module/ConfigurationProvider/ControlConfigurations/Services/SQLServer.json
{
"FeatureName": "SQLServer", "Reference": "aka.ms/azsktcp/sqldatabase", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_SQLDatabase_AuthZ_Use_Microsoft_Entra_ID_Only", "Description": "Enable Entra ID (formerly AAD) as only Authentication for the SQL Server", "Id": "SQLDatabase120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlServerAADOnlyAuth", "Rationale": "Azure AD authentication is used to centrally manage identities of database users. Enforcing AAD Only Authentication prevents the proliferation of user identities across servers.", "Recommendation": "To enable Azure AD Only Authentication enable Azure AD Admin for SQL server and turn on the Support for Azure AD Only Authentication. 1. For SQL servers run command1: Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DisplayName '{AzureAdAdmin Display Name}' Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveractivedirectoryadministrator and command2: Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName '{ServerName}' -ResourceGroupName '{ResourceGroupName}' Refer https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-only-authentication?view=azuresql&tabs=azure-powershell. 2. 
For Synapse Analytics workspaces run command1: Set-AzSynapseSqlActiveDirectoryAdministrator -ResourceGroupName '{ResourceGroupName}' -WorkspaceName '{Workspace Name}' -DisplayName '{AzureAdAdmin Display Name}' Refer: https://docs.microsoft.com/en-us/powershell/module/az.synapse/set-azsynapsesqlactivedirectoryadministrator?view=azps-7.2.0 and command2: Enable-AzSynapseActiveDirectoryOnlyAuthentication -ResourceGroupName '{ResourceGroupName}' -WorkspaceName '{Workspace Name}' Refer https://learn.microsoft.com/en-us/powershell/module/az.synapse/enable-azsynapseactivedirectoryonlyauthentication?view=azps-9.3.0", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "Baseline", "CSEOPilotSub" ], "Enabled": true, "ControlEvaluationDetails": { "RequiredProperties": [ "IsAADOnlyAuthenticationEnabled" ] }, "DisplayName": "Enable Entra ID (formerly AAD) as only Authentication for SQL Server", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "CustomTags": [ "TenantBaseline", "CSEOBaseline", "MSD", "Daily", "Preview", "SN:SQL_EntraIDAuthOnly", "TBv8", "EDPreview", "SMTPreview", "WEBXTWave1", "WEBXTPreview", "EPSFWave1", "EPSFPreview" ] }, { "ControlID": "Azure_SQLDatabase_DP_Enable_TDE", "Description": "Enable Transparent Data Encryption on SQL databases", "Id": "SQLDatabase150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlDatabaseTDE", "DisplayName": "Enable Transparent Data Encryption on SQL databases", "Category": "Encrypt data at rest", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. 
This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "Run command Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -State 'Enabled'. Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption *Note:If Blob Auditing or Threat Detection are enabled on the server, they will always apply to the database, regardless of the database level settings.", "Tags": [ "SDL", "TCP", "Automated", "DP", "SqlDatabase", "Baseline", "Daily", "CSEOPilotSub" ], "Enabled": true, "ControlScanSource": "MDCorReader", "AssessmentProperties": { "AssessmentNames": [ "651967bf-044e-4bde-8376-3e08e0600105" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ], "ResourceDetails": { "HasExtendedResourceId": true, "ExtendedIdResourceTypes": [ "Microsoft.Sql/servers/databases" ], "ExcludeExtendedIdPatterns": ".*/master$" } }, "ControlEvaluationDetails": { "RequiredProperties": [ "SQLDatabaseTDEDetails" ] }, "PolicyDefinitionGuid": "17k78e20-9358-41c9-923c-fb736d382a12", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12", "CustomTags": [ "SOX", "CSEOBaseline", "MSD", "Prod", "CSEOPilot", "TenantBaseline", "P1", "Wave6", "EDPreview", "SMTPreview", "SN:SQL_TDE", "WEBXTWave1", "WEBXTPreview", "EPSFWave1", "EPSFPreview" ] }, { "ControlID": "Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server", "Description": "Enable SQL Server threat detection with email admins option. 
Do not exclude any detection types", "Id": "SQLDatabase160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlServerThreatDetection", "Rationale": "Enabling threat detection helps generate timely alerts about suspicious activity that might indicate attacks such as SQL injection, logins from a new location, unusual usage patterns and related threats.", "Recommendation": "First run command 'Set-AzSqlServerAudit -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StorageAccountResourceId '{StorageAccountResourceId}' -BlobStorageTargetState 'Enabled' -RetentionInDays 365'. Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit. Then run command 'Update-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StorageAccountName '{StorageAccountName}' -EmailAdmins `$true -ExcludedDetectionType 'None''.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Baseline", "Daily", "CSEOPilotSub" ], "Enabled": true, "ControlEvaluationDetails": { "RequiredProperties": [ "SQLServerAuditSetting", "SQLServerAlertPolicies", "SecurityCenterContacts" ] }, "ControlSettings": { "SecurityContacts": { "NotificationsRecipientsRoleName": [ "Owner", "ServiceAdmin" ] } }, "PolicyDefinitionGuid": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9", "DisplayName": "Enable advanced data security on your SQL servers", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "CustomTags": [ "SOX", "TenantBaseline", "CSEOBaseline", "MSD", "Prod", "CSEOPilot", "P1", "Wave6", "TRWave4", "TRPreview", "TRBaseline", "CAIPreview", "EDPreview", "SMTPreview", "SN:SQL_ADS" ] }, { "ControlID": "Azure_SQLDatabase_NetSec_Dont_Allow_Universal_IP_Range", 
"Description": "Do not use Any-to-Any IP range for Azure SQL Database.", "Id": "SQLDatabase360", "ControlSeverity": "High", "DisplayName": "Do not use Any-to-Any IP range for Azure SQL Database", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [ "FirewallRules" ] }, "Automated": "Yes", "MethodName": "CheckSqlDatabaseFirewallIPAddressRange", "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. NOTE: While this control does provide an extra layer of access control protection, it may not always be feasible to implement in all scenarios.", "Recommendation": "Do not configure Any to Any firewall IP address. Run command Remove-AzSqlServerFirewallRule -FirewallRuleName '{AnyToAny FirewallRule Name}' -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}'. Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/Remove-AzSqlServerFirewallRule", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec", "Baseline", "Weekly" ], "ControlSettings": { "IPRangeStartIP": "0.0.0.0", "IPRangeEndIP": "255.255.255.255", "FirewallRuleName_AllowAzureIps": "AllowAllWindowsAzureIps" }, "Enabled": true, "CustomTags": [ "SOX" ] }, { "ControlID": "Azure_SQLDatabase_Audit_Enable_Logging_and_Monitoring_Server", "Description": "Enable SQL Server audit with selected event types and retention period of minimum 365 days", "Id": "SQLDatabase140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSqlServerAuditing", "DisplayName": "Ensure Azure SQL Server auditing is configured correctly", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Auditing enables log collection of important system events pertinent to security. 
Regular monitoring of audit logs can help to detect any suspicious and malicious activity early and respond in a timely manner.", "Recommendation": "Run command Set-AzSqlServerAudit -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StorageAccountResourceId '{StorageAccountResourceId}' -BlobStorageTargetState 'Enabled' -RetentionInDays 365. Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit. Through Portal: After logging into subscription, go under Home -> Select Azure SQL server -> Under security section select auditing. Ensure auditing is turned ON. If selecting storage, ensure that the retention period is set to at least 365 days.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Baseline", "Weekly" ], "ControlSettings": { "SqlServer": { "AuditRetentionPeriod_Min": 365, "AuditRetentionPeriod_Forever": 0 } }, "Enabled": true, "CustomTags": [ "SOX", "P1", "Wave99", "CSEOBaseline", "CSEOPilot", "SN:SQL_audit" ] }, { "ControlID": "Azure_SQLDatabase_AuthZ_Firewall_Deny_Access_AzureServices", "Description": "Use the 'Allow access to Azure services' flag only if required.", "Id": "SQLDatabase380", "ControlSeverity": "Medium", "DisplayName": "Use the 'Allow access to Azure services' flag only if required", "Category": "Management interfaces and ports must not be open", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [ "FirewallRules" ] }, "ControlSettings": { "FirewallRuleName_AllowAzureIps": "AllowAllWindowsAzureIps" }, "Automated": "Yes", "MethodName": "CheckSqlServerFirewallAccessAzureService", "Rationale": "The 'Allow access to Azure services' setting configures a very broad range of IP addresses from Azure as permitted to access the SQL Server. Please make sure your scenario really requires this setting before enabling it. 
Turning it ON exposes your SQL Server to connection attempts from any resource (IP) in the Azure region, including resources owned by other Azure customers.", "Recommendation": "Turn off the 'Allow access to Azure services' flag. Run command Remove-AzSqlServerFirewallRule -FirewallRuleName 'AllowAllWindowsAzureIps' -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}'. Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/remove-azsqlserverfirewallrule", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "Baseline", "Weekly" ], "Enabled": true, "CustomTags": [ "SOX" ] }, { "ControlID": "Azure_SQLDatabase_Audit_Enable_Vuln_Assessment", "Description": "Enable SQL Server vulnerability assessments with email admins option.", "Id": "SQLDatabase390", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSqlServerVulnerabilityAssessmentSetting", "Rationale": "Known database vulnerabilities in a system can be easy targets for attackers. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.", "Recommendation": "First run command 'Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}''. 
Then run command 'Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StorageAccountName '{StorageAccountName}' -ScanResultsContainerName 'vulnerability-assessment' -RecurringScansInterval Weekly -EmailAdmins $true -NotificationEmail @('mail1@mail.com' , 'mail2@mail.com')'.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Baseline", "Weekly" ], "Enabled": true, "ControlEvaluationDetails": { "RequiredProperties": [ "VulnerabilityAssessmentSetting" ] }, "DisplayName": "Enable Vulnerability assessment on your SQL servers", "Category": "Vulnerability assessments must be enabled on all services", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "CustomTags": [ "P1", "Wave99", "SN:SQL_assessment" ] }, { "ControlID": "Azure_SQLDatabase_SI_Remediate_Security_Vulnerabilities", "Description": "Vulnerabilities on your SQL databases should be remediated.", "Id": "SQLDatabase400", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "", "DisplayName": "Vulnerabilities on your SQL databases must be remediated", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "AssessmentName": "fe02b3b7-a722-d4d6-6731-6493776203a6", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "82e20e14-edc5-4373-bfc4-f13121257c37" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt|Exempt by Rule|Disabled parent assessment|(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ], "ResourceDetails": { "HasExtendedResourceId": true, "ExtendedIdResourceTypes": [ "Microsoft.Sql/servers/databases" ], "ExcludeExtendedIdPatterns": ".*/master$" } }, "Rationale": "Known database vulnerabilities in a system can be easy targets for attackers. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.", "Recommendation": "Go to security center --> Data & storage --> SQL --> Click on SQL server name --> Click on Recommendation in Recommendation List --> Remediate list of vulnerabilities", "Tags": [ "SDL", "Automated", "Baseline", "Weekly", "ExcludedControl" ], "Enabled": true, "CustomTags": [] }, { "ControlID": "Azure_SQLDatabase_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for SQL Server", "Id": "SQLDatabase410", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlServerTLSVersion", "DisplayName": "Use approved version of TLS for SQL Server", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides privacy and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To Configure 'Minimum TLS Version' setting for SQL Server, go to Azure Portal --> Your SQL Server --> Networking --> Connectivity --> Set the Minimum TLS Version to latest version. 
Refer: https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version", "Tags": [ "SDL", "TCP", "DP", "Automated", "Baseline" ], "Enabled": true, "CustomTags": [ "Daily", "SN:SQL_TLS", "Preview", "TenantBaseline", "EDPreview", "SMTPreview", "MSD", "TBv8", "CAIPreview", "CAIWave1" ], "ControlSettings": { "MinReqTLSVersion": "1.2", "InvalidTLSValue": "None" } }, { "ControlID": "Azure_SQLDatabase_DP_Enable_TDE_MCSB", "Description": "[MCSB] Enable Transparent Data Encryption on SQL databases", "Id": "SQLDatabase430", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Enable Transparent Data Encryption on SQL databases", "Category": "Encrypt data at rest", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "Run command Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -State 'Enabled'. Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption *Note:If Blob Auditing or Threat Detection are enabled on the server, they will always apply to the database, regardless of the database level settings.", "Tags": [ "Automated", "DP", "Baseline", "SQLServer" ], "AssessmentProperties": { "AssessmentNames": [ "651967bf-044e-4bde-8376-3e08e0600105" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ], "ResourceDetails": { "HasExtendedResourceId": true, "ExtendedIdResourceTypes": [ "Microsoft.Sql/servers/databases" ], "ExcludeExtendedIdPatterns": ".*/master$" } }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLServer_AuthN_Dont_Allow_Public_Network_Access", "Description": "Public network access on Azure SQL Database should be disabled", "Id": "SQLDatabase450", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicNetworkAccess", "DisplayName": "Public network access on Azure SQL Database should be disabled", "Category": "Public Network Access should be disabled", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Enabling public network access on your SQL server exposes the server through a public endpoint, which is not recommended.", "Recommendation": "To remediate, disable public network access on your SQL server, or refer to https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal", "ControlScanSource": "MDCorReader", "AssessmentProperties": { "AssessmentNames": [ "22e93e92-4a31-b4cd-d640-3ef908430aa6" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Tags": [ "SDL", "TCP", "Automated", "Baseline", "AuthN" ], "Enabled": true, "CustomTags": [ "Weekly", "SN:SQL_NoPublicAccess" ] }, { "ControlID": "Azure_SQLServer_Config_Enable_MicrosoftDefender_MCSB", "Description": "[MCSB] Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers", "Id": "SQLDatabase460", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers", "Category": "Monitoring must be correctly configured", "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies", "Rationale": "Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database.", "Recommendation": "To enable Microsoft Defender for SQL on SQL servers: 1. Select the SQL server. 2. Under 'Defender for Cloud', set Microsoft Defender for SQL to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.", "Tags": [ "SDL", "Automated", "Baseline", "Config" ], "AssessmentProperties": { "AssessmentNames": [ "400a6682-992c-4726-9549-629fbc3b988f" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLServer_Audit_Enable_Vulnerability_Assessment_MCSB", "Description": "[MCSB] SQL servers should have vulnerability assessment configured", "Id": "SQLDatabase470", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] SQL servers should have vulnerability assessment configured", "Category": "Vulnerability assessments must be enabled on all services", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "Rationale": "Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", "Recommendation": "To enable vulnerability assessment on SQL servers: 1. Select the SQL server 2. Open 'Microsoft Defender for Cloud' under 'Security' 3. Make sure Microsoft Defender for Cloud's status is 'enabled at the server-level' or 'enabled at the subscription-level' 4. Open '(Configure)' 5. If a warning appears that vulnerability assessment is not configured then click on the 'Enable' button to remediate.", "Tags": [ "SDL", "Automated", "Baseline", "Audit" ], "AssessmentProperties": { "AssessmentNames": [ "1db4f204-cb5a-4c9c-9254-7556403ce51c" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLServer_Audit_Enable_Advanced_Threat_Protection_Types_MCSB", "Description": "[MCSB] All advanced threat protection types should be enabled in SQL server advanced data security settings", "Id": "SQLDatabase480", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] All advanced threat protection types should be enabled in SQL server advanced data security settings", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Enabling all detection types provides alerting for SQL injection, database vulnerabilities, and any other anomalous activities.", "Recommendation": "To set advanced threat protection types to 'All' on SQL servers: 1. Select the SQL server. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Advanced threat protection types', mark the check box for 'All'. 4. Click OK. 5. Select 'Save'.", "Tags": [ "SDL", "Automated", "Baseline", "Audit" ], "AssessmentProperties": { "AssessmentNames": [ "f7010359-8d21-4598-a9f2-c3e81a17141e" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLServer_AuthZ_Provision_AzureAD_Administrator_MCSB", "Description": "[MCSB] SQL servers should have an Azure Active Directory administrator provisioned", "Id": "SQLDatabase490", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] SQL servers should have an Azure Active Directory administrator provisioned", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.", "Recommendation": "To provision an Azure AD administrator for SQL server, see https://docs.microsoft.com/azure/sql-database/sql-database-aad-authentication-configure", "Tags": [ "SDL", "Automated", "Baseline", "AuthZ" ], "AssessmentProperties": { "AssessmentNames": [ "f0553104-cfdb-65e6-759c-002812e38500" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLServer_NetSec_Enable_Private_Endpoint_MCSB", "Description": "[MCSB] Private endpoint connections on Azure SQL Database should be enabled", "Id": "SQLDatabase510", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Private endpoint connections on Azure SQL Database should be enabled", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", "Recommendation": "To configure private endpoint on Azure SQL Database, refer: https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview?view=azuresql#creation-process", "Tags": [ "SDL", "Automated", "Baseline", "NetSec", "SQLServer" ], "AssessmentProperties": { "AssessmentNames": [ "75396512-3323-9be4-059d-32ecb113c3de" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLServer_DP_Use_Managed_Keys_MCSB", "Description": "[MCSB] SQL servers should use customer-managed keys to encrypt data at rest", "Id": "SQLDatabase520", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] SQL servers should use customer-managed keys to encrypt data at rest", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TDE (Transparent Data Encryption) ensures that sensitive data is stored encrypted at rest. 
This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. And by using a customer-managed key, you can supplement default encryption with an additional encryption layer.", "Recommendation": "To use customer-managed keys in Azure SQL server, please refer: https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#recommendations-when-configuring-akv", "Tags": [ "SQLServer", "Baseline", "DP" ], "AssessmentProperties": { "AssessmentNames": [ "9d465431-a8d8-136d-e35b-9b0a8079ce91" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLServer_Audit_Enable_Logs_MCSB", "Description": "[MCSB] Auditing on SQL server should be enabled", "Id": "SQLDatabase530", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Auditing on SQL server should be enabled", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-overview?view=azuresql#setup-auditing", "Tags": [ "Automated", "Audit", "Baseline", "SQLServer" ], "AssessmentProperties": { "AssessmentNames": [ "94208a8b-16e8-4e5b-abbd-4e81c9d02bee" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", 
"EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLDatabase_AuthZ_Use_AAD_Only_MCSB", "Description": "[MCSB] Azure SQL Database should only have AAD based authentication enabled", "Id": "SQLDatabase540", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Azure SQL Database should only have AAD based authentication enabled", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate", "Recommendation": "To disable local authentication methods and only allow Azure Active Directory authentication: 1. Find your Azure SQL server in the portal. 2. Navigate to Azure Active Directory in the left navigation pane. 3. Select 'Set admin' if an Azure Active Directory admin is not already set. 4. Check the 'Support only Azure Active Directory authentication for this server' box and press Save. 
See https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-only-authentication-tutorial?WT.mc_id=Portal-Microsoft_Azure_Security for further details.", "Tags": [ "Automated", "AuthZ", "Baseline", "SQLServer" ], "AssessmentProperties": { "AssessmentNames": [ "c076bfee-3834-4685-8ab5-17f5207c827e" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLDatabase_SI_Configure_Retention_Period_MCSB", "Description": "[MCSB] SQL servers with auditing to storage account destination must be configured with 90 days retention or higher", "Id": "SQLDatabase550", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] SQL servers with auditing to storage account destination must be configured with 90 days retention or higher", "Category": "Data persistence should be ensured", "ControlRequirements": "Data should be backed to ensure quicker and efficient recovery", "Rationale": "For incident investigation purposes, we recommend setting the data retention for your SQL Server auditing to storage account destination to at least 90 days.", "Recommendation": "To configure retention days in SQL Servers using Azure Portal, Go to Azure Portal -> Select the SQL Server -> Properties -> Click on 'Auditing' -> Under storage access keys click 'Advanced properties' -> Choose retention days > 90", "Tags": [ "Automated", "SI", "Baseline", "SQLServer" ], "AssessmentProperties": { "AssessmentNames": [ "620671b8-6661-273a-38ac-4574967750ec" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", 
"AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLDatabase_SI_Resolve_Vulnerability_Findings_MCSB", "Description": "[MCSB] SQL databases must have vulnerability findings resolved", "Id": "SQLDatabase560", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] SQL databases must have vulnerability findings resolved", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "Rationale": "SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express", "Tags": [ "Automated", "SI", "Baseline", "SQLServer" ], "AssessmentProperties": { "AssessmentNames": [ "82e20e14-edc5-4373-bfc4-f13121257c37" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLDatabase_AuthZ_Use_AAD_Only_KR51", "Description": "[KR51] Enable Azure AD Only Authentication for the SQL Server.", "Id": "SQLDatabase570", "ControlSeverity": "Medium", "Automated": "Yes", "ControlScanSource": "Policy", "DisplayName": "[KR51] Enable Azure AD Only Authentication for the SQL Server.", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Azure AD authentication is used to centrally manage identities of database users. Enforcing AAD Only Authentication prevents the proliferation of user identities across servers.", "Recommendation": "To enable Azure AD Only Authentication enable Azure AD Admin for SQL server and turn on the Support for Azure AD Only Authentication. 1. For SQL servers run command1: Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DisplayName '{AzureAdAdmin Display Name}' Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveractivedirectoryadministrator and command2: Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName '{ServerName}' -ResourceGroupName '{ResourceGroupName}' Refer https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-only-authentication?view=azuresql&tabs=azure-powershell. 2. 
For Synapse Analytics workspaces run command1: Set-AzSynapseSqlActiveDirectoryAdministrator -ResourceGroupName '{ResourceGroupName}' -WorkspaceName '{Workspace Name}' -DisplayName '{AzureAdAdmin Display Name}' Refer: https://docs.microsoft.com/en-us/powershell/module/az.synapse/set-azsynapsesqlactivedirectoryadministrator?view=azps-7.2.0 and command2: Enable-AzSynapseActiveDirectoryOnlyAuthentication -ResourceGroupName '{ResourceGroupName}' -WorkspaceName '{Workspace Name}' Refer https://learn.microsoft.com/en-us/powershell/module/az.synapse/enable-azsynapseactivedirectoryonlyauthentication?view=azps-9.3.0", "Tags": [ "Baseline", "Automated", "AuthZ", "SQLDatabase" ], "CustomPolicyProperties": { "PolicyDefinitionandAssignmentIdMapping": [ { "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027", "AssignmentId": "" } ] }, "CustomDeploymentPolicyProperties": { "PolicyDefinitonMappings": [ { "EffectType": "Deny", "DefinitionType": "Definition", "DisplayName": "Azure SQL Database should have Azure Active Directory Only Authentication enabled", "Description": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. 
Learn more at: aka.ms/adonlycreate.", "Id": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027" } ] }, "Enabled": false, "CustomTags": [ "KR51", "Daily" ] }, { "ControlID": "Azure_SQLDatabase_DP_Enable_TDE_KR51", "Description": "[KR51] Transparent Data Encryption must be enabled on SQL databases.", "Id": "SQLDatabase580", "ControlSeverity": "Medium", "Automated": "Yes", "ControlScanSource": "Policy", "DisplayName": "[KR51] Transparent Data Encryption must be enabled on SQL databases.", "Category": "Encrypt data at rest", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "Run command Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -State 'Enabled'. 
Refer: https://docs.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption *Note: If Blob Auditing or Threat Detection are enabled on the server, they will always apply to the database, regardless of the database level settings.", "Tags": [ "Baseline", "Automated", "SQLDatabase", "DP" ], "CustomPolicyProperties": { "PolicyDefinitionandAssignmentIdMapping": [ { "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12", "AssignmentId": "", "ResourceDetails": { "HasExtendedResourceId": true, "ExtendedIdResourceTypes": [ "Microsoft.Sql/servers/databases" ], "UseExtendedResourceMetadata": false } } ] }, "CustomDeploymentPolicyProperties": { "PolicyDefinitonMappings": [ { "EffectType": "Dine", "DefinitionType": "Definition", "DisplayName": "Transparent Data Encryption on SQL databases should be enabled", "Description": "Enable transparent data encryption to protect data-at-rest and meet compliance requirements", "Id": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f" } ] }, "Enabled": false, "CustomTags": [ "KR51", "Daily" ] }, { "ControlID": "Azure_SQLDatabase_BCDR_Configure_Geo_Redundancy", "Description": "Geo Redundancy must be configured on SQL Database", "Id": "SQLDatabase590", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSqlServerGeoRedundancy", "DisplayName": "Geo Redundancy must be configured on SQL Database", "Category": "Business Continuity and Disaster Recovery", "ControlRequirements": "Appropriate redundancy must be configured for Azure SQL Database", "Rationale": "Configuring appropriate redundancy for Azure SQL Database ensures business continuity and disaster recovery capabilities. 
It minimizes downtime and data loss risks in case of failures, enhancing overall system reliability and availability.", "Recommendation": "Configure Geo replication https://learn.microsoft.com/en-us/azure/azure-sql/database/active-geo-replication-overview?view=azuresql Or Geo backup storage redundancy https://learn.microsoft.com/en-us/rest/api/sql/databases/list-by-server?view=rest-sql-2021-11-01&tabs=HTTP", "ControlSettings": { "BackUpStorage": "Geo" }, "Tags": [ "Automated", "Baseline", "BCDR", "SQLDatabase" ], "Enabled": true, "ControlEvaluationDetails": { "RequiredProperties": [ "SQLDatabaseBackUpStorageRedundancy", "ReplicationLinks" ] }, "CustomTags": [ "Weekly" ] } ] } |