Framework/Configurations/SVT/Services/SQLDatabase.json

{
    "FeatureName": "SQLDatabase",
    "Reference": "aka.ms/azsdkosstcp/sqlserver",
    "IsManintenanceMode": false,
    "Controls": [
                     {
                         "ControlID": "Azure_SQLDatabase_Deploy_Use_Latest_Version",
                         "Description": "Must use SQL DB v12",
                         "Id": "SQLDatabase110",
                         "ControlSeverity": "Low",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlServerVersionUpgrade",
                         "Recommendation": "Run command Start-AzureRmSqlServerUpgrade -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -ServerVersion 12.0. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/start-azurermsqlserverupgrade?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "Deploy",
                                      "SOX"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthZ_Use_AAD_Admin",
                         "Description": "Must use an Azure AD (AAD) admin - it must be set up as a GROUP following the principle of least-privilege access (LPA)",
                         "Id": "SQLDatabase120",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlServerADAdmin",
                         "Recommendation": "Run command Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DisplayName '{AzureAdAdmin Display Name}'. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "AuthZ"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_Audit_Enable_Logging_and_Monitoring_Server",
                         "Description": "Enable SQL Server audit with the selected event types and a minimum retention period of $($this.ControlSettings.SqlServer.AuditRetentionPeriod_Days) days",
                         "Id": "SQLDatabase130",
                         "ControlSeverity": "Medium",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlServerAuditing",
                         "Recommendation": "Run command Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StorageAccountName '{StorageAccountName}' -EventType 'All' -RetentionInDays 365 -TableIdentifier '{TableIdentifier}'. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "Audit",
                                      "SOX"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_Audit_Enable_Logging_and_Monitoring_DB",
                         "Description": "Enable SQL Database audit with the selected event types and a minimum retention period of $($this.ControlSettings.SqlServer.AuditRetentionPeriod_Days) days",
                         "Id": "SQLDatabase140",
                         "ControlSeverity": "Medium",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlDatabaseAuditing",
                         "Recommendation": "Run command Set-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -StorageAccountName '{StorageAccountName}' -EventType 'All' -RetentionInDays 365. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqldatabaseauditingpolicy?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "Audit",
                                      "SOX"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_DP_Enable_TDE",
                         "Description": "Transparent data encryption (TDE) must be enabled",
                         "Id": "SQLDatabase150",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlDatabaseTDE",
                         "Recommendation": "Run command Set-AzureRmSqlDatabaseTransparentDataEncryption -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -State 'Enabled'. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqldatabasetransparentdataencryption?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "DP",
                                      "SOX"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server",
                         "Description": "Enable SQL Server threat detection with no excluded detection types and with email notification to admins enabled",
                         "Id": "SQLDatabase160",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlServerThreatDetection",
                         "Recommendation": "Run command Set-AzureRmSqlServerThreatDetectionPolicy -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StorageAccountName '{StorageAccountName}' -EmailAdmins '{EmailAdmins}' -ExcludedDetectionType 'None'. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverthreatdetectionpolicy?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "Audit",
                                      "SOX"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_Audit_Enable_Threat_Detection_DB",
                         "Description": "Enable SQL Database threat detection with no excluded detection types and with email notification to admins enabled",
                         "Id": "SQLDatabase170",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlDatabaseThreatDetection",
                         "Recommendation": "Run command Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -DatabaseName '{DatabaseName}' -EmailAdmins '{EmailAdmins}' -ExcludedDetectionType 'None'. Refer Link - https://docs.microsoft.com/en-in/powershell/module/azurerm.sql/set-azurermsqldatabasethreatdetectionpolicy?view=azurermps-2.2.0",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "Audit",
                                      "SOX"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthZ_Enable_Firewall",
                         "Description": "SQL Server firewall must be enabled",
                         "Id": "SQLDatabase180",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlDatabaseFirewallEnabled",
                         "Recommendation": "Run command New-AzureRmSqlServerFirewallRule -FirewallRuleName '{FirewallRuleName}' -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}' -StartIpAddress '{StartIpAddress}' -EndIpAddress '{EndIpAddress}'. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/new-azurermsqlserverfirewallrule?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "AuthZ",
                                      "SOX"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthZ_Use_IP_Firewall_Rules_DB",
                         "Description": "If there are multiple databases on a server, always set database level firewall rules",
                         "Id": "SQLDatabase190",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Grant access to databases based on the originating IP address of each request. Refer Link - https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthZ"
                                  ],
                         "Enabled": true
                     },
                      
                     {
                         "ControlID": "Azure_SQLDatabase_AuthN_Dont_Use_SQL_AuthN",
                         "Description": "No SQL Server Authentication is permitted",
                         "Id": "SQLDatabase210",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Install .NET Framework 4.6 or later on client machines from which applications or users connect to Azure SQL Database. Install the Azure Active Directory Authentication Library for SQL Server. Use SSMS 2016 or later to use AAD Integrated Auth. Refer Link - https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthN"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthN_Use_AD_User_Or_Group",
                         "Description": "There must be an AD contained user/group in the user database",
                         "Id": "SQLDatabase220",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Use a domain group. Refer Links - https://docs.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql, https://docs.microsoft.com/en-gb/azure/sql-database/sql-database-manage-logins",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthN"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthN_Use_AAD_Credentials",
                         "Description": "Any database in the SQL Server must be associated with AAD",
                         "Id": "SQLDatabase230",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "To associate the DB with AAD, go to Settings, select your subscription, click Edit Directory, and select and remove the non-corporate AAD mapping. NOTE: Many subscriptions are already associated with AAD and no editing is possible; in that case you will see Subscription, Subscription ID, Account Administrator, and Directory grayed out. Refer Link - https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/#3-optional-associate-or-change-the-active-directory-that-is-currently-associated-with-your-azure-subscription",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthN"
                                  ],
                         "Enabled": true
                     },
 
                     {
                         "ControlID": "Azure_SQLDatabase_Audit_Review_Logs_Periodically",
                         "Description": "Logs should be reviewed routinely",
                         "Id": "SQLDatabase250",
                         "ControlSeverity": "Medium",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Use Azure SQL Audit Logs Excel template to review logs. Refer Link - https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing#subheading-3",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "Audit"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_DP_Use_Client_Side_Encryption",
                         "Description": "Client-Side encryption must be used",
                         "Id": "SQLDatabase260",
                         "ControlSeverity": "Medium",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "The preferred column-level encryption solution is 'Always Encrypted'. Silver Spring is available now as a Microsoft-internal open-source SDK with integrated data encryption key management and Azure Key Vault protection. Refer Link - https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_DP_Escrow_Asymmetric_Keys",
                         "Description": "Asymmetric keys must be escrowed",
                         "Id": "SQLDatabase270",
                         "ControlSeverity": "Rem",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Do not have the Azure Key Vault create the asymmetric key. Get a certificate from the trusted provider.",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_DP_Protect_Symmetric_Keys",
                         "Description": "Symmetric keys must be protected by RSA Asymmetric keys",
                         "Id": "SQLDatabase280",
                         "ControlSeverity": "Rem",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Do not have the Azure Key Vault create the asymmetric key. Get a certificate from the trusted provider. Export the certificate and the private key in pfx format. Provide metadata mapping the symmetric data encryption key, the asymmetric keys, and the encrypted data.",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_DP_Store_Secrets_in_Key_Vault",
                         "Description": "Asymmetric keys must be protected in a Key Vault",
                         "Id": "SQLDatabase290",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Get asymmetric key pair and certificate from the trusted provider. Do not use Add-AzureKeyVaultKey to create asymmetric key directly in Azure Key Vault.",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_DP_Dont_Generate_Asymmetric_Keys_Keyvault",
                         "Description": "Asymmetric keys must not be generated by Key Vault",
                         "Id": "SQLDatabase300",
                         "ControlSeverity": "Medium",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Do not use Add-AzureKeyVaultKey to create the asymmetric key directly in Azure Key Vault. Get a certificate from the trusted provider.",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_DP_CLE_Key_Protection",
                         "Description": "CLE keys must be protected by RSA Asymmetric keys",
                         "Id": "SQLDatabase310",
                         "ControlSeverity": "Medium",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Get asymmetric key pair from the trusted provider.",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthZ_Grant_Min_Access",
                         "Description": "Access to SQL Servers and DBs must be controlled on a need to know basis",
                         "Id": "SQLDatabase320",
                         "ControlSeverity": "Medium",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Use SSMS Object Explorer or T-SQL to assign database roles, e.g. db_datareader, db_datawriter, db_securityadmin: 'ALTER ROLE db_datareader ADD MEMBER ApplicationUser;' allows ApplicationUser to read data, and 'ALTER ROLE db_datawriter ADD MEMBER ApplicationUser;' allows ApplicationUser to write data. Refer Links - https://azure.microsoft.com/en-us/documentation/articles/sql-database-security/#authorization, http://blogs.technet.com/b/scotts-it-blog/archive/2014/09/03/adding-accounts-to-database-roles-in-sql-server-2012.aspx",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthZ"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthZ_Use_Least_Priv_Accounts",
                         "Description": "Must use the application user account with more limited permissions to connect from application to the database",
                         "Id": "SQLDatabase330",
                         "ControlSeverity": "Rem",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Use SSMS Object Explorer or T-SQL to assign database roles, e.g. db_datareader, db_datawriter, db_securityadmin: 'ALTER ROLE db_datareader ADD MEMBER ApplicationUser;' allows ApplicationUser to read data, and 'ALTER ROLE db_datawriter ADD MEMBER ApplicationUser;' allows ApplicationUser to write data. Refer Links - https://azure.microsoft.com/en-us/documentation/articles/sql-database-security/#authorization, http://blogs.technet.com/b/scotts-it-blog/archive/2014/09/03/adding-accounts-to-database-roles-in-sql-server-2012.aspx, https://azure.microsoft.com/en-us/documentation/articles/sql-database-security/#connection-security",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthZ"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthZ_Allow_Only_Outbound",
                         "Description": "VMs and Worker roles must permit outbound TCP 1433 only, no inbound",
                         "Id": "SQLDatabase340",
                         "ControlSeverity": "Rem",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Block inbound connections on TCP port 1433. Refer Link - https://azure.microsoft.com/en-us/documentation/articles/sql-database-security-guidelines/. For Web and Worker Roles: http://onwindowsazure.com/setting-acls-on-your-windows-azure-inputendpoints/",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthZ"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthN_Validate_SQL_Server_Cert",
                         "Description": "All connections to the SQL Server must verify the identity of the SQL Server by validating the SQL Server certificate",
                         "Id": "SQLDatabase350",
                         "ControlSeverity": "Rem",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Set Encrypt=True and TrustServerCertificate=False in the DB connection string. If you copy the connection strings provided in the Azure Portal, these are already configured for ADO.NET app code, ODBC, PHP, and JDBC. In the Azure Portal: SQL databases > mySQLdb > Database connection strings. SSMS also supports certificate validation: in the 'Connect to Server' dialog box click the 'Options' tab, then the 'Connection Properties' tab; 'Trust server certificate' must not be checked, and 'Encrypt connection' must be checked. Refer Link - https://azure.microsoft.com/en-us/documentation/articles/sql-database-security-guidelines/",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthN"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_SQLDatabase_AuthZ_Configure_IP_Range",
                         "Description": "Consider configuring SQL Server firewall IP address ranges for additional protection (do not add an Any-to-Any IP range $($this.ControlSettings.UniversalIPRange))",
                         "Id": "SQLDatabase360",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckSqlDatabaseFirewallIPAddressRange",
                         "Recommendation": "Do not configure an Any-to-Any firewall IP address rule. Run command Remove-AzureRmSqlServerFirewallRule -FirewallRuleName '{AnyToAny FirewallRule Name}' -ResourceGroupName '{ResourceGroupName}' -ServerName '{ServerName}'. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "Best Practice",
                                      "Automated",
                                      "AuthZ",
                                      "SOX"
                                  ],
                         "Enabled": true
                     }
                 ]
}