diff --git a/checklists/sqldb_security_checklist.en.json b/checklists/sqldb_security_checklist.en.json
index 08e611d7c..bc8e08119 100644
--- a/checklists/sqldb_security_checklist.en.json
+++ b/checklists/sqldb_security_checklist.en.json 
@@ -1,519 +1,641 @@
 {
- "$schema": "checklist.schema.json",
- "items": [
- {
- "category": "BCDR",
- "subcategory": "Azure Key Vault",
- "text": "Protect your backup data with encryption and store keys safely in Azure Key Vault",
- "description": "Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can also choose to encrypt the backup using a customer-managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.",
- "guid": "676f6951-0368-49e9-808d-c33a692c9a64",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data"
- },
- {
- "category": "BCDR",
- "subcategory": "Backup",
- "text": "Configure Azure SQL Database automated backups",
- "description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.",
- "guid": "e2518261-b3bc-4bd1-b331-637fb2df833f",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups"
- },
- {
- "category": "BCDR",
- "subcategory": "Backup",
- "text": "Enable geo-redundant backup storage to protect against single region failure and data loss",
- "description": "By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region. 
For SQL Database, the backup storage redundancy can be configured at the time of database creation or can be updated for an existing database; the changes made to an existing database apply to future backups only.",
- "guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy"
- },
- {
- "category": "Code",
- "subcategory": "Source Control and Code Review",
- "text": "Use Source Control systems to store, maintain and review application code deployed inside Azure SQLDB Database",
- "description": "Malicious code can potentially circumvent security controls. Before deploying custom code to production, it is essential to review what's being deployed. Use a database tool like Azure Data Studio that supports source control. Implement tools and logic for code analysis, vulnerability and credential scanning.",
- "guid": "7ca9f006-d2a9-4652-951c-de8e4ac5e76e",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server"
- },
- {
- "category": "Data Discovery and Classification",
- "subcategory": "Data Discovery and Classification",
- "text": "Plan and configure Data Discovery & Classification to protect the sensitive data",
- "description": "In case of classification requirements Purview is the preferred option. Only use SQL Data Discovery & Classification in case Purview is not an option. Discover columns that potentially contain sensitive data. What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. Classify the columns to use advanced sensitivity-based auditing and protection scenarios. 
Review results of automated discovery and finalize the classification if necessary.",
- "guid": "d401509b-2629-4484-9a7f-af0d29a7778f",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql#faq---advanced-classification-capabilities"
- },
- {
- "category": "Data Masking",
- "subcategory": "Data Masking",
- "text": "Use Data Masking to prevent unauthorized non-admin users data access if no encryption is possible",
- "description": "Usage of this feature is recommended only if column encryption is not an option and there is a specific requirement to preserve data types and formats. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer.",
- "guid": "9391fd50-135e-453e-90a7-c1a23f88cc13",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview"
- },
- {
- "category": "Defender",
- "subcategory": "Advanced Threat Protection",
- "text": "Review and complete Advanced Threat Protection (ATP) configuration",
- "description": "SQL Advanced Threat Detection (ATP) provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. 
When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat.",
- "guid": "4e52d73f-5d37-428f-b3a2-e6997e835979",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure"
- },
- {
- "category": "Defender",
- "subcategory": "Defender for Azure SQL",
- "text": "Enable Microsoft Defender for Azure SQL",
- "description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.",
- "guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql "
- },
- {
- "category": "Defender",
- "subcategory": "Defender for Azure SQL",
- "text": "Prepare a security response plan to promptly react to Microsoft Defender for Azure SQL alerts",
- "description": "Microsoft Defender for Azure SQL ATP detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
Alerts can be configured and generated and will be reported in the Defender for console.",
- "guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure"
- },
- {
- "category": "Defender",
- "subcategory": "Vulnerability Assessment",
- "text": "Configure Vulnerability Assessment (VA) findings and review recommendations",
- "description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.",
- "guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview"
- },
- {
- "category": "Defender",
- "subcategory": "Vulnerability Assessment",
- "text": "Regularly review of Vulnerability Assessment (VA) findings and recommendations and prepare a plan to fix",
- "description": "Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL Databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. 
You can use the findings to remediate software vulnerabilities and disable findings.",
- "guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql"
- },
- {
- "category": "Encryption",
- "subcategory": "Always Encrypted",
- "text": "If protecting sensitive PII data from admin users is a key requirement, but Column Encryption limitations cannot be tolerated, consider the adoption of Always Encrypted with Secure Enclaves",
- "description": "Always Encrypted with Secure Enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and richer confidential queries. Always Encrypted with Secure Enclaves addresses these limitations by allowing some computations on plaintext data inside a secure enclave on the server side. Usage of this feature is recommended for the cases where you need to limit administrator access and need your queries to support more than equality matching of encrypted columns.",
- "guid": "65d7e54a-10a6-4094-b673-9ff3809c9277",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves"
- },
- {
- "category": "Encryption",
- "subcategory": "Column Encryption",
- "text": "To protect sensitive PII data from non-admin users in specific table columns, consider using Column Encryption",
- "description": "With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called column encryption, because you can use it to encrypt specific columns with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages. Using Always Encrypted to ensure sensitive data isn't exposed in plaintext in Azure SQL Database or SQL Managed Instance, even in memory/in use. 
Always Encrypted protects the data from Database Administrators (DBAs) and cloud admins (or bad actors who can impersonate high-privileged but unauthorized users) and gives you more control over who can access your data.",
- "guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption"
- },
- {
- "category": "Encryption",
- "subcategory": "Transparent Data Encryption",
- "text": "Ensure Transparent Data Encryption (TDE) is kept enabled",
- "description": "Enabled by default, Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application.",
- "guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server"
- },
- {
- "category": "Encryption",
- "subcategory": "Transparent Data Encryption",
- "text": "Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increased transparency and granular control over the TDE protection",
- "description": "If separation of duties in the management of keys and data within the organization is required, leverage Customer Managed Keys (CMK) for Transparent Data Encryption (TDE) for your Azure SQLDB and use Azure Key Vault to store (refer to its checklist). 
Leverage this feature when you have strict security requirements which cannot be met by the managed service keys.",
- "guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview"
- },
- {
- "category": "Encryption",
- "subcategory": "Transport Layer Security",
- "text": "Enforce minimum TLS version to the latest available",
- "description": "The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.",
- "guid": "7754b605-57fd-4bcb-8213-52c39d8e8225",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?source=recommendations&view=azuresql&tabs=azure-portal#minimal-tls-version"
- },
- {
- "category": "Identity",
- "subcategory": "Azure Active Directory",
- "text": "Leverage Azure AD authentication for connections to Azure SQL Databases",
- "description": "Use Azure Active Directory (Azure AD) authentication for centralized identity management. Use SQL Authentication only if really necessary and document as exceptions.",
- "guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview"
- },
- {
- "category": "Identity",
- "subcategory": "Azure Active Directory",
- "text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server",
- "description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each logical server. 
Monitor Azure AD group membership changes using Azure AD audit activity reports.",
- "guid": "29820254-1d14-4778-ae90-ff4aeba504a3",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities"
- },
- {
- "category": "Identity",
- "subcategory": "Azure Active Directory",
- "text": "Minimize the use of password-based authentication for applications",
- "description": "Ensure that distinct system and user assigned managed identities, that are dedicated to the function, with least permissions assigned, are used for communication from Azure services and applications to the Azure SQLDB databases.",
- "guid": "df3a09ee-03bb-4198-8637-d141acf5f289",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications"
- },
- {
- "category": "Identity",
- "subcategory": "Managed Identities",
- "text": "Assign Azure SQL Database a managed identity for outbound resource access",
- "description": "System or User assigned managed identities enable Azure SQLDB to authenticate to other cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control to the specific Azure SQLDB instance. Do not share user assigned managed identities across multiple services if not strictly required.",
- "guid": "69891194-5074-4e30-8f69-4efc3c580900",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview"
- },
- {
- "category": "Identity",
- "subcategory": "Passwords",
- "text": "Minimize the use of password-based authentication for users",
- "description": "Use an Azure AD integrated authentication that eliminates the use of passwords. 
Password-based authentication methods are a weaker form of authentication. Credentials can be compromised or mistakenly given away. Use single sign-on authentication using Windows credentials. Federate the on-premises AD domain with Azure AD and use integrated Windows authentication (for domain-joined machines with Azure AD).",
- "guid": "88287d4a-8bb8-4640-ad78-03f51354d003",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication"
- },
- {
- "category": "Ledger",
- "subcategory": "Database Digest",
- "text": "Use Azure Confidential Ledger to store database digests only if advanced security features are required",
- "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Confidential Ledger is one of the supported store, it can be used and supports automatic generation and storage of database digests. Azure Ledger provides advanced security features like Blockchain Ledger Proof and Confidential Hardware Enclaves. Use it only if advanced security features are required, otherwise revert to Azure storage.",
- "guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage"
- },
- {
- "category": "Ledger",
- "subcategory": "Database Digest",
- "text": "If Azure storage account is used to store database digests, ensure security is properly configured",
- "description": "The hash of the latest block in the database ledger is called the database digest. 
It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Blob Storage with Immutable Storage feature can be used and supports automatic generation and storage of database digests. To prevent tampering of your digest files, configure and lock a retention policy for your container.",
- "guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management"
- },
- {
- "category": "Ledger",
- "subcategory": "Integrity",
- "text": "Schedule the Ledger verification process regularly to verify data integrity",
- "description": "Ledger provides a form of data integrity called forward integrity, which provides evidence of data tampering on data in your ledger tables. The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. The verification process reports all inconsistencies that it detects.",
- "guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification"
- },
- {
- "category": "Ledger",
- "subcategory": "Ledger",
- "text": "If cryptographic proof of data integrity is a critical requirement, Ledger feature should be considered",
- "description": "The Ledger feature provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with. 
Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators.",
- "guid": "2563f498-e2d3-42ea-9e7b-5517881a06a2",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview"
- },
- {
- "category": "Ledger",
- "subcategory": "Recovery",
- "text": "Prepare a response plan to investigate and repair a database after a tampering event",
- "description": "Depending on the type of tampering, there are cases where you can repair the ledger without losing data. In the article contained in the --More Info-- column, different scenarios and recovery techniques are described.",
- "guid": "804fc554-6554-4842-91c1-713b32f99902",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-how-to-recover-after-tampering"
- },
- {
- "category": "Logging",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Auditing is enabled at the server level",
- "description": "Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. By default auditing policy includes all actions (queries, stored procedures and successful and failed logins) against the databases, which may result in high volume of audit logs. 
It's recommended for customers to configure auditing for different types of actions and action groups using PowerShell.",
- "guid": "4082e31d-35f4-4a49-8507-d3172cc930a6",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview"
- },
- {
- "category": "Logging",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Auditing logs are backed up and secured in the selected repository type",
- "description": "Azure SQL Database Auditing logs can be written to external storage accounts, Log Analytics workspace or Event Hub. Be sure to protect the target repository using backups and secured configuration. Use Azure SQL Database Managed Identity to access the storage and set an explicit retention period. Do not grant permissions to administrators to the audit log repository. Use a different target storage for --Enabling Auditing of Microsoft support operations--. ",
- "guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview"
- },
- {
- "category": "Logging",
- "subcategory": "Auditing",
- "text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs",
- "description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. 
It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).",
- "guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
- },
- {
- "category": "Logging",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that Azure SQL Database Auditing logs are being presented in to your organizations SIEM/SOAR",
- "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR). Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.",
- "guid": "f96e127e-9572-453a-b325-ff89ae9f6b44",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview"
- },
- {
- "category": "Logging",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR",
- "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.",
- "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
- },
- {
- "category": "Logging",
- "subcategory": "SIEM/SOAR",
- "text": "Ensure that you have response plans for malicious or aberrant audit logging events",
- "description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.",
- "guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
- },
- {
- "category": "Networking",
- "subcategory": "Connectivity",
- "text": "Review Public vs. Private Access connectivity methods and select the appropriate one for the workload",
- "description": "When you create a logical server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. 
Usage of Private Endpoints has performance implications that need to be considered and assessed.",
- "guid": "2c6d356a-1784-475b-a42c-ec187dc8c925",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview"
- },
- {
- "category": "Networking",
- "subcategory": "Connectivity",
- "text": "Keep default Azure SQL Database Connection Policy if not differently required and justified",
- "description": "IMPORTANT: Connections to private endpoint only support Proxy as the connection policy. When using private endpoints connections are proxied via the Azure SQL Database gateway to the database nodes. Clients will not have a direct connection.",
- "guid": "557b3ce5-bada-4296-8d52-a2d447bc1718",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture"
- },
- {
- "category": "Networking",
- "subcategory": "Connectivity",
- "text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall",
- "description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only. If not strictly required, keep this setting to OFF.",
- "guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview"
- },
- {
- "category": "Networking",
- "subcategory": "Outbound Control",
- "text": "Block or restrict outbound REST API calls to external endpoints",
- "description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. 
This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.",
- "guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql"
- },
- {
- "category": "Networking",
- "subcategory": "Outbound Control",
- "text": "If outbound network access is required, it is recommended to configure outbound networking restrictions using built-in Azure SQL Database control feature",
- "description": "Outbound firewall rules limit network traffic from the Azure SQL Database logical server to a customer defined list of Azure Storage accounts and Azure SQL Database logical servers. Any attempt to access storage accounts or databases not in this list is denied.",
- "guid": "a566dd3d-314e-4a94-9378-102c42d82b38",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview"
- },
- {
- "category": "Networking",
- "subcategory": "Private Access",
- "text": "If Private Access connectivity is used, ensure that you are using the Private Endpoint, Azure Virtual Network, Azure Firewall, and Azure Network Security Group checklists",
- "description": "Private Endpoint is created inside a subnet in an Azure Virtual Network. 
Proper security configuration must be applied also to the containing network environment, including NSG/ASG, UDR, firewall, monitoring and auditing.",
- "guid": "246cd832-f550-4af0-9c74-ca9baeeb8860",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server"
- },
- {
- "category": "Networking",
- "subcategory": "Private Access",
- "text": "If Private Endpoint (Private Access) is used, consider disabling Public Access connectivity",
- "description": "When adding a Private Endpoint connection, public routing to your logical server isn't blocked by default. In the --Firewall and virtual networks-- pane, the setting --Deny public network access-- is not selected by default. To disable public network access, ensure that you select --Deny public network access--.",
- "guid": "3a0808ee-ea7a-47ab-bdce-920a6a2b3881",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server"
- },
- {
- "category": "Networking",
- "subcategory": "Private Access",
- "text": "If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to limit incoming source IP address ranges",
- "description": "Network Security Group (NSG) and Application Security Group (ASG) can be now applied to subnet containing Private Endpoints to restrict connections to Azure SQLDB based on internal source IP ranges.",
- "guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints"
- },
- {
- "category": "Networking",
- "subcategory": "Private Access",
- "text": "Apply Network Security Groups (NSG) and firewall rules to restrict access to Azure SQL Managed Instance internal subnet",
- "description": "A Managed Instance (SQL MI) can be isolated 
inside a virtual network to prevent external access. Applications and tools that are in the same or peered virtual network in the same region could access it directly. Applications and tools that are in different region could use virtual-network-to-virtual-network connection or ExpressRoute circuit peering to establish connection. Customer should use Network Security Groups (NSG), and eventually internal firewalls, to restrict access over port 1433 only to resources that require access to a managed instance.",
- "guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview"
- },
- {
- "category": "Networking",
- "subcategory": "Public Access",
- "text": "If Public Access connectivity is used, leverage Service Endpoint to restrict access from selected Azure Virtual Networks",
- "description": "Azure Virtual Network Service Endpoint is preferred solution if you want to establish a direct connection to the Azure SQL Database backend nodes using Redirect policy. This will allow access in high performance mode and is the recommended approach from a performance perspective.",
- "guid": "55187443-6852-4fbd-99c6-ce303597ca7f",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules"
- },
- {
- "category": "Networking",
- "subcategory": "Public Access",
- "text": "If Public Access connectivity is used, ensure that only specific known IPs are added to the firewall",
- "description": "The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted. 
This approach is fine for stable IP addresses that are outside the Azure private network.",
- "guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview"
- },
- {
- "category": "Networking",
- "subcategory": "Public Access",
- "text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules",
- "description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.",
- "guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure"
- },
- {
- "category": "Networking",
- "subcategory": "Public Access",
- "text": "Do not enable Azure SQL Managed Instance public endpoint",
- "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. The Managed Instance public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. If company policy disallows the use of public endpoints, use Azure Policy to prevent enabling public endpoints in the first place.",
- "guid": "b8435656-143e-41a8-9922-61d34edb751a",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview"
- },
- {
- "category": "Networking",
- "subcategory": "Public Access",
- "text": "Restrict access if Azure SQL Managed Instance public endpoint is required",
- "description": "A Managed Instance (SQL MI) public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
In this case, it is recommended to apply a Network Security Groups (NSG) to restrict access to port 3342 only to trusted source IP addresses.",
- "guid": "057dd298-8726-4aa6-b590-1f81d2e30421",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview"
- },
- {
- "category": "Privileged Access",
- "subcategory": "Lockbox",
- "text": "Review and enable Customer Lockbox for Azure SQL Database access by Microsoft personnel",
- "description": "Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. In support scenarios where Microsoft needs to access customer data, Azure SQL Database supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.",
- "guid": "37b6eb0f-553d-488f-8a8a-cb9bf97388ff",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview"
- },
- {
- "category": "Privileged Access",
- "subcategory": "Permissions",
- "text": "Ensure that users are assigned the minimum level of access necessarily to complete their job functions",
- "description": "The principle of least privilege states that users shouldn't have more privileges than needed to complete their tasks. High-privileged database and server users can perform many configuration and maintenance activities on the database and can also drop databases in Azure SQL instance. 
Tracking database owners and privileged accounts is important to avoid having excessive permission.",
- "guid": "5fe5281f-f0f9-4842-a682-8baf18bd8316",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege"
- },
- {
- "category": "Privileged Access",
- "subcategory": "Permissions",
- "text": "Ensure that distinct applications will be assigned different credentials with minimal permissions to access Azure SQL Database",
- "description": "Identities (both Users and SPNs) should be scoped to the least amount of access needed to perform the function. A higher number of tightly scoped SPNs should be used, instead of having one SPN with multiple sets of unrelated permissions. For example, if there are three external web applications hosted on-prem that make queries to the Azure SQL Database, they should not all use the same SPN for these activities. Instead, they should each have their own tightly scoped SPN.",
- "guid": "7b5b55e5-4750-4920-be97-eb726c256a5c",
- "severity": "Low",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access"
- }
- ],
- "categories": [
- {
- "name": "BCDR"
- },
- {
- "name": "Defender"
- },
- {
- "name": "Encryption"
- },
- {
- "name": "Identity"
- },
- {
- "name": "Privileged Access"
- },
- {
- "name": "Ledger"
- },
- {
- "name": "Logging"
- },
- {
- "name": "Networking"
- },
- {
- "name": "Data Discovery and Classification"
- },
- {
- "name": "Data Masking"
- },
- {
- "name": "Code"
- }
- ],
- "status": [
- {
- "name": "Not verified",
- "description": "This check has not been looked at yet"
- },
- {
- "name": "Open",
- "description": "There is an action item associated to this check"
- },
- {
- "name": "Fulfilled",
- "description": "This check has been verified, and there are no further action items associated to it"
- },
- { 
- "name": "Not required",
- "description": "Recommendation understood, but not needed by current requirements"
- },
- {
- "name": "N/A",
- "description": "Not applicable for current design"
- }
- ],
- "severities": [
- {
- "name": "High"
- },
- {
- "name": "Medium"
- },
- {
- "name": "Low"
- }
- ],
- "metadata": {
- "name": "Azure SQLDB Security Checklist (Preview)",
- "state": "Preview",
- "timestamp": "Feb 13, 2023"
+ "items": [
+ {
+ "category": "BCDR",
+ "subcategory": "Azure Key Vault",
+ "text": "Protect your backup data with encryption and store keys safely in Azure Key Vault",
+ "description": "Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can also choose to encrypt the backup using a customer-managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.",
+ "waf": "Security",
+ "guid": "676f6951-0368-49e9-808d-c33a692c9a64",
+ "id": "A01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Backup",
+ "text": "Configure Azure SQL Database automated backups",
+ "description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. 
By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.",
+ "waf": "Security",
+ "guid": "e2518261-b3bc-4bd1-b331-637fb2df833f",
+ "id": "A02.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups"
+ },
+ {
+ "category": "BCDR",
+ "subcategory": "Backup",
+ "text": "Enable geo-redundant backup storage to protect against single region failure and data loss",
+ "description": "By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region. For SQL Database, the backup storage redundancy can be configured at the time of database creation or can be updated for an existing database; the changes made to an existing database apply to future backups only.",
+ "waf": "Security",
+ "guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4",
+ "id": "A02.02",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy"
+ },
+ {
+ "category": "Code",
+ "subcategory": "Source Control and Code Review",
+ "text": "Use Source Control systems to store, maintain and review application code deployed inside Azure SQLDB Database",
+ "description": "Malicious code can potentially circumvent security controls. Before deploying custom code to production, it is essential to review what's being deployed. Use a database tool like Azure Data Studio that supports source control. 
Implement tools and logic for code analysis, vulnerability and credential scanning.",
+ "waf": "Security",
+ "guid": "7ca9f006-d2a9-4652-951c-de8e4ac5e76e",
+ "id": "B01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server"
+ },
+ {
+ "category": "Data Discovery and Classification",
+ "subcategory": "Data Discovery and Classification",
+ "text": "Plan and configure Data Discovery & Classification to protect the sensitive data",
+ "description": "In case of classification requirements Purview is the preferred option. Only use SQL Data Discovery & Classification in case Purview is not an option. Discover columns that potentially contain sensitive data. What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. Classify the columns to use advanced sensitivity-based auditing and protection scenarios. Review results of automated discovery and finalize the classification if necessary.",
+ "waf": "Security",
+ "guid": "d401509b-2629-4484-9a7f-af0d29a7778f",
+ "id": "C01.01",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql#faq---advanced-classification-capabilities"
+ },
+ {
+ "category": "Data Masking",
+ "subcategory": "Data Masking",
+ "text": "Use Data Masking to prevent unauthorized non-admin users data access if no encryption is possible",
+ "description": "Usage of this feature is recommended only if column encryption is not an option and there is a specific requirement to preserve data types and formats. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. 
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer.",
+ "waf": "Security",
+ "guid": "9391fd50-135e-453e-90a7-c1a23f88cc13",
+ "id": "D01.01",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview"
+ },
+ {
+ "category": "Defender",
+ "subcategory": "Advanced Threat Protection",
+ "text": "Review and complete Advanced Threat Protection (ATP) configuration",
+ "description": "SQL Advanced Threat Detection (ATP) provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat.",
+ "waf": "Security",
+ "guid": "4e52d73f-5d37-428f-b3a2-e6997e835979",
+ "id": "E01.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure"
+ },
+ {
+ "category": "Defender",
+ "subcategory": "Defender for Azure SQL",
+ "text": "Enable Microsoft Defender for Azure SQL",
+ "description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. 
If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.",
+ "waf": "Security",
+ "guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1",
+ "id": "E02.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql "
+ },
+ {
+ "category": "Defender",
+ "subcategory": "Defender for Azure SQL",
+ "text": "Prepare a security response plan to promptly react to Microsoft Defender for Azure SQL alerts",
+ "description": "Microsoft Defender for Azure SQL ATP detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Alerts can be configured and generated and will be reported in the Defender for console.",
+ "waf": "Security",
+ "guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea",
+ "id": "E02.02",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure"
+ },
+ {
+ "category": "Defender",
+ "subcategory": "Vulnerability Assessment",
+ "text": "Configure Vulnerability Assessment (VA) findings and review recommendations",
+ "description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. 
It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.",
+ "waf": "Security",
+ "guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca",
+ "id": "E03.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview"
+ },
+ {
+ "category": "Defender",
+ "subcategory": "Vulnerability Assessment",
+ "text": "Regularly review of Vulnerability Assessment (VA) findings and recommendations and prepare a plan to fix",
+ "description": "Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL Databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.",
+ "waf": "Security",
+ "guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac",
+ "id": "E03.02",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql"
+ },
+ {
+ "category": "Encryption",
+ "subcategory": "Always Encrypted",
+ "text": "If protecting sensitive PII data from admin users is a key requirement, but Column Encryption limitations cannot be tolerated, consider the adoption of Always Encrypted with Secure Enclaves",
+ "description": "Always Encrypted with Secure Enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and richer confidential queries. Always Encrypted with Secure Enclaves addresses these limitations by allowing some computations on plaintext data inside a secure enclave on the server side. 
Usage of this feature is recommended for the cases where you need to limit administrator access and need your queries to support more than equality matching of encrypted columns.",
+ "waf": "Security",
+ "guid": "65d7e54a-10a6-4094-b673-9ff3809c9277",
+ "id": "F01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves"
+ },
+ {
+ "category": "Encryption",
+ "subcategory": "Column Encryption",
+ "text": "To protect sensitive PII data from non-admin users in specific table columns, consider using Column Encryption",
+ "description": "With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called column encryption, because you can use it to encrypt specific columns with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages. Using Always Encrypted to ensure sensitive data isn't exposed in plaintext in Azure SQL Database or SQL Managed Instance, even in memory/in use. 
Always Encrypted protects the data from Database Administrators (DBAs) and cloud admins (or bad actors who can impersonate high-privileged but unauthorized users) and gives you more control over who can access your data.",
+ "waf": "Security",
+ "guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3",
+ "id": "F02.01",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption"
+ },
+ {
+ "category": "Encryption",
+ "subcategory": "Transparent Data Encryption",
+ "text": "Ensure Transparent Data Encryption (TDE) is kept enabled",
+ "description": "Enabled by default, Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application.",
+ "waf": "Security",
+ "guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d",
+ "id": "F03.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server"
+ },
+ {
+ "category": "Encryption",
+ "subcategory": "Transparent Data Encryption",
+ "text": "Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increased transparency and granular control over the TDE protection",
+ "description": "If separation of duties in the management of keys and data within the organization is required, leverage Customer Managed Keys (CMK) for Transparent Data Encryption (TDE) for your Azure SQLDB and use Azure Key Vault to store (refer to its checklist). 
Leverage this feature when you have strict security requirements which cannot be met by the managed service keys.",
+ "waf": "Security",
+ "guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25",
+ "id": "F03.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview"
+ },
+ {
+ "category": "Encryption",
+ "subcategory": "Transport Layer Security",
+ "text": "Enforce minimum TLS version to the latest available",
+ "description": "The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.",
+ "waf": "Security",
+ "guid": "7754b605-57fd-4bcb-8213-52c39d8e8225",
+ "id": "F04.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?source=recommendations&view=azuresql&tabs=azure-portal#minimal-tls-version"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Azure Active Directory",
+ "text": "Leverage Azure AD authentication for connections to Azure SQL Databases",
+ "description": "Use Azure Active Directory (Azure AD) authentication for centralized identity management. Use SQL Authentication only if really necessary and document as exceptions.",
+ "waf": "Security",
+ "guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7",
+ "id": "G01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Azure Active Directory",
+ "text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server",
+ "description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. 
Create a separate group for Azure AD administrators for each logical server. Monitor Azure AD group membership changes using Azure AD audit activity reports.",
+ "waf": "Security",
+ "guid": "29820254-1d14-4778-ae90-ff4aeba504a3",
+ "id": "G01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Azure Active Directory",
+ "text": "Minimize the use of password-based authentication for applications",
+ "description": "Ensure that distinct system and user assigned managed identities, that are dedicated to the function, with least permissions assigned, are used for communication from Azure services and applications to the Azure SQLDB databases.",
+ "waf": "Security",
+ "guid": "df3a09ee-03bb-4198-8637-d141acf5f289",
+ "id": "G01.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Managed Identities",
+ "text": "Assign Azure SQL Database a managed identity for outbound resource access",
+ "description": "System or User assigned managed identities enable Azure SQLDB to authenticate to other cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control to the specific Azure SQLDB instance. 
Do not share user assigned managed identities across multiple services if not strictly required.",
+ "waf": "Security",
+ "guid": "69891194-5074-4e30-8f69-4efc3c580900",
+ "id": "G02.01",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Passwords",
+ "text": "Minimize the use of password-based authentication for users",
+ "description": "Use an Azure AD integrated authentication that eliminates the use of passwords. Password-based authentication methods are a weaker form of authentication. Credentials can be compromised or mistakenly given away. Use single sign-on authentication using Windows credentials. Federate the on-premises AD domain with Azure AD and use integrated Windows authentication (for domain-joined machines with Azure AD).",
+ "waf": "Security",
+ "guid": "88287d4a-8bb8-4640-ad78-03f51354d003",
+ "id": "G03.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication"
+ },
+ {
+ "category": "Ledger",
+ "subcategory": "Database Digest",
+ "text": "Use Azure Confidential Ledger to store database digests only if advanced security features are required",
+ "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Confidential Ledger is one of the supported store, it can be used and supports automatic generation and storage of database digests. Azure Ledger provides advanced security features like Blockchain Ledger Proof and Confidential Hardware Enclaves. 
Use it only if advanced security features are required, otherwise revert to Azure storage.",
+ "waf": "Security",
+ "guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc",
+ "id": "H01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage"
+ },
+ {
+ "category": "Ledger",
+ "subcategory": "Database Digest",
+ "text": "If Azure storage account is used to store database digests, ensure security is properly configured",
+ "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Blob Storage with Immutable Storage feature can be used and supports automatic generation and storage of database digests. To prevent tampering of your digest files, configure and lock a retention policy for your container.",
+ "waf": "Security",
+ "guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a",
+ "id": "H01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management"
+ },
+ {
+ "category": "Ledger",
+ "subcategory": "Integrity",
+ "text": "Schedule the Ledger verification process regularly to verify data integrity",
+ "description": "Ledger provides a form of data integrity called forward integrity, which provides evidence of data tampering on data in your ledger tables. The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. 
The verification process reports all inconsistencies that it detects.",
+ "waf": "Security",
+ "guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420",
+ "id": "H02.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification"
+ },
+ {
+ "category": "Ledger",
+ "subcategory": "Ledger",
+ "text": "If cryptographic proof of data integrity is a critical requirement, Ledger feature should be considered",
+ "description": "The Ledger feature provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with. Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators.",
+ "waf": "Security",
+ "guid": "2563f498-e2d3-42ea-9e7b-5517881a06a2",
+ "id": "H03.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview"
+ },
+ {
+ "category": "Ledger",
+ "subcategory": "Recovery",
+ "text": "Prepare a response plan to investigate and repair a database after a tampering event",
+ "description": "Depending on the type of tampering, there are cases where you can repair the ledger without losing data. In the article contained in the --More Info-- column, different scenarios and recovery techniques are described.",
+ "waf": "Security",
+ "guid": "804fc554-6554-4842-91c1-713b32f99902",
+ "id": "H04.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-how-to-recover-after-tampering"
+ },
+ {
+ "category": "Logging",
+ "subcategory": "Auditing",
+ "text": "Ensure that Azure SQL Database Auditing is enabled at the server level",
+ "description": "Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. 
Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. By default auditing policy includes all actions (queries, stored procedures and successful and failed logins) against the databases, which may result in high volume of audit logs. It's recommended for customers to configure auditing for different types of actions and action groups using PowerShell.",
+ "waf": "Security",
+ "guid": "4082e31d-35f4-4a49-8507-d3172cc930a6",
+ "id": "I01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview"
+ },
+ {
+ "category": "Logging",
+ "subcategory": "Auditing",
+ "text": "Ensure that Azure SQL Database Auditing logs are backed up and secured in the selected repository type",
+ "description": "Azure SQL Database Auditing logs can be written to external storage accounts, Log Analytics workspace or Event Hub. Be sure to protect the target repository using backups and secured configuration. Use Azure SQL Database Managed Identity to access the storage and set an explicit retention period. Do not grant permissions to administrators to the audit log repository. Use a different target storage for --Enabling Auditing of Microsoft support operations--. ",
+ "waf": "Security",
+ "guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46",
+ "id": "I01.02",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview"
+ },
+ {
+ "category": "Logging",
+ "subcategory": "Auditing",
+ "text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs",
+ "description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. 
It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).",
+ "waf": "Security",
+ "guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a",
+ "id": "I01.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
+ },
+ {
+ "category": "Logging",
+ "subcategory": "SIEM/SOAR",
+ "text": "Ensure that Azure SQL Database Auditing logs are being presented in to your organizations SIEM/SOAR",
+ "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR). Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.",
+ "waf": "Security",
+ "guid": "f96e127e-9572-453a-b325-ff89ae9f6b44",
+ "id": "I02.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview"
+ },
+ {
+ "category": "Logging",
+ "subcategory": "SIEM/SOAR",
+ "text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR",
+ "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.",
+ "waf": "Security",
+ "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f",
+ "id": "I02.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
+ },
+ {
+ "category": "Logging",
+ "subcategory": "SIEM/SOAR",
+ "text": "Ensure that you have response plans for malicious or aberrant audit logging events",
+ "description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.",
+ "waf": "Security",
+ "guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754",
+ "id": "I02.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
+ },
+ {
+ "category": "Networking",
+ "subcategory": "Connectivity",
+ "text": "Review Public vs. Private Access connectivity methods and select the appropriate one for the workload",
+ "description": "When you create a logical server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. 
Usage of Private Endpoints has performance implications that need to be considered and assessed.", + "waf": "Security", + "guid": "2c6d356a-1784-475b-a42c-ec187dc8c925", + "id": "J01.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview" + }, + { + "category": "Networking", + "subcategory": "Connectivity", + "text": "Keep default Azure SQL Database Connection Policy if not differently required and justified", + "description": "IMPORTANT: Connections to private endpoint only support Proxy as the connection policy. When using private endpoints connections are proxied via the Azure SQL Database gateway to the database nodes. Clients will not have a direct connection.", + "waf": "Security", + "guid": "557b3ce5-bada-4296-8d52-a2d447bc1718", + "id": "J01.02", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture" + }, + { + "category": "Networking", + "subcategory": "Connectivity", + "text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall", + "description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only. If not strictly required, keep this setting to OFF.", + "waf": "Security", + "guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082", + "id": "J01.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview" + }, + { + "category": "Networking", + "subcategory": "Outbound Control", + "text": "Block or restrict outbound REST API calls to external endpoints", + "description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. 
This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.", + "waf": "Security", + "guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e", + "id": "J02.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql" + }, + { + "category": "Networking", + "subcategory": "Outbound Control", + "text": "If outbound network access is required, it is recommended to configure outbound networking restrictions using built-in Azure SQL Database control feature", + "description": "Outbound firewall rules limit network traffic from the Azure SQL Database logical server to a customer defined list of Azure Storage accounts and Azure SQL Database logical servers. Any attempt to access storage accounts or databases not in this list is denied.", + "waf": "Security", + "guid": "a566dd3d-314e-4a94-9378-102c42d82b38", + "id": "J02.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview" + }, + { + "category": "Networking", + "subcategory": "Private Access", + "text": "If Private Access connectivity is used, ensure that you are using the Private Endpoint, Azure Virtual Network, Azure Firewall, and Azure Network Security Group checklists", + "description": "Private Endpoint is created inside a subnet in an Azure Virtual Network. 
Proper security configuration must be applied also to the containing network environment, including NSG/ASG, UDR, firewall, monitoring and auditing.", + "waf": "Security", + "guid": "246cd832-f550-4af0-9c74-ca9baeeb8860", + "id": "J03.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server" + }, + { + "category": "Networking", + "subcategory": "Private Access", + "text": "If Private Endpoint (Private Access) is used, consider disabling Public Access connectivity", + "description": "When adding a Private Endpoint connection, public routing to your logical server isn't blocked by default. In the --Firewall and virtual networks-- pane, the setting --Deny public network access-- is not selected by default. To disable public network access, ensure that you select --Deny public network access--.", + "waf": "Security", + "guid": "3a0808ee-ea7a-47ab-bdce-920a6a2b3881", + "id": "J03.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server" + }, + { + "category": "Networking", + "subcategory": "Private Access", + "text": "If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to limit incoming source IP address ranges", + "description": "Network Security Group (NSG) and Application Security Group (ASG) can be now applied to subnet containing Private Endpoints to restrict connections to Azure SQLDB based on internal source IP ranges.", + "waf": "Security", + "guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2", + "id": "J03.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints" + }, + { + "category": "Networking", + "subcategory": "Private Access", + "text": "Apply Network Security Groups (NSG) and firewall rules to restrict 
access to Azure SQL Managed Instance internal subnet", + "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. Applications and tools that are in the same or peered virtual network in the same region could access it directly. Applications and tools that are in different region could use virtual-network-to-virtual-network connection or ExpressRoute circuit peering to establish connection. Customer should use Network Security Groups (NSG), and eventually internal firewalls, to restrict access over port 1433 only to resources that require access to a managed instance.", + "waf": "Security", + "guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975", + "id": "J03.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview" + }, + { + "category": "Networking", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used, leverage Service Endpoint to restrict access from selected Azure Virtual Networks", + "description": "Azure Virtual Network Service Endpoint is preferred solution if you want to establish a direct connection to the Azure SQL Database backend nodes using Redirect policy. This will allow access in high performance mode and is the recommended approach from a performance perspective.", + "waf": "Security", + "guid": "55187443-6852-4fbd-99c6-ce303597ca7f", + "id": "J04.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules" + }, + { + "category": "Networking", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used, ensure that only specific known IPs are added to the firewall", + "description": "The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted. 
This approach is fine for stable IP addresses that are outside the Azure private network.", + "waf": "Security", + "guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31", + "id": "J04.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview" + }, + { + "category": "Networking", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules", + "description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.", + "waf": "Security", + "guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768", + "id": "J04.03", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure" + }, + { + "category": "Networking", + "subcategory": "Public Access", + "text": "Do not enable Azure SQL Managed Instance public endpoint", + "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. The Managed Instance public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
If company policy disallows the use of public endpoints, use Azure Policy to prevent enabling public endpoints in the first place.", + "waf": "Security", + "guid": "b8435656-143e-41a8-9922-61d34edb751a", + "id": "J04.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview" + }, + { + "category": "Networking", + "subcategory": "Public Access", + "text": "Restrict access if Azure SQL Managed Instance public endpoint is required", + "description": "A Managed Instance (SQL MI) public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. In this case, it is recommended to apply a Network Security Groups (NSG) to restrict access to port 3342 only to trusted source IP addresses.", + "waf": "Security", + "guid": "057dd298-8726-4aa6-b590-1f81d2e30421", + "id": "J04.05", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview" + }, + { + "category": "Privileged Access", + "subcategory": "Lockbox", + "text": "Review and enable Customer Lockbox for Azure SQL Database access by Microsoft personnel", + "description": "Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. 
In support scenarios where Microsoft needs to access customer data, Azure SQL Database supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.", + "waf": "Security", + "guid": "37b6eb0f-553d-488f-8a8a-cb9bf97388ff", + "id": "K01.01", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview" + }, + { + "category": "Privileged Access", + "subcategory": "Permissions", + "text": "Ensure that users are assigned the minimum level of access necessarily to complete their job functions", + "description": "The principle of least privilege states that users shouldn't have more privileges than needed to complete their tasks. High-privileged database and server users can perform many configuration and maintenance activities on the database and can also drop databases in Azure SQL instance. Tracking database owners and privileged accounts is important to avoid having excessive permission.", + "waf": "Security", + "guid": "5fe5281f-f0f9-4842-a682-8baf18bd8316", + "id": "K02.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege" + }, + { + "category": "Privileged Access", + "subcategory": "Permissions", + "text": "Ensure that distinct applications will be assigned different credentials with minimal permissions to access Azure SQL Database", + "description": "Identities (both Users and SPNs) should be scoped to the least amount of access needed to perform the function. A higher number of tightly scoped SPNs should be used, instead of having one SPN with multiple sets of unrelated permissions. For example, if there are three external web applications hosted on-prem that make queries to the Azure SQL Database, they should not all use the same SPN for these activities. 
Instead, they should each have their own tightly scoped SPN.", + "waf": "Security", + "guid": "7b5b55e5-4750-4920-be97-eb726c256a5c", + "id": "K02.02", + "severity": "Low", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access" } -} \ No newline at end of file + ], + "categories": [ + { + "name": "BCDR" + }, + { + "name": "Defender" + }, + { + "name": "Encryption" + }, + { + "name": "Identity" + }, + { + "name": "Privileged Access" + }, + { + "name": "Ledger" + }, + { + "name": "Logging" + }, + { + "name": "Networking" + }, + { + "name": "Data Discovery and Classification" + }, + { + "name": "Data Masking" + }, + { + "name": "Code" + } + ], + "waf": [ + { + "name": "Reliability" + }, + { + "name": "Security" + }, + { + "name": "Cost" + }, + { + "name": "Operations" + }, + { + "name": "Performance" + } + ], + "yesno": [ + { + "name": "Yes" + }, + { + "name": "No" + } + ], + "status": [ + { + "name": "Not verified", + "description": "This check has not been looked at yet" + }, + { + "name": "Open", + "description": "There is an action item associated to this check" + }, + { + "name": "Fulfilled", + "description": "This check has been verified, and there are no further action items associated to it" + }, + { + "name": "Not required", + "description": "Recommendation understood, but not needed by current requirements" + }, + { + "name": "N/A", + "description": "Not applicable for current design" + } + ], + "severities": [ + { + "name": "High" + }, + { + "name": "Medium" + }, + { + "name": "Low" + } + ], + "metadata": { + "name": "Azure SQLDB Security Checklist (Preview)", + "state": "Preview", + "timestamp": "10/20/2023 11:32:31" + } +}