Merge pull request #312 from igorpag/igorpag-sqldb-security-checklist1
Second version of the checklist
erjosito authored Jan 19, 2023
2 parents 4ef522a + ad87dff commit deba8e8
Showing 1 changed file with 28 additions and 73 deletions.
101 changes: 28 additions & 73 deletions checklists/sqldb_security_checklist.en.json
Expand Up @@ -4,7 +4,7 @@
{
"category": "BCDR",
"subcategory": "Backup",
"text": "Ensure that Azure SQLDB is having regular automated backups",
"text": "Configure Azure SQL Database automated backups",
"description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.",
"guid": "e2518261-b3bc-4bd1-b331-637fb2df833f",
"severity": "Medium",
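Review bot: The new text "Configure Azure SQL Database automated backups" implies something must be switched on, but the description it sits above says these backups (weekly full, 12-24 h differential, 5-10 min log, geo-redundant by default) happen automatically. State what the reviewer should actually verify, for example that the backup storage redundancy matches the workload's recovery requirement, or reword to "Verify that automated backups and their storage redundancy meet recovery requirements".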
Expand All @@ -28,28 +28,10 @@
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data"
},
{
"category": "BCDR",
"subcategory": "Backup",
"text": "Periodically validate all backups including customer-managed keys",
"description": "It is recommended that validation of application readiness for recovery workflow is performed periodically. Verifying the application behavior and implications of data loss and/or the disruption that failover involves is a good engineering practice. It is also a requirement by most industry standards as part of business continuity certification. Performing a disaster recovery drill consists of: (1) Simulating data tier outage (2) Recovering (3) Validate application integrity post recovery.",
"guid": "a604bd0b-e62d-4037-8318-b62a476ea771",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/sql-database-security-baseline#br-3-validate-all-backups-including-customer-managed-keys"
},
{
"category": "BCDR",
"subcategory": "Azure Key Vault",
"text": "Mitigate risk of Azure Key Vault (AKV) lost keys used in Azure SQL Database",
"description": "Ensure that you have measures in place to prevent and recover from the loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.",
"guid": "c7bb4dc5-4cd9-4215-a46d-9ddd2566f845",
"severity": "Low",
"link": "https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery"
},
{
"category": "Data Discovery and Classification",
"subcategory": "Data Discovery and Classification",
"text": "Use Azure SQL Database Data Discovery and Classification to discover, classify, label, and protect the sensitive",
"text": "Plan and configure Data Discovery & Classification to protect the sensitive data",
"description": "Discover columns that potentially contain sensitive data. What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. Classify the columns to use advanced sensitivity-based auditing and protection scenarios. Review results of automated discovery and finalize the classification if necessary.",
"guid": "",
"severity": "Low",
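Review bot: Two controls are deleted here with no rationale in the commit message ("Second version of the checklist"): the periodic backup validation / DR drill item (BR-3) and the Key Vault soft delete and purge protection item. The second one is the only entry covering loss of customer-managed keys, which its own description says needs both prevention and recovery measures; if these were moved to another checklist, say so in the PR, otherwise keep them. Separately, the Data Discovery & Classification item whose text is reworded in this hunk still has "guid": "" two lines below the new text; since the entry is being touched anyway, give it a GUID so it is addressable like every other item.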
Expand All @@ -58,7 +40,7 @@
{
"category": "Data Discovery and Classification",
"subcategory": "Purview",
"text": "For complex and rich database schemas, or to manage at large scale, Microsoft Purview is highly recommended for Data Discovery and Classification",
"text": "Use Microsoft Purview for complex and rich database schemas or to manage at scale",
"description": "We continue to support SQL Data Discovery & Classification and encourage you to adopt Microsoft Purview which has richer capabilities to drive advanced classification capabilities and data governance.",
"guid": "e2e49f0c-ebab-4971-bc88-b9713080ce8d",
"severity": "Low",
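Review bot: Style, description line: "encourage you to adopt Microsoft Purview which has richer capabilities to drive advanced classification capabilities" repeats "capabilities" and reads as marketing copy; since the text line is being tightened, tighten the description to match, e.g. "Microsoft Purview offers richer classification and data governance capabilities than the built-in SQL Data Discovery & Classification".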
Expand All @@ -67,7 +49,7 @@
{
"category": "Data Discovery and Classification",
"subcategory": "Data Discovery and Classification",
"text": "Regularly monitor the classification dashboard for an accurate assessment of the database's classification state",
"text": "Review database classification state for accurate assessment",
"description": "Data Discovery & Classification is built into Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It provides basic capabilities for discovering, classifying, labeling, and reporting the sensitive data in your databases. You can view the database-classification state in a detailed dashboard in the Azure portal. Also, you can download a report in Excel format to use for compliance and auditing purposes and other needs.",
"guid": "0b30c724-9d42-4294-9db5-b60b121384bc",
"severity": "Low",
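Review bot: The reworded text drops "Regularly", which was the actionable part of the old title: the control is a recurring review of the classification dashboard, not a one-off. "for accurate assessment" is also vague. Suggest "Regularly review the database classification state in the dashboard" and leave the justification to the description.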
Expand All @@ -85,7 +67,7 @@
{
"category": "Defender",
"subcategory": "Defender for Azure SQL",
"text": "Enable Microsoft Defender for Azure SQL at the subscription level",
"text": "Enable Microsoft Defender for Azure SQL",
"description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.",
"guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1",
"severity": "High",
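Review bot: Dropping "at the subscription level" from the text while the description's first sentence still leads with it makes the check ambiguous: as written, a reviewer can tick the box with Defender enabled on a single database, which is exactly what the description says not to rely on. Keep the scope in the title, or reword to "Enable Microsoft Defender for Azure SQL at the subscription level (opt out per database if needed)".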
Expand All @@ -94,7 +76,7 @@
{
"category": "Defender",
"subcategory": "Vulnerability Assessment",
"text": "Review and complete Vulnerability Assessment (VA) configuration",
"text": "Configure Vulnerability Assessment (VA) findings and review recommendations",
"description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.",
"guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca",
"severity": "High",
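Review bot: "Configure Vulnerability Assessment (VA) findings" is wrong: findings are produced by VA scans, not configured. Suggest "Configure Vulnerability Assessment (VA) and review its findings and recommendations". Also, the unchanged description still says "Azure SQLDB vulnerability assessment" while the rest of this change is normalising the name to "Azure SQL Database"; align it here too.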
Expand Down Expand Up @@ -202,21 +184,12 @@
{
"category": "Identity",
"subcategory": "Azure Active Directory",
"text": "Create a separate Azure AD group with two admin accounts for each SQLDB instance",
"description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each server or managed instance. Monitor Azure AD group membership changes using Azure AD audit activity reports.",
"text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server",
"description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each logical server. Monitor Azure AD group membership changes using Azure AD audit activity reports.",
"guid": "29820254-1d14-4778-ae90-ff4aeba504a3",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities"
},
{
"category": "Identity",
"subcategory": "Azure Active Directory",
"text": "Enable Multi-Factor Authentication (MFA) in Azure AD using Conditional Access (CA) for interactive authentication",
"description": "Azure AD Multi-Factor Authentication (MFA) helps provides additional security by requiring more than one form of authentication. Use Azure AD Interactive authentication mode for Azure SQL Database and Azure SQL Managed Instance where a password is requested interactively, followed by Multi-Factor Authentication.",
"guid": "4bcb1d1c-7a32-455a-8456-ef22a0372240",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-mfa-ssms-overview"
},
{
"category": "Identity",
"subcategory": "Passwords",
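Review bot: The Multi-Factor Authentication / Conditional Access item is removed here with no explanation; it is the only entry in the visible Identity category that requires MFA for interactive authentication, and the commit message gives no reason. If it was merged into another item or checklist, reference that in the PR; otherwise it should stay. The narrowing of the Azure AD admin group item from "server or managed instance" to "logical server" is consistent with this file being the SQL Database checklist. Minor: the description keeps the stray comma in "both the group owner, and the resource owner".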
Expand Down Expand Up @@ -244,15 +217,6 @@
"severity": "Low",
"link": "https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview"
},
{
"category": "Privileged Access",
"subcategory": "Privileged Access",
"text": "Protect and limit highly privileged users that have access to Azure SQL Database using Privileged Identity Management (PIM) and Just-in-time (JIT) access",
"description": "You should limit the number of highly privileged accounts or roles and protect these accounts at an elevated level. Users with this privilege can directly or indirectly read and modify every resource in your Azure environment. You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD PIM. JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.",
"guid": "c496b249-94d4-4c04-acd0-92c1da7be81f",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/sql-database-security-baseline#pa-1-protect-and-limit-highly-privileged-users"
},
{
"category": "Privileged Access",
"subcategory": "Permissions",
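Review bot: The PIM / just-in-time access item (security baseline PA-1) is deleted without rationale. Limiting and time-boxing highly privileged access is a core Privileged Access control and is not covered by the remaining "Permissions" item, which is about least privilege inside the database. Please state in the PR why it is dropped or keep it.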
Expand All @@ -262,24 +226,6 @@
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege"
},
{
"category": "Privileged Access",
"subcategory": "Azure Active Directory",
"text": "Review and reconcile Azure SQL Database user access regularly using Azure AD access review and reports",
"description": "Azure SQL uses Azure Active Directory (Azure AD) accounts to manage its resources, review user accounts, and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD and access reviews to review group memberships, access to enterprise applications, and role assignments.",
"guid": "552416b1-e9d8-4acf-83ed-d167bb9b3744",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/sql-database-security-baseline#pa-3-review-and-reconcile-user-access-regularly"
},
{
"category": "Privileged Access",
"subcategory": "Privileged Access",
"text": "Use privileged access workstations for administrator access",
"description": "Ensure that only highly secure privileged access workstations or Azure Bastion are used, and/or that devices are verified secure before connecting using a product like Intune.",
"guid": "a0af61fa-e714-4993-8f64-e1ae3bdb98a8",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/sql-database-security-baseline#pa-6-use-privileged-access-workstations"
},
{
"category": "Privileged Access",
"subcategory": "Lockbox",
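Review bot: This hunk removes the periodic access review item (PA-3) and the privileged access workstation item (PA-6). Together with PA-1 in the previous hunk, the Privileged Access category loses three security-baseline controls in one change, leaving only least privilege and Lockbox. If the intent is to keep only SQL-specific items and defer Azure-wide identity controls to another checklist, say so in the PR description so reviewers can verify nothing is lost.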
Expand Down Expand Up @@ -361,6 +307,15 @@
"severity": "Low",
"link": "https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-overview"
},
{
"category": "Logging",
"subcategory": "Auditing",
"text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs",
"description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).",
"guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log"
},
{
"category": "Logging",
"subcategory": "SIEM/SOAR",
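Review bot: This is the Activity Log item (guid fcd34708-...) moved from the SIEM/SOAR section below into Auditing, which is the right home for it. The link, however, points to the Activity Log overview page, while the description prescribes routing the activity log to the same storage account, Log Analytics workspace or Event Hub as the audit log; consider linking to the page that describes configuring that routing instead.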
Expand All @@ -372,18 +327,18 @@
},
{
"category": "Logging",
"subcategory": "Auditing",
"text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs",
"description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).",
"guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a",
"subcategory": "SIEM/SOAR",
"text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR",
"description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.",
"guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log"
},
{
"category": "Logging",
"subcategory": "SIEM/SOAR",
"text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR",
"description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.",
"text": "Ensure that you have response plans for malicious or aberrant audit logging events",
"description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.",
"guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log"
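Review bot: Duplicate GUID. After this hunk the SIEM/SOAR item gets "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f" on the added line, and the new "response plans" item below it inherits the very same GUID from the unchanged context line. The new item needs its own GUID. Its link is also the Azure Monitor activity-log overview, which has nothing to do with SOC playbooks; replace it with a page on incident response for audit log anomalies. Minor wording on the added text line: "presented in to your SIEM/SOAR" should be "forwarded to your SIEM/SOAR", matching the description.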
Expand All @@ -392,7 +347,7 @@
"category": "Networking",
"subcategory": "Connectivity",
"text": "Review Public vs. Private Access connectivity methods and select the appropriate one for the workload",
"description": "When you create a logical server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it.",
"description": "When you create a logical server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. Usage of Private Endpoints has performance implications that need to be considered and assessed.",
"guid": "2c6d356a-1784-475b-a42c-ec187dc8c925",
"severity": "High",
"link": "https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview"
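Review bot: The appended sentence "Usage of Private Endpoints has performance implications that need to be considered and assessed" is too vague to act on and partly undercuts the preceding "should be the default" guidance. Either name the implication (what changes and under which workloads) or drop the sentence; the earlier "unless a business case or performance/technical reason applies" already leaves room for exceptions.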
Expand Down Expand Up @@ -454,7 +409,7 @@
{
"category": "Networking",
"subcategory": "Public Access",
"text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules whenever possible",
"text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules",
"description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.",
"guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768",
"severity": "Low",
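Review bot: The text loses "whenever possible" but the unchanged description still says "We recommend that you use database-level IP firewall rules whenever possible" and then lists the cases where server-level rules are appropriate (administrators, many databases with identical access requirements). The title now reads as absolute while the description is conditional; keep the qualifier in the title or rephrase to "prefer database-level over server-level IP rules".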
Expand All @@ -466,14 +421,14 @@
"text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall",
"description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only. If not strictly required, keep this setting to OFF.",
"guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082",
"severity": "Medium",
"severity": "High",
"link": "https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview"
},
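Review bot: Severity for the "Allow Azure Services and Resources to Access this Server" item goes from Medium to High. The bump is justified by the description (it admits connections from other customers' subscriptions), but severity changes affect checklist scoring and are not mentioned in the commit message "Second version of the checklist"; call them out in the PR description.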
{
"category": "Networking",
"subcategory": "Outbound Control",
"text": "Deny all permissions for outbound REST API calls to external endpoints",
"description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. If not strictly required, it is recommended to deny explicitly the permissions necessary to use this feature.",
"text": "Block or restrict outbound REST API calls to external endpoints",
"description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.",
"guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e",
"severity": "Medium",
"link": "https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql"
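Review bot: The new description says to "block or restrict this feature using Outbound Firewall Rules", but the unchanged link still points to the sp_invoke_external_rest_endpoint reference, which documents the procedure, not the outbound firewall rules; update the link to the outbound firewall rule documentation. The rewrite also drops the previous guidance to explicitly deny the permissions needed to call external endpoints; the two controls complement each other (permission denial inside the database, outbound firewall rules at the server), so keep both in the description. Minor: "This means that integration of Azure SQL Database with Azure Functions ... API Management and in general any REST or even GraphQL endpoint." is a sentence fragment in the retained description.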

0 comments on commit deba8e8
