SQL best practices

Best practice rules for Sql

• Check for Publicly Accessible SQL Servers

  Ensure that Azure SQL database servers are accessible via private endpoints only.

• Check for Sufficient Point in Time Restore (PITR) Backup Retention Period

  Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.

• Check for Unrestricted SQL Database Access

  Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).

• Configure "AuditActionGroup" for SQL Server Auditing

  Ensure that "AuditActionGroup" property is well configured at the Azure SQL database server level.

• Configure Emails for Classic Vulnerability Assessment Scan Reports and Alerts

  Configure Vulnerability Assessment scan reports and alerts via email for SQL database servers with classic configuration.

• Detect Create, Update, and Delete SQL Server Firewall Rule Events

  SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account.

• Enable Advanced Data Security for SQL Servers

  Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.

• Enable All Types of Threat Detection on SQL Servers

  Enable all types of threat detection for your Microsoft Azure SQL database servers.

• Enable Auditing for SQL Servers

  Ensure that database auditing is enabled at the Azure SQL database server level.

• Enable Auto-Failover Groups

  Ensure that your Azure SQL database servers are configured to use auto-failover groups.

• Enable Automatic Tuning for SQL Database Servers

  Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.

• Enable Classic Vulnerability Assessment Email Notifications for Admins and Subscription Owners

  Configure Vulnerability Assessment to send email notifications to admins and subscription owners using the classic configuration (Not Scored).

• Enable Transparent Data Encryption for SQL Databases

  Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.

• Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys

  Ensure that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs).

• Enable Vulnerability Assessment Periodic Recurring Scans

  Ensure that Vulnerability Assessment Periodic Recurring Scans are enabled for SQL database servers (Not Scored).

• Enable Vulnerability Assessment for Microsoft SQL Servers

  Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers (Not Scored).

• Minimum TLS Version

  Ensure that "Minimum TLS version" is set to "TLS 1.2" for all Azure SQL managed instances.

• SQL Auditing Retention

  Ensure that SQL database auditing has a sufficient log data retention period configured.

• Use BYOK for Transparent Data Encryption

  Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).

• Use Microsoft Entra Admin for SQL Authentication

  Ensure that an Microsoft Entra admin is configured for SQL authentication.