years. I'm familiar with what is
> being looked for in PCI compliance.. and also being familiar with
> cryptography and digital forensics, what damage you can actually do
> just by having basic anonymous access to a database server. Even if
> you're only able to determine system time, server version, etc., which
> are basic privileges on built-in methods.
>

That's fine. I am also familiar with these specifications, also. And if
there is no access to any data, the requirements are satisfied.

> In my opinion, the best route to go is to rid of the anonymous
> account. In absolutely any situation. There's no reason to set up a
> default and anonymous account and continue to use it.. if you need
> monitoring, you should set up a user login and password just for that
> purpose. By leaving a blank username, an attacker would only need to
> figure out the password. A username and password combination makes it
> so much more difficult to attack the server; if they bypass the
> firewall and ACL with the running service.
>

You go ahead and do it on your system. The rest of the world will do it
correctly.

Or better yet, go with a database like Oracle, SQL Server or DB2.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================