Adding Security to a Mongo instance on Windows Server

We’re moving our server infrastructure to a new host, and as part of the new configuration the Mongo instance will have its own server, as opposed as living on the same server of the SQL database. I took this as an opportunity to set up proper security for it.

IP restriction

The first thing to do was instructing Mongo to only accept connections from either the localhost, or the network it shares with the other server. In order to achieve this, it is necessary to stop the MongoDB service, then edit the configuation file (mongod.cfg in our case) and add the following section:

net:
    bindIp: 127.0.0.1,<your IP address>
    port: 27017

And restart the Mongo service.

Bear in mind that the IP to specify here must be the IP of the network adapter of the Mongo server, not the IP of the machines where the connection(s) will be coming from.

Secure access

Creating user accounts is a tad more laborious. One must first open the command prompt and navigate to the /bin folder of the mongo installation directory, and then access the mongo shell:

mongo --port 27017

An administrator user must first be created with the following command:

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "<password>",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

If you want to add additional users it is wise do so now, as creating users requires the instance to be started without authentication.

If you already have an instance configured as a Windows service, it is now necessary to remove the existing service and create a new one with the –auth┬áparameter added to it:

mongod --remove

will take care of that. It is now necessary to create a new service that will take advantage of the security layer:

mongod.exe --journal --config <path to your mongod.cfg file> --dbath <path to your mongo /data folder> <strong>--auth</strong> --install

This will create the service again, which will now have to be started from the Services interface.

Leave Comment

Your email address will not be published. Required fields are marked *