MySQL without SSL

1. The data in the database, should someone steal the mysql data file - is full database encryption sufficient to deal with this?

I'm not an expert on MySQL database encryption. You might want to read the following on MySQL security: https://dev.mysql.com/doc/mysql-security-excerpt/5.7/en/security-against-attack.html

The data in transit - once our clients connect over the internet, is information transmitted in clear text between them, if we aren't using SSL?

The information not encrypted by RDM (via master password) would be sent clear text over the wire, correct.

Database login security - if we're using database logins, and someone gained access to the database and changed a login password, would we still be protected from data exfiltration by the encryption password?

Correct, with an RDM master password, the entire RDM session configuration including the passwords are encrypted in RDM before being sent to the database. Please note, many (less critical) RDM fields/values/tables are not encrypted.

Is there any complication migrating from MS SQL to another data source - would we lose private vaults, for example?

Each user will need to export their own private vaults. Since they are private, there is no way for an admin to export them.

There are other options, Azure or AWS with MySQL or SQL Server, where you would be able to use SSL.

Best regards,

Hi

Just wanted to say thanks for your response. I know it's been some time but I did read it and it was helpful. Some of what you said, I think I was already aware but you confirmed for me, other aspects I wasn't aware of.

So just to update everyone, in our case it would not have been possible to implement mysql SSL on our shared hosting system, so I opted for AzureSQL instead, since we already use office365 so the logins link in to AzureAD.

I was pleased with the MFA integration, although setting up the initial logins wasn't the easiest, with the Azure integration setup, but I did get through it ok in the end.

I was disappointed to learn the integrated azure AD login doesn't work on the mobile app, the same as it doesn't for on premise AD - I guess it makes sense that you use the same 3rd party module but it's pretty poor that the answer for more than 2 years has pretty much been 'not our problem'. As a workaround I know we can use database login for the mobile users, but then there's no way to link the private vault to an AD integrated user. This at least would provide a more complete workaround.

I am also unsure about the AzureSQL access security, whether we have an appropriate level of security enough to allow connections from the whole internet, or whether we should remain cautious and restrict connections to our static IP. If azureAD with MFA integrated logins worked from mobile I think I'd be happier to open up connections from the world - I'm interested to hear anyone elses views on this.

As of right now I have an empty RDM database on Azure, waiting for us to tidy up RDM a bit and to reconfigure our workstations ready for an export/import, so I'm happy we have a path to move forward.

Thanks again. Please fix the mobile AD integration ;)

Hello,
I understand that it would be amazing to have this on mobile. I just want to clarify a small thing. The Azure MFA lib we use is not really a third party, it's more a first party created by Microsoft. If Microsoft does not provide a lib for mobile, it's nearly impossible that we would be able to do that or be able to maintain our own library.

You were asking for a workaround and we have one. You can try Devolutions Password Server. It works well with mobile and it support Azure AD 2FA.

Regards

Hi David
Possibly a misunderstanding here.

What I am saying is - originally the mobile app was able to authenticate against an on-premise SQL database using integrated AD username, e.g. domain\username. Now, whilst this option is still available to select, it is known not to work.

My understanding was that a 3rd party module you use to connect to SQL was updated, and no longer correctly supports Integrated AD authentication; hence why the advice to use the older v4.3 applies because this was before the module was updated.

Please see here:
https://forum.devolutions.net/topics/30256/please-add-azure-ad-authentication-to-the-mobile-app
and here:
https://forum.devolutions.net/topics/30287/mobile-app--integrated-security-as-authentication-method
There was another thread some time ago relating to the same, but I can't find it just now.

I appreciate the suggestion of Password Server but I should have all the functionality I need in RDM - I just need it to work. Of course, if Integrated authentication can be shown to work but not with MFA, well that is another matter...

Thanks
Jon

Yes and the third party is Microsoft. That's the problem even them does not support it. They dropped the support on mobile since they were using a dirty/unsafe hack and never implemented it correctly after that.

Regards

Jon,

What I am saying is - originally the mobile app was able to authenticate against an on-premise SQL database using integrated AD username, e.g. domain\username. Now, whilst this option is still available to select, it is known not to work.

You are correct, SQL + AD was supported at one point. The reason it is no longer supported is beyond our control. Let me explain. You see this was supported via the Xamarin (3rd party) framework that we use it for our Android, iOS & Mac platforms. How they got it working is a mystery, my guess is it worked but really wasn't secure. Microsoft, over the years, in all of their frameworks or tools never allowed to log in to SQL Server by supplying the AD credentials (username/password) of a user. You had to use the context (aka token) of the logged on user. This leads to having to do things like the "runas" command which, of course, is not available on Mac/iOS/Android. As for this being "fixed" in the future release? I highly doubt it, Microsoft bought Xamarin in 2016 (now it's no longer a 3rd party) and the feature request to "fix" this has never been implemented.

That being said, Microsoft is putting time and effort in Azure AD authentication across all platforms. We will investigate what is currently available here for Android & iOS, my understanding is Mac is not yet supported.

Of course, if Integrated authentication can be shown to work but not with MFA, well that is another matter...

Can you elaborate, I'm not sure I understand your statement.

Best regards,

OK my apologies if this is the case, I understood it was some other 3rd Party. I have the name 'mondo' in my the back of my mind but maybe I am not remembering correctly from the original thread where it was mentioned. Stefane your explanation is much more helpful to understand the position.

My comment about integrated but without MFA, I just meant that if the original functionality could be returned but new functionality (i.e. MFA), then I'd have less to complain about. With your explanation about how it should never have worked, this makes more sense now.

I would like to think, as you suggest, that with the push to Azure and MFA that Microsoft are more likely to have more options for developers doing this sort of thing. I find it crazy that most on-premise MSSQL-based databases I see our customers using have a single SQL login (often 'sa') which all workstations use to connect with, and then use their own 'users' table to authenticate logins via an initial form - rather than using the MS integrated password auth, whether that be via NTLM or SSO, I'm not sure I know enough about it to make a sensible evaluation. But then I see companies like Devolutions doing things in what I perceive to be the 'right' way - using the existing AD authentication mechanism - and I see it is possible and wonder why other companies don't make the effort.

You were most likely thinking of Mono. Xamarin is the tool/platform that uses Mono to make cross platform magic work. So, for this conversation they are practically interchangeable.

As for authentication & authorization strategies, there are many ways to go about doing it. Having your custom authentication has some challenges, we actually support it via our "custom users" but in most cases you are better off using proven technologies like SSO or OAuth. As a developer, this isn't always easy and you need the skill set to do it. Here at Devolutions we have an internal cyber security team that helps us strive towards best practices. One would hope every development company would take cyber security seriously but it may not always the case.

Related comic: https://sysadminotaur.devolutions.net/70-the-new-foe

I will keep you posted once we make progress on this.

Best regards,