| field | value |
|---|---|
| title | SQL Vulnerability Assessment - Azure SQL Database \| Microsoft Docs |
| description | Learn how to configure and run SQL Vulnerability Assessment on SQL Database, and interpret the assessment reports. |
| services | sql-database |
| ms.service | sql-database |
| ms.subservice | security |
| ms.topic | conceptual |
| author | ronitr |
| ms.author | ronitr |
| ms.reviewer | vanto, carlrab |
| manager | craigg |
| ms.date | 10/05/2018 |
SQL Vulnerability Assessment is an easy to configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security.
Vulnerability Assessment is part of the SQL Advanced Threat Protection (ATP) offering, which is a unified package for advanced SQL security capabilities. Vulnerability Assessment can be accessed and managed via the central SQL ATP portal.
SQL Vulnerability Assessment (VA) is a service that provides visibility into your security state and includes actionable steps to resolve security issues and enhance your database security. It can help you:
- Meet compliance requirements that require database scan reports.
- Meet data privacy standards.
- Monitor a dynamic database environment where changes are difficult to track.
Vulnerability Assessment is a scanning service built into the Azure SQL Database service. The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft’s best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover both database-level issues as well as server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. An assessment report can be customized for your environment by setting an acceptable baseline for permission configurations, feature configurations, and database settings.
The following steps implement VA on SQL Database.
Get started with VA by navigating to Advanced Threat Protection under the Security heading in your Azure SQL Database pane. Click to enable Advanced Threat Protection, and then click on the Vulnerability Assessment card, which automatically opens the Vulnerability Assessment settings card.
Start by configuring a storage account where your scan results will be stored. For information about storage accounts, see About Azure storage accounts. Because the stored results include a snapshot of your database principals and their permissions, as well as a map of where sensitive data lives, restrict access to that storage account as tightly as you restrict access to the database itself. Once storage is configured, click Scan to scan your database for vulnerabilities.
Note
The scan is lightweight and safe. It takes a few seconds to run, and is entirely read-only. It does not make any changes to your database.
When your scan is complete, your scan report is automatically displayed in the Azure portal. The report presents an overview of your security state: how many issues were found and their respective severities. Results include warnings on deviations from best practices and a snapshot of your security-related settings, such as database principals and roles and their associated permissions. The scan report also provides a map of sensitive data discovered in your database, and includes recommendations to classify that data using Data Discovery & Classification.
Review your results and determine the findings in the report that are true security issues in your environment. Drill down to each failed result to understand the impact of the finding and why each security check failed. Use the actionable remediation information provided by the report to resolve the issue.
As you review your assessment results, you can mark specific results as an acceptable baseline for your environment. The baseline is essentially a customization of how the results are reported: results that match the baseline are considered as passing in subsequent scans. Baseline only results you have actually reviewed and accepted; anything in the baseline is reported as passing from then on, so an overly broad baseline hides the very deviations the scan is meant to surface. Once you have established your baseline security state, VA only reports on deviations from the baseline and you can focus your attention on the relevant issues.
After you complete setting up your Rule Baselines, run a new scan to view the customized report. VA now reports only the security issues that deviate from your approved baseline state.
Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. If compliance reports are required, VA reports can be helpful to facilitate the compliance process.
Navigate to the Vulnerability Assessment settings to turn on Periodic recurring scans. This configures Vulnerability Assessment to automatically run a scan on your database once per week. A scan result summary will be sent to the email address(es) you provide.
Click Export Scan Results to create a downloadable Excel report of your scan result. This report contains a summary tab that displays a summary of the assessment, including all failed checks. It also includes a Results tab containing the full set of results from the scan, including all checks that were run and the result details for each.
Click Scan History in the VA pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.
You can use Azure PowerShell cmdlets to programmatically manage your vulnerability assessments. The supported cmdlets are:
- Update-AzureRmSqlDatabaseVulnerabilityAssessmentSettings: Updates the vulnerability assessment settings of a database.
- Get-AzureRmSqlDatabaseVulnerabilityAssessmentSettings: Returns the vulnerability assessment settings of a database.
- Clear-AzureRmSqlDatabaseVulnerabilityAssessmentSettings: Clears the vulnerability assessment settings of a database.
- Set-AzureRmSqlDatabaseVulnerabilityAssessmentRuleBaseline: Sets the vulnerability assessment rule baseline.
- Get-AzureRmSqlDatabaseVulnerabilityAssessmentRuleBaseline: Gets the vulnerability assessment rule baseline for a given rule.
- Clear-AzureRmSqlDatabaseVulnerabilityAssessmentRuleBaseline: Clears the vulnerability assessment rule baseline. Set a baseline before using this cmdlet to clear it.
- Start-AzureRmSqlDatabaseVulnerabilityAssessmentScan: Triggers the start of a vulnerability assessment scan.
- Get-AzureRmSqlDatabaseVulnerabilityAssessmentScanRecord: Gets all vulnerability assessment scan records associated with a given database.
- Convert-AzureRmSqlDatabaseVulnerabilityAssessmentScan: Converts vulnerability assessment scan results to an Excel file.
For a script example, see Azure SQL Vulnerability Assessment PowerShell support.
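The following script is an added example, not code from the original page or from the linked PowerShell sample. It walks the portal procedure described above (configure storage, scan, baseline an accepted result, rescan, turn on weekly scans, export to Excel, list scan history) using the cmdlets listed in this section. The resource group, server, database, storage account and notification address are placeholders; the rule ID VA2108 and the baseline rows are an assumed illustration, and you should copy the real rule ID and row values from your own scan report. It also assumes the AzureRM.Sql module is imported, Connect-AzureRmAccount has been run, the storage account already exists, and Advanced Threat Protection is already enabled on the server (the page does that in the portal). The scan-record property names used in the output lines (State, ScanId, NumberOfFailedSecurityChecks, ExportedReportLocation) are those returned by the AzureRM cmdlets; confirm them with Get-Member on your version of the module.

```powershell
# Added example (not from the original page): the portal procedure, scripted with
# the AzureRM.Sql Vulnerability Assessment cmdlets. All names below are placeholders.
# Assumes: AzureRM.Sql imported, Connect-AzureRmAccount already run, the storage
# account already exists, and Advanced Threat Protection already enabled on the server.

$rg      = "ResourceGroup01"            # placeholder
$server  = "server01"                   # placeholder
$db      = "Database01"                 # placeholder
$storage = "vascanresults01"            # placeholder; must already exist
$notify  = @("secops@contoso.com")      # placeholder

# Step 1: point VA at a storage account; start without recurring scans.
# Results include your principal/permission snapshot and a sensitive-data map,
# so restrict access to this account as tightly as to the database itself.
Update-AzureRmSqlDatabaseVulnerabilityAssessmentSettings `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -StorageAccountName $storage `
    -ScanResultsContainerName "vulnerability-assessment" `
    -RecurringScansInterval None `
    -EmailAdmins $false `
    -NotificationEmail $notify

# Helper: poll a scan record until it leaves the InProgress state.
function Wait-VaScan {
    param([string]$ScanId)
    do {
        Start-Sleep -Seconds 5
        $rec = Get-AzureRmSqlDatabaseVulnerabilityAssessmentScanRecord `
            -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $ScanId
    } while ($rec.State -eq "InProgress")
    return $rec
}

# Step 2: run an on-demand, read-only scan and wait for it to finish.
$first = Start-AzureRmSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db
$first = Wait-VaScan -ScanId $first.ScanId
"Initial scan $($first.ScanId): $($first.State), failed checks: $($first.NumberOfFailedSecurityChecks)"

# Step 3: baseline a result you have reviewed and accepted. VA2108 and these rows are
# an ASSUMED example; each inner array is one row of that rule's result, copied
# exactly as the report shows it. Add -RuleAppliesToMaster for server-level rules.
# Everything baselined is reported as passing afterwards, so keep this list tight.
Set-AzureRmSqlDatabaseVulnerabilityAssessmentRuleBaseline `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -RuleId "VA2108" `
    -BaselineResult @(
        @("deploy_svc", "db_ddladmin", "SQL_USER", "None"),
        @("dba_break_glass", "db_owner", "SQL_USER", "None")
    )

# Step 4: rescan; only deviations from the approved baseline should now fail.
$second = Start-AzureRmSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db
$second = Wait-VaScan -ScanId $second.ScanId
"Post-baseline scan $($second.ScanId): $($second.State), failed checks: $($second.NumberOfFailedSecurityChecks)"

# Step 5: turn on weekly recurring scans with a summary e-mailed to $notify.
Update-AzureRmSqlDatabaseVulnerabilityAssessmentSettings `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -StorageAccountName $storage `
    -ScanResultsContainerName "vulnerability-assessment" `
    -RecurringScansInterval Weekly `
    -EmailAdmins $true `
    -NotificationEmail $notify

# Step 6: export the latest scan as an Excel report (written to the same storage account).
$export = Convert-AzureRmSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $second.ScanId
"Excel report: $($export.ExportedReportLocation)"

# Step 7: scan history for this database, oldest first.
Get-AzureRmSqlDatabaseVulnerabilityAssessmentScanRecord `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Sort-Object StartTime |
    Format-Table ScanId, TriggerType, State, StartTime, NumberOfFailedSecurityChecks -AutoSize
```

The two Update calls differ only in the recurring-scan settings: the first establishes storage before the initial scan, the second switches on the weekly schedule once a baseline is in place, so the first recurring report already reflects only deviations from the accepted state. Run Get-AzureRmSqlDatabaseVulnerabilityAssessmentRuleBaseline with the same -RuleId to confirm what was baselined before relying on the post-baseline result.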
- Learn more about SQL Advanced Threat Protection
- Learn more about Data Discovery & Classification