Framework/Configurations/SVT/Services/SQLDatabase.json
{
"FeatureName": "SQLDatabase", "Reference": "aka.ms/azsdkosstcp/sqlserver", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_SQLDatabase_AuthZ_Use_AAD_Admin", "Description": "Enable Azure AD admin for the SQL Database", "Id": "SQLDatabase120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlServerADAdmin", "Recommendation": "Run command Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DisplayName '{AzureAdAdmin Display Name}' Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true, "FixControl": { "FixMethodName": "FixADAdmin", "FixControlImpact": "High", "Parameters": { "ActiveDirectoryAdminEmailId": "" } } }, { "ControlID": "Azure_SQLDatabase_DP_Enable_TDE", "Description": "Transparent data encryption (TDE) must be enabled", "Id": "SQLDatabase150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlDatabaseTDE", "Recommendation": "Run command Set-AzureRmSqlDatabaseTransparentDataEncryption -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -State 'Enabled'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqldatabasetransparentdataencryption?view=azurermps-3.8.0 ", "Tags": [ "SDL", "TCP", "Automated", "DP", "SOX" ], "Enabled": true, "FixControl": { "FixMethodName": "FixSqlDatabaseTDE", "FixControlImpact": "Low", "Parameters": {} } }, { "ControlID": "Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server", "Description": "Enable SQL Server threat detection with email admins option. 
Do not exclude any detection types", "Id": "SQLDatabase160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlServerThreatDetection", "Recommendation": "Run command: Set-AzureRmSqlServerThreatDetectionPolicy -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StorageAccountName '{StorageAccountName}' -EmailAdmins '{EmailAdmins}' -ExcludedDetectionType 'None'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverthreatdetectionpolicy?view=azurermps-4.2.0", "Tags": [ "SDL", "TCP", "Automated", "Audit", "SOX" ], "Enabled": true, "FixControl": { "FixMethodName": "EnableServerThreatDetection", "FixControlImpact": "Low", "Parameters": { "StorageAccountName": "", "SecurityContactEmails": "" } } }, { "ControlID": "Azure_SQLDatabase_Audit_Enable_Threat_Detection_DB", "Description": "Enable SQL Database threat detection with email admins option. Do not exclude any detection types", "Id": "SQLDatabase170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlDatabaseThreatDetection", "Recommendation": "Run command: Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -StorageAccountName '{StorageAccountName}' -EmailAdmins '{EmailAdmins}' -ExcludedDetectionType 'None'. 
Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqldatabasethreatdetectionpolicy?view=azurermps-4.2.0", "Tags": [ "SDL", "TCP", "Automated", "Audit", "SOX" ], "Enabled": true, "FixControl": { "FixMethodName": "EnableDatabaseThreatDetection", "FixControlImpact": "Low", "Parameters": { "StorageAccountName": "", "SecurityContactEmails": "" } } }, { "ControlID": "Azure_SQLDatabase_AuthZ_Enable_Firewall", "Description": "SQL Server firewall should be enabled", "Id": "SQLDatabase180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlDatabaseFirewallEnabled", "Recommendation": "Wherever feasible, restrict the SQL Server to the desired set of IP addresses/ranges. Run command: New-AzureRmSqlServerFirewallRule -FirewallRuleName '{FirewallRuleName}' -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StartIpAddress '{StartIpAddress}' -EndIpAddress '{EndIpAddress}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/new-azurermsqlserverfirewallrule?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "SOX" ], "Enabled": true }, { "ControlID": "Azure_SQLDatabase_AuthZ_Use_IP_Firewall_Rules_DB", "Description": "In a SQL Server with multiple databases, set up firewall rules also at the database level", "Id": "SQLDatabase190", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Wherever feasible, restrict each SQL Database to the desired set of IP addresses/ranges for that database. Refer: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_SQLDatabase_AuthN_Dont_Use_SQL_AuthN", "Description": "Do not use SQL Authentication. 
Use AAD-authentication instead", "Id": "SQLDatabase210", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Disable SQL Authentication on the DB and use AAD authentication instead. Refer: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication", "Tags": [ "SDL", "TCP", "Manual", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_SQLDatabase_DP_Use_Client_Side_Encryption", "Description": "Client-side encryption should be used where appropriate", "Id": "SQLDatabase260", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "The recommended client side encryption solution is 'Always Encrypted'. Refer: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_SQLDatabase_AuthZ_Grant_Min_Access", "Description": "Access to SQL Servers and DBs must be granted in keeping with the principle of least privilege", "Id": "SQLDatabase320", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Using SSMS Object Explorer and T-SQL to assign database roles, e.g. db_datareader, db_datawriter, db_securityadmin: Alter Role db_datareader ADD MEMBER ApplicationUser; to allow ApplicationUser to read data, Alter Role db_datawriter ADD MEMBER ApplicationUser; to allow ApplicationUser to write data. Refer: https://azure.microsoft.com/en-us/documentation/articles/sql-database-security/#authorization, http://blogs.technet.com/b/scotts-it-blog/archive/2014/09/03/adding-accounts-to-database-roles-in-sql-server-2012.aspx", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_SQLDatabase_AuthZ_Configure_IP_Range", "Description": "Configure only the required IP addresses on SQL firewall. 
Do not use Any-to-Any IP range $($this.ControlSettings.UniversalIPRange)", "Id": "SQLDatabase360", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlDatabaseFirewallIPAddressRange", "Recommendation": "Do not configure Any to Any firewall IP address. Run command Remove-AzureRmSqlServerFirewallRule -FirewallRuleName '{AnyToAny FirewallRule Name}' -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-3.8.0", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "SOX" ], "Enabled": true }, { "ControlID": "Azure_SQLDatabase_Audit_Enable_Logging_and_Monitoring_Server", "Description": "Enable SQL Server audit with selected event types and retention period of minimum $($this.ControlSettings.SqlServer.AuditRetentionPeriod_Min) days", "Id": "SQLDatabase130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSqlServerAuditing", "Recommendation": "Run command Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StorageAccountName '{StorageAccountName}' -EventType 'All' -RetentionInDays $($this.ControlSettings.SqlServer.AuditRetentionPeriod_Min) -TableIdentifier '{TableIdentifier}'. 
Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Automated", "Audit", "SOX" ], "Enabled": true, "FixControl": { "FixMethodName": "EnableServerAuditingPolicy", "FixControlImpact": "Low", "Parameters": { "StorageAccountName": "" } } }, { "ControlID": "Azure_SQLDatabase_Audit_Enable_Logging_and_Monitoring_DB", "Description": "Enable SQL Database audit with selected event types and retention period of minimum $($this.ControlSettings.SqlServer.AuditRetentionPeriod_Min) days", "Id": "SQLDatabase140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSqlDatabaseAuditing", "Recommendation": "Run command Set-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -StorageAccountName '{StorageAccountName}' -EventType 'All' -RetentionInDays $($this.ControlSettings.SqlServer.AuditRetentionPeriod_Min). Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqldatabaseauditingpolicy?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Automated", "Audit", "SOX" ], "Enabled": true, "FixControl": { "FixMethodName": "EnableDatabaseAuditingPolicy", "FixControlImpact": "Low", "Parameters": { "StorageAccountName": "" } } }, { "ControlID": "Azure_SQLDatabase_Audit_Review_Logs_Periodically", "Description": "Logs should be reviewed routinely", "Id": "SQLDatabase250", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Use the Azure SQL Audit Logs Excel template to review logs. 
Refer: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing#subheading-3", "Tags": [ "SDL", "TCP", "Manual", "Audit" ], "Enabled": true }, { "ControlID": "Azure_SQLDatabase_Deploy_Use_Latest_Version", "Description": "Use the latest version for SQL Database that is available", "Id": "SQLDatabase110", "ControlSeverity": "Low", "Automated": "Yes", "MethodName": "CheckSqlServerVersionUpgrade", "Recommendation": "Run command Start-AzureRmSqlServerUpgrade -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -ServerVersion 12.0. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/start-azurermsqlserverupgrade?view=azurermps-3.8.0 ", "Tags": [ "SDL", "TCP", "Automated", "Deploy", "SOX" ], "Enabled": true } ] }