Perform vulnerability assessment


SQL Vulnerability Assessment is an easy-to-configure service that discovers, tracks, and helps you remediate potential database vulnerabilities, so you can proactively improve your database security.

Vulnerability Assessment (VA) is part of the Azure Defender for SQL offering, a unified package of advanced SQL security capabilities, and it is accessed and managed from the central Azure Defender for SQL portal.

Vulnerability Assessment

SQL Vulnerability Assessment is a service that provides visibility into your security state. Vulnerability Assessment includes actionable steps to resolve security issues and enhance your database security. It can help you:

  • Meet compliance requirements that call for database scan reports.
  • Meet data privacy standards.
  • Monitor a dynamic database environment where changes are difficult to track.

Vulnerability Assessment is a scanning service built into Azure SQL Database. The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.

Scan results include actionable steps to resolve each issue and, where applicable, customized remediation scripts. You can also tailor the assessment report to your environment by setting an acceptable baseline for:

  • Permission configurations
  • Feature configurations
  • Database settings

Implement Vulnerability Assessment

The following steps implement the vulnerability assessment:

Run a scan

  • Go to your Azure SQL Database, SQL Managed Instance database, or Azure Synapse resource in the Azure portal.
  • Under the Security heading, select Security center.
  • Click Select Storage on the Vulnerability Assessment pane to open the Vulnerability Assessment settings pane for the entire server or managed instance.
  • Configure a storage account where the scan results for all databases on the server or managed instance will be stored. After storage is configured, select Scan to scan your database for vulnerabilities.

View the report

When the scan finishes, the scan report is automatically displayed in the Azure portal. The report presents an overview of your security state: it lists how many issues were found and their respective severities. Results include warnings on deviations from best practices and a snapshot of your security-related settings, including database principals and roles and their associated permissions. The scan report also provides a map of sensitive data discovered in your database.

Analyze the results and resolve issues

Review the results and determine which findings in the report are true security issues in your environment. Drill down into each failed result to understand the impact of the finding and why the security check failed. Then use the actionable remediation information in the report to resolve the issue.

Set your baseline

As you review your assessment results, you can mark specific results as an acceptable baseline for your environment. The baseline is essentially a customization of how the results are reported: results that match the baseline are considered passing in subsequent scans. After you've established your baseline security state, Vulnerability Assessment reports only deviations from that baseline.

Run a new scan to see your customized tracking report

After you finish setting up your Rule Baselines, run a new scan to view the customized report. Vulnerability Assessment now reports only the security issues that deviate from your approved baseline state.

Set up periodic recurring scans

Go to the Vulnerability Assessment settings to turn on Periodic recurring scans. This setting configures Vulnerability Assessment to automatically run a scan on your database once per week. A scan result summary is sent to the email addresses you provide.

Export an assessment report

Select Export Scan Results to create a downloadable Excel report of the scan result. The report contains a Summary tab that gives an overview of the assessment and lists all failed checks, and a Results tab that contains the full set of results from the scan: every check that was run and the result details for each.

View scan history

Select Scan History in the Vulnerability Assessment pane to view a history of all scans previously run on this database, then select a particular scan in the list to view its detailed results. Vulnerability Assessment can thus be used to monitor that your database maintains a high level of security at all times and that your organizational policies are met. If compliance reports are required, Vulnerability Assessment reports can help facilitate the compliance process.

Manage Vulnerability Assessment baseline rules by using Resource Manager templates

To configure Vulnerability Assessment baselines by using Azure Resource Manager templates, use the Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines type.

Ensure that the vulnerabilityAssessments resource is enabled before you add baselines.

Here is an example that defines baseline rules VA2065 for the master database and VA1143 for a user database as resources in a Resource Manager template:

[Image: Resource Manager template defining the VA2065 and VA1143 baseline rules. Image Source: Microsoft]

For master database and user database, the resource names are defined differently:

  • Master database – "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/master')]",
  • User database – "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/default')]",

To baseline a Boolean check (true/false), set the baseline result to a binary value such as "1" or "0".

[Image: Resource Manager template baselining a Boolean rule result with "1"/"0". Image Source: Microsoft]
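As an added example (not the page's or Microsoft's own template), here is a complete Resource Manager template that defines both baselines described above: VA2065 on the master database and VA1143 on a user database, with the Boolean result set as "1". It assumes the vulnerabilityAssessments resource already exists on the server; the apiVersion shown is an assumption, and the firewall-rule rows baselined for VA2065 are constructed sample values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "server_name": { "type": "string" },
    "database_name": { "type": "string" }
  },
  "resources": [
    {
      "comments": "Baseline for rule VA2065 on the master database. apiVersion is an assumed value; the result rows are constructed sample firewall rules (name, start IP, end IP).",
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
      "apiVersion": "2018-06-01-preview",
      "name": "[concat(parameters('server_name'), '/', parameters('database_name'), '/default/VA2065/master')]",
      "properties": {
        "baselineResults": [
          { "result": ["AllowMonitoringHost", "10.0.0.10", "10.0.0.10"] },
          { "result": ["AllowAppSubnet", "10.0.1.0", "10.0.1.255"] }
        ]
      }
    },
    {
      "comments": "Baseline for rule VA1143 on the user database. A Boolean check is baselined with \"1\" (true) or \"0\" (false).",
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
      "apiVersion": "2018-06-01-preview",
      "name": "[concat(parameters('server_name'), '/', parameters('database_name'), '/default/VA1143/default')]",
      "properties": {
        "baselineResults": [
          { "result": ["1"] }
        ]
      }
    }
  ]
}
```

Each row in baselineResults must match the column layout of that rule's scan result exactly; a mismatched row is not treated as a baseline, so verify the layout against a prior scan before deploying.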

Reference: Microsoft Documentation
