Minimum TLS Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure SQL managed instances are using the latest supported version of the TLS protocol (i.e. TLS 1.2) for inbound connections in order to enhance security by providing stronger encryption, protecting data integrity, reducing vulnerabilities to cyber attacks, and maintaining compatibility with modern browsers.

Security

The Transport Layer Security (TLS) protocol addresses network security problems such as tampering and eavesdropping between a client and a server. Weak and deprecated TLS versions (TLS 1.0 and 1.1) carry known protocol weaknesses and widen the opportunity for Man-in-the-Middle (MITM) and downgrade attacks against connections to your databases. Therefore, it is strongly recommended to enforce the latest TLS version supported by Microsoft Azure SQL as the minimum for inbound connections.

Audit

To determine the TLS version configured for your Microsoft Azure SQL managed instances, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select SQL managed instance, and choose Apply to list only the Microsoft Azure SQL managed instances available in the selected subscription.

05 Click on the name (link) of the Azure SQL managed instance that you want to examine.

06 In the resource navigation panel, under Security, choose Networking to access the networking configuration settings available for the selected SQL instance.

07 On the Networking page, check the Minimum TLS version setting, to determine the TLS version configured for the selected resource. If Minimum TLS version is not set to 1.2, the selected Microsoft Azure SQL managed instance does not use the latest supported version of the TLS protocol (i.e. TLS 1.2).

08 Repeat steps no. 5 – 7 for each managed SQL instance deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the sql mi list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure SQL managed instance available in the current Azure subscription:

az sql mi list \
  --query '[*].id'

02 The command output should return the requested SQL instance IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/managedInstances/cc-prod-managed-instance",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/managedInstances/cc-project5-sql-managed"
]

03 Run the sql mi show command (Windows/macOS/Linux) with the ID of the managed SQL instance that you want to examine as the identifier parameter and custom output filters to describe the Transport Layer Security (TLS) protocol version configured for the selected SQL instance:

az sql mi show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/managedInstances/cc-prod-managed-instance" \
  --query 'minimalTlsVersion'

04 The command output should return the TLS version configured for the selected SQL instance:

"1.0"

If the TLS version returned by the sql mi show command output is different from "1.2", as shown in the output example above, the selected Microsoft Azure SQL managed instance does not use the latest supported version of the TLS protocol (i.e. TLS 1.2).

05 Repeat steps no. 3 and 4 for each managed SQL instance provisioned in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Microsoft Azure SQL managed instances are using the latest supported version of the TLS protocol, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select SQL managed instance, and choose Apply to list only the Microsoft Azure SQL managed instances available in the selected subscription.

05 Click on the name (link) of the Azure SQL managed instance that you want to configure.

06 In the resource navigation panel, under Security, choose Networking to access the networking settings available for the selected SQL instance.

07 On the Networking configuration page, set the Minimum TLS version setting to 1.2, to enforce TLS 1.2 for all inbound connections to the selected Microsoft Azure SQL managed instance. Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each managed SQL instance that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the sql mi update command (Windows/macOS/Linux) with the ID of the Azure SQL managed instance that you want to configure as the identifier parameter, to raise the minimum TLS protocol version accepted by the selected instance to TLS 1.2:

az sql mi update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/managedInstances/cc-prod-managed-instance" \
  --set minimalTlsVersion="1.2"

02 The command output should return the configuration information available for the modified instance:

{
	"administrators": {
		"administratorType": "ActiveDirectory",
		"azureAdOnlyAuthentication": true,
		"login": "AAD App Management",
		"principalType": "Application",
		"sid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},
	"authenticationMetadata": "AzureAD",
	"collation": "SQL_Latin1_General_CP1_CI_AS",
	"createTime": "2024-08-05T10:27:38.453000+00:00",
	"currentBackupStorageRedundancy": "Geo",
	"databaseFormat": "SQLServer2022",
	"dnsZonePartner": null,
	"externalGovernanceStatus": "Disabled",
	"hybridSecondaryUsage": "Active",
	"hybridSecondaryUsageDetected": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/managedInstances/cc-prod-managed-instance",
	"identity": {
		"principalId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"type": "SystemAssigned",
		"userAssignedIdentities": null
	},
	"instancePoolId": null,
	"isGeneralPurposeV2": false,
	"keyId": null,
	"licenseType": "LicenseIncluded",
	"location": "westeurope",
	"maintenanceConfigurationId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_Default",
	"managedInstanceCreateMode": null,
	"minimalTlsVersion": "1.2",
	"name": "cc-prod-managed-instance",
	"pricingModel": "Freemium",
	"primaryUserAssignedIdentityId": null,
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"proxyOverride": "Proxy",
	"publicDataEndpointEnabled": true,
	"requestedBackupStorageRedundancy": "Geo",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"restorePointInTime": null,
	"servicePrincipal": null,
	"sku": {
		"capacity": 4,
		"family": "Gen5",
		"name": "GP_Gen5",
		"size": null,
		"tier": "GeneralPurpose"
	},
	"sourceManagedInstanceId": null,
	"state": "Ready",
	"storageIOps": null,
	"storageSizeInGb": 64,
	"storageThroughputMBps": null,
	"subnetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/vnet-cc-prod-managed-instance/subnets/ManagedInstance",
	"tags": {},
	"timezoneId": "UTC",
	"type": "Microsoft.Sql/managedInstances",
	"vCores": 4,
	"virtualClusterId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/virtualClusters/VirtualCluster04f2bd4d-27b4-49bf-a1d4-5131a4f7bdfc",
	"zoneRedundant": false
}

03 Repeat steps no. 1 and 2 for each managed SQL instance that you want to configure, provisioned in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
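The Azure CLI audit (steps 1 to 4 above) and remediation (step 1 above) are manual per-instance operations. The script below is an added example, not part of this Conformity rule or of the Azure CLI itself, that turns them into a repeatable check: it reads one "<instance id><TAB><minimalTlsVersion>" line per managed instance, reports every instance whose minimum TLS version is not 1.2, and prints the exact az sql mi update command that would fix each one. The assumed live query that produces that TSV input is az sql mi list --query "[].[id, minimalTlsVersion]" -o tsv; the functions work on the text only, so the block runs here on constructed sample data (placeholder subscription and instance names) without an Azure login.

```shell
#!/bin/sh
# Added example (not Conformity's or Azure's own code): audit the Minimum TLS
# version of Azure SQL managed instances from TSV text and produce a
# remediation plan. Assumed live input:
#   az sql mi list --query "[].[id, minimalTlsVersion]" -o tsv

REQUIRED_TLS="1.2"

# Placeholder resource-ID prefix used only by the constructed sample below.
SUB_PREFIX="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Sql/managedInstances"

# flag_weak_tls: stdin = "<id><TAB><version>" lines; stdout = the same pair for
# every non-compliant instance. Anything other than "1.2" is flagged, including
# an empty field (property absent or null in the API response), because in that
# case TLS 1.2 is not explicitly enforced as the minimum.
flag_weak_tls() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r id version; do
        [ -z "$id" ] && continue
        if [ "$version" != "$REQUIRED_TLS" ]; then
            printf '%s\t%s\n' "$id" "${version:-<not set>}"
        fi
    done
}

# remediation_plan: stdin = output of flag_weak_tls; stdout = one
# "az sql mi update" command per flagged instance, printed rather than executed
# so the plan can be reviewed (and change-managed) before it is applied.
remediation_plan() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r id _; do
        [ -z "$id" ] && continue
        printf 'az sql mi update --ids "%s" --set minimalTlsVersion="%s"\n' \
            "$id" "$REQUIRED_TLS"
    done
}

# sample_tsv: constructed sample standing in for the live az query. Three
# instances: one still on TLS 1.0, one compliant, one with the property unset.
sample_tsv() {
    printf '%s\t%s\n' \
        "$SUB_PREFIX/mi-legacy"   "1.0" \
        "$SUB_PREFIX/mi-hardened" "1.2" \
        "$SUB_PREFIX/mi-unset"    ""
}

# audit_sample: run the check over the sample. For a real subscription, replace
# sample_tsv with: az sql mi list --query "[].[id, minimalTlsVersion]" -o tsv
audit_sample() {
    sample_tsv | flag_weak_tls
}

# Stand-alone run: list the non-compliant instances, then the commands to fix them.
echo "Non-compliant managed instances:"
audit_sample
echo
echo "Remediation plan:"
audit_sample | remediation_plan
```

Run the script once per subscription (after az account set --subscription <id>), review the printed plan, and execute the update commands only after confirming that every client of the flagged instances already negotiates TLS 1.2; raising the minimum version rejects older clients at the handshake.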

Publication date Aug 27, 2024