SQL best practices

Best practice rules for Sql

Trend Micro Cloud One™ – Conformity monitors Sql with the following rules:

• Advanced Data Security for SQL Servers

  Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.

• Check for Publicly Accessible SQL Servers

  Ensure that Azure SQL database servers are accessible via private endpoints only.

• Check for Sufficient Point in Time Restore (PITR) Backup Retention Period

  Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.

• Check for Unrestricted SQL Database Access

  Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).

• Configure "AuditActionGroup" for SQL Server Auditing

  Ensure that "AuditActionGroup" property is well configured at the Azure SQL database server level.

• Detect Create, Update, and Delete SQL Server Firewall Rule Events

  SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account.

• Enable All Types of Threat Detection on SQL Servers

  Enable all types of threat detection for your Microsoft Azure SQL database servers.

• Enable Auditing for SQL Servers

  Ensure that database auditing is enabled at the Azure SQL database server level.

• Enable Auto-Failover Groups

  Ensure that your Azure SQL database servers are configured to use auto-failover groups.

• Enable Automatic Tuning for SQL Database Servers

  Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.

• Enable Email Alerts for Administrators and Subscription Owners

  Enable administrators and subscription owners to receive threat detection email notification alerts for SQL servers.

• Enable Email Alerts for SQL Threat Detection Service

  Enable threat detection email notification alerts for your Microsoft Azure SQL servers.

• Enable Transparent Data Encryption for SQL Databases

  Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.

• Enable Vulnerability Assessment for Microsoft SQL Servers

  Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers.

• SQL Auditing Retention

  Ensure that SQL database auditing has a sufficient log data retention period configured.

• Use Azure Active Directory Admin for SQL Authentication

  Ensure that an Azure Active Directory (AAD) admin is configured for SQL authentication.

• Use BYOK for Transparent Data Encryption

  Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).