October 24, 2025 ITHU

Hardening Your MySQL Server: Essential Post-Install Steps

After installing MySQL Server, it’s critical to perform a few post-installation tasks before putting the database into production. By default, MySQL ships with several settings intended to simplify testing and development — including anonymous accounts, a test database, and open authentication options. While convenient, these defaults can expose serious security risks if left unchanged.

Running the mysql_secure_installation utility helps close these gaps by guiding you through essential hardening steps such as setting a strong root password, removing anonymous users, disabling remote root logins, and cleaning up test databases. This process ensures your server starts from a secure baseline and reduces the risk of unauthorized access or privilege misuse.

Prerequisites:

How to Set Up MySQL Server on Windows Server for Production Environments

Running mysql_secure_installation

On the MySQL server, open PowerShell as Administrator and navigate to “C:\Program Files\MySQL\{versionNo}\bin”; in this example it’s “C:\Program Files\MySQL\MySQL Server 8.4\bin”.

Next, run the program:

CMD:  .\mysql_secure_installation.exe

VALIDATE PASSWORD COMPONENT

This component enforces password complexity rules in MySQL. It helps ensure that weak or easily guessed passwords can’t be set for database users — particularly the root account.
What Each Option Means

  • Press y|Y for Yes: Enables the password validation component. MySQL then checks password strength whenever a password is set or changed.
  • Press any other key for No: Skips installing the component. MySQL won’t check password strength (not recommended for production).

Password Strength Policies

When you press Y, you’re prompted to choose a level:

  • Level 0, LOW: minimum length 8 characters.
  • Level 1, MEDIUM: at least 8 characters, and must include numbers, uppercase/lowercase letters, and special characters.
  • Level 2, STRONG: all of the above plus dictionary checks (ensures passwords aren’t based on common words).

Password Strength Score

After choosing a policy, MySQL calculates an estimated password strength score (0–100).
In this example the utility reported “Estimated strength of the password: 100”, which means the root password already meets the strongest requirements.
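The component, policy levels and strength score described above can also be inspected and tuned from the mysql client after the utility has finished. The statements below are an added example, not commands from the original article; they use MySQL 8.x syntax, the sample passwords are constructed, and the account name app_reporting is an assumed placeholder.

```sql
-- Is the validate_password component loaded?  Returns a row only if it is installed.
SELECT component_urn FROM mysql.component
 WHERE component_urn = 'file://component_validate_password';

-- If the prompt was answered N, the component can be installed later
-- (errors if it is already present).
INSTALL COMPONENT 'file://component_validate_password';

-- Current policy (0/LOW, 1/MEDIUM, 2/STRONG) and the rules it enforces.
SHOW VARIABLES LIKE 'validate_password.%';

-- Raise the baseline: MEDIUM rules with a longer minimum, and refuse passwords
-- that contain the account name.  SET PERSIST writes the values to
-- mysqld-auto.cnf so they survive a restart.
SET PERSIST validate_password.policy          = 'MEDIUM';
SET PERSIST validate_password.length          = 14;
SET PERSIST validate_password.check_user_name = ON;

-- Score candidates before using them.  This is the same 0-100 scale the utility
-- prints as "Estimated strength of the password"; results depend on the
-- variables set above.  Constructed sample values, not real credentials.
SELECT VALIDATE_PASSWORD_STRENGTH('password')          AS common_word,
       VALIDATE_PASSWORD_STRENGTH('Summer2025')        AS short_for_policy,
       VALIDATE_PASSWORD_STRENGTH('Tq7#mWz!p4Rv9@Lx')  AS long_mixed;

-- With the component active, a weak credential is rejected with
-- ER_NOT_VALID_PASSWORD rather than silently accepted (app_reporting is a placeholder):
-- ALTER USER 'app_reporting'@'localhost' IDENTIFIED BY 'password';
```

SHOW VARIABLES is the quickest way to confirm that a policy chosen during mysql_secure_installation is actually in force on the running server, and SET PERSIST avoids hand-editing my.ini on Windows.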

Change Password Prompt

Prompt:

Change the password for root? (Press y|Y for Yes, any other key for No)

If you’re happy with your existing password, press N.

Remove Anonymous Users

Prompt:

Remove anonymous users? (Press y|Y for Yes, any other key for No): Y

What it does:

  • Deletes any MySQL accounts without a username (i.e., ''@'localhost' or ''@'host').
  • These accounts allow someone to connect to MySQL without credentials — a serious security risk.

✅ Best practice: Always remove anonymous users on production systems.

Disallow Remote Root Login

Prompt:

Disallow root login remotely? (Press y|Y for Yes, any other key for No): Y

What it does:

  • Ensures the root account can only log in from localhost.
  • Prevents remote brute-force attempts against the root account.
  • If remote admin access is required, best practice is to create a separate administrative user with limited privileges.

✅ Best practice: Always disable remote root access — manage remotely via SSH or a VPN tunnel if needed.

Remove Test Database and Reload Privileges

Prompt:

Remove test database and access to it? (Press y|Y for Yes, any other key for No): Y

What it does:

  • MySQL ships with a default test database that anyone can access without restrictions.
  • This database is meant for experimentation, not production, and could allow unauthorized users to store or view data.
  • Selecting Y drops the test database and removes related privileges.

✅ Best practice: Always remove the default test database in production environments.

Prompt:

Reload privilege tables now? (Press y|Y for Yes, any other key for No): Y

What it does:

  • Reloads all privilege tables in memory so the changes made (password updates, user removals, restrictions) take effect immediately without needing to restart MySQL.

✅ Best practice: Always reload privilege tables after making user or permission changes.
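The three clean-up prompts and the privilege reload above are a single procedure, so the following audit and remediation script covers all of them together. It is an added example rather than part of the original article: the SELECT statements verify that each step has taken effect (every one should return an empty set on a hardened server), and the statements after them are the equivalents of what the utility runs when you answer Y. HOSTNAME_FROM_AUDIT is a placeholder to be replaced with a Host value the audit actually reports.

```sql
-- Run in the mysql client as an administrative user, e.g.:  mysql -u root -p

-- 1. Anonymous users: accounts whose User column is the empty string.
SELECT User, Host FROM mysql.user WHERE User = '';

-- 2. Remote root: root entries reachable from anything other than the local host.
SELECT User, Host FROM mysql.user
 WHERE User = 'root'
   AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Test database, and the wildcard grants in mysql.db that came with it.
SHOW DATABASES LIKE 'test%';
SELECT User, Host, Db FROM mysql.db WHERE Db IN ('test', 'test\\_%');

-- Remediation, only if a query above returned rows.  Use the exact
-- User/Host pairs the audit listed; these are illustrative entries.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'HOSTNAME_FROM_AUDIT';   -- placeholder: Host value reported by query 1
DROP USER IF EXISTS 'root'@'%';                 -- example remote root entry from query 2
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db IN ('test', 'test\\_%');

-- 4. Reload the privilege tables.  DROP USER takes effect on its own, but the
-- direct DELETE from mysql.db is only applied to the in-memory grant tables
-- after this statement.
FLUSH PRIVILEGES;
```

Re-running the SELECT statements after FLUSH PRIVILEGES gives a quick regression check that can be scripted into a build or deployment pipeline, so a rebuilt server cannot quietly drift back to the shipped defaults.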

🧩 Summary

Completing the mysql_secure_installation process ensures your MySQL Server starts from a hardened baseline. By removing anonymous accounts, disabling remote root logins, deleting the default test database, and enforcing strong password rules, you’ve eliminated some of the most common attack vectors that affect default installations.

With these security foundations in place, your server is now ready for production use — or for further configuration such as database creation, user privilege management, and SSL/TLS encryption. Always remember that database security is an ongoing process: regular patching, backups, and monitoring are just as important as the initial setup.