lacework-global-624
4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server (Automated)
Profile Applicability
• Level 2
Description
Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.
Rationale
VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.
Impact
Enabling the Azure Defender for SQL feature will incur additional costs for each SQL server.
Audit
From Azure Portal
- Go to
SQL servers - Select a server instance
- Click on
Security Center - Ensure that
Microsoft Defender for SQLis set toEnabled - In Section
Vulnerability Assessment Settings, EnsureStorage Accountsis configured. - In Section
Vulnerability Assessment Settings, EnsurePeriodic recurring scansis set to On.
From Azure Powershell
Get the list of all SQL Servers
Get-AZSqlServer
For each Server
Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName <resource group name> -ServerName <server name>
Ensure that value for parameter RecurringScansInterval is not set to None.
Sample Output:
ResourceGroupName : ResourceGroup01
ServerName : Server01
StorageAccountName : mystorage
ScanResultsContainerName : vulnerability-assessment
RecurringScansInterval : weekly
EmailSubscriptionAdmins : False
NotificationEmail : {}
Remediation
From Azure Portal
- Go to
SQL servers - For each server instance
- Click on
Security Center - In Section
Vulnerability Assessment Settings, setStorage Accountif not already - Toggle 'Periodic recurring scans' to ON.
- Click
Save
From Azure Powershell
If not already, Enable Advanced Data Security for a SQL Server:
Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
To enable ADS-VA service with 'Periodic recurring scans'
Update-AzSqlServerVulnerabilityAssessmentSetting `
-ResourceGroupName "<resource group name>"`
-ServerName "<Server Name>"`
-StorageAccountName "<Storage Name from same subscription and same Location" `
-ScanResultsContainerName "vulnerability-assessment" `
-RecurringScansInterval Weekly `
-EmailSubscriptionAdmins $true `
-NotificationEmail @("mail1@mail.com" , "mail2@mail.com")
References
https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment
https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver
https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments