Description:
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.
Rationale:
VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.
Impact:
Enabling the Azure Defender for SQL feature will incur additional costs for each SQL server.
Default Value:
Enabling Azure Defender for SQL enables 'Periodic recurring scans' by default but does not configure the Storage account.
Audit:
From Azure Console
Go to SQL servers
Select a server instance
Click on Security Center
Ensure that Azure Defender for SQL is set to Enabled
In Section Vulnerability Assessment Settings, Ensure Storage Accounts is configured.
In Section Vulnerability Assessment Settings, Ensure Periodic recurring scans is set to On
Using Azure PowerShell
Get the list of all SQL Servers
1Get-AZSqlServer
For each Server
1Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName <resource group name> -ServerName <server name>
Remediation:
From Azure Console
Go to SQL servers
For each server instance
Click on Security Center
In Section Vulnerability Assessment Settings, set Storage Account if not already
Toggle 'Periodic recurring scans' to ON
Click Save
Using Azure PowerShell
If not already, Enable Advanced Data Security for a SQL Server:
1Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> 2-ServerName <server name> -EmailAdmins $True
To enable ADS-VA service with 'Periodic recurring scans'
1Update-AzSqlServerVulnerabilityAssessmentSetting ` 2-ResourceGroupName "<resource group name>"` 3-ServerName "<Server Name>"` 4-StorageAccountName "<Storage Name from same subscription and same Location" ` 5-ScanResultsContainerName "vulnerability-assessment" ` 6-RecurringScansInterval Weekly ` 7-EmailSubscriptionAdmins $true ` 8-NotificationEmail @("[email protected]" , "[email protected]")
Backout Plan:
Go to SQL servers
Select a server instance
Click on Security Center
Ensure that Azure Defender for SQL is set to Enabled
In Section Vulnerability Assessment Settings, Ensure Storage Accounts is not configured