rules/findings/azure/databases/azure_sql/azure-sql-firewall-rule-overly-permissive.json
{
"args": [], "provider": "Azure", "serviceType": "SQL Database", "serviceName": "Databases", "displayName": "Ensure no Azure SQL Database firewall rule is overly permissive", "description": "Ensure that no SQL Databases have overly permissive firewall rules (e.g. a rule allowing traffic with a start IP address of 0.0.0.0 and an end IP address of 255.255.255.255, or other combinations allowing large swathes of IP addresses).", "rationale": "The preferred setting for Public Network Access is disabled. If Public Network Access is disabled, this recommendation is moot. In general, the use of well-architected Private Endpoints for network traffic management is strongly preferred to allowing any public network access.<br/><br/>Where Public Network Access must be allowed as an exception, Azure SQL Server provides a firewall to explicitly define traffic allowance and denial. In order to reduce the potential attack surface for a SQL server, firewall rules should be reviewed from time to time to ensure that no rule is overly permissive, and all included rules are justified through association with known and trusted sources and destinations.<br/><br/>NOTE: For some Azure services to work with Azure SQL databases, the Allow Azure services and resources to access this server exception may need to be allowed. This exception creates a firewall rule named AllowAllWindowsAzureIps that may be considered overly permissive. It should be noted that this exception places implicit trust on a rule which is defined and managed by Microsoft. This rule can be viewed in the SQL database's master database under sys.firewall_rules (more details here:\nhttps://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-firewall-rules-azure-sql-database?view=azuresqldb-current).", "impact": "Managing firewall rules will require some consideration from a network architecture perspective to ensure appropriate traffic is allowed.", "remediation": { "text": " #### Remediate from Azure Portal 1. Search for and open SQL servers 2. For each SQL server listed, click on the server name to open the resource management window 3. Expand the Security section, then click on Networking 4. On the `Public access` tab, if public network access is set to `Selected Networks`, scroll down to the Firewall Rules section 5. Remove overly permissive firewall rules and ensure that any remaining rules contain only source and destination IPs which are trusted. ", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017", "https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure?view=azuresql#connections-from-inside-azure", "https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current", "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls" ], "compliance": [ { "name": "CIS Microsoft Azure Database Services", "version": "2.0.0", "reference": "9.3", "profile": [ "Level 1" ] } ], "level": "medium", "tags": [], "rule": { "path": "az_sql_servers", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "networking.firewall.StartIpAddress", "eq", "_ARG_0_" ], [ 
"networking.firewall.EndIpAddress", "eq", "_ARG_1_" ] ], "operator": "and" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "Name": "Server Name", "Location": "Location", "ResourceGroupName": "Resource Group", "networking.firewall.RuleName": "Rule Name", "networking.firewall.StartIpAddress": "StartIpAddress", "networking.firewall.EndIpAddress": "EndIpAddress" }, "expandObject": "networking.firewall" }, "table": "default", "decorate": [], "emphasis": [], "actions": { "objectData": { "properties": [ "Name", "Location", "RuleName", "StartIpAddress", "EndIpAddress" ], "expandObject": "networking.firewall", "limit": null }, "showGoToButton": true, "showModalButton": true, "directLink": null } }, "text": { "data": { "properties": { "Name": "Server Name", "Location": "Location", "ResourceGroupName": "Resource Group", "networking.firewall.RuleName": "Rule Name", "networking.firewall.StartIpAddress": "StartIpAddress", "networking.firewall.EndIpAddress": "EndIpAddress" }, "expandObject": "networking.firewall" }, "status": { "keyName": ["name"], "message": "Ensure no Azure SQL Database firewall rule is overly permissive for {name}", "defaultMessage": null }, "properties": { "resourceName": "name", "resourceId": "id", "resourceType": "type" }, "onlyStatus": false } }, "idSuffix": "azure_sql_overly_permissive_firewall_rule", "notes": [], "categories": [], "immutable_properties": [ "name", "id" ], "id": "azure_sql_003" } |