SQL vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security.
Vulnerability assessment is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed via the central Microsoft Defender for SQL portal.
What is SQL vulnerability assessment?
SQL vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. It can help you monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.
Vulnerability assessment is a scanning service built into Azure SQL Database. The service employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.
The results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. You can customize an assessment report for your environment by setting an acceptable baseline for:
Permission configurations
Feature configurations
Database settings
Rule categories
SQL Vulnerability Assessment rules have five categories, which are in the following sections:
Prerequisites
The SQL Vulnerability Assessment service needs permission from the storage account to save baseline and scan results. There are three methods:
Use Storage Account key: Azure creates the SAS key and saves it (though we don't save the account key).
Use Storage SAS key: The SAS key must have Write | List | Read | Delete permissions.
Use SQL server-managed identity: The SQL Server must have a managed identity. The storage account must have a role assignment for the SQL Managed Identity as Storage Blob Data Contributor. When you apply the settings, the VA fields storageContainerSasKey and storageAccountAccessKey must be empty. When storage is behind a firewall or virtual network, then the SQL-managed identity is required.
When you use the Azure portal to save SQL VA settings, Azure checks if you have permission to assign a new role assignment for the managed identity as Storage Blob Data Contributor on the storage. If permissions are assigned, Azure uses the SQL Server managed identity; otherwise, Azure uses the key method.
Storage account requirements
The storage account in which vulnerability assessment scan results are saved must meet the following requirements:
Type: StorageV2 (General Purpose V2) or Storage (General Purpose V1)
Performance: Standard (only)
Region: The storage must be in the same region as the Azure SQL Server instance.
If any of these requirements aren't met, saving changes to vulnerability assessment settings fails.
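A preflight check for the prerequisites and storage account requirements above, as an added example that is not Microsoft's code. It assumes the storage account is described by a dict shaped like `az storage account show` output, that a `networkRuleSet.defaultAction` of `Deny` means the account is behind a firewall or virtual network, and the method labels are names chosen here.

```python
from urllib.parse import parse_qs

ALLOWED_KINDS = {"StorageV2", "Storage"}  # General Purpose V2 / V1
REQUIRED_SAS_PERMS = set("wlrd")          # Write | List | Read | Delete

def _norm(region):
    # "East US" and "eastus" name the same region
    return (region or "").replace(" ", "").lower()

def preflight(storage, sql_location, method, sas_token="", account_key=""):
    """Return a list of problems; an empty list means no requirement is violated.

    storage: dict shaped like `az storage account show` output (assumed shape)
    method:  "account_key", "sas" or "managed_identity" (labels chosen here)
    """
    problems = []
    if storage.get("kind") not in ALLOWED_KINDS:
        problems.append("type must be StorageV2 or Storage")
    if (storage.get("sku") or {}).get("tier") != "Standard":
        problems.append("performance must be Standard")
    if _norm(storage.get("location")) != _norm(sql_location):
        problems.append("storage must be in the same region as the SQL server")

    # Assumption: defaultAction == "Deny" means firewall / virtual network rules apply
    firewalled = (storage.get("networkRuleSet") or {}).get("defaultAction") == "Deny"
    if firewalled and method != "managed_identity":
        problems.append("firewalled storage requires the SQL managed identity")

    if method == "managed_identity" and (sas_token or account_key):
        problems.append("SAS key and account access key must be empty")
    if method == "sas":
        # The sp= field of a SAS token lists its granted permissions
        granted = set(parse_qs(sas_token.lstrip("?")).get("sp", [""])[0])
        missing = REQUIRED_SAS_PERMS - granted
        if missing:
            problems.append("SAS key is missing permissions: " + "".join(sorted(missing)))
    return problems

# Constructed sample inputs, not real resources
SAMPLE_OK = {"kind": "StorageV2", "sku": {"tier": "Standard"},
             "location": "eastus", "networkRuleSet": {"defaultAction": "Deny"}}
SAMPLE_BAD = {"kind": "BlockBlobStorage", "sku": {"tier": "Premium"},
              "location": "westeurope", "networkRuleSet": {"defaultAction": "Deny"}}
SAMPLE_SAS = "sv=2022-11-02&sr=c&sp=rl&sig=CONSTRUCTED"  # read and list only

if __name__ == "__main__":
    print(preflight(SAMPLE_OK, "East US", "managed_identity"))
    print(preflight(SAMPLE_BAD, "East US", "sas", sas_token=SAMPLE_SAS))
```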
Permissions
The following permissions are required to save changes to vulnerability assessment settings:
SQL Security Manager
Storage Blob Data Reader
Owner role on the storage account
Setting a new role assignment requires owner or user administrator access to the storage account and the following permissions:
Storage Blob Data Owner