
Enable Vulnerability Assessment Periodic Recurring Scans


Risk Level: Medium (should be achieved)
Rule ID: Sql-018

Enable Vulnerability Assessment Periodic Recurring Scans setting for critical Microsoft SQL servers and corresponding SQL databases. Once the security setting is enabled, scans will be performed automatically once a week. A scan result summary will be sent to the email address(es) that you provide.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The Periodic Recurring Scans setting schedules periodic (weekly) vulnerability scanning for Microsoft SQL servers and their corresponding databases. Regular scanning gives you continuous risk visibility, because each scan runs against the current list of known vulnerability signatures and best-practice checks rather than a one-off snapshot.


Audit

To determine if the Periodic Recurring Scans setting is enabled for your Microsoft SQL servers, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Azure cloud resources.

03 From the Type filter box, select SQL server to list only the SQL database servers provisioned in your Azure account.

04 Click on the name (link) of the SQL server that you want to examine.

05 In the blade navigation panel, under Security, select Microsoft Defender for Cloud.

06 On the Microsoft Defender for Cloud page, make sure that Microsoft Defender for SQL is enabled at the server level, then choose (Configure) next to Microsoft Defender for SQL. It is recommended to enable Microsoft Defender for SQL at the subscription level, but it can also be enabled for an individual server.

07 On the Server settings configuration page, under VULNERABILITY ASSESSMENT SETTINGS, check the Periodic recurring scans configuration setting. If Periodic recurring scans is set to OFF, the Vulnerability Assessment Periodic Recurring Scans security setting is not enabled for the selected Microsoft SQL database server.

08 Repeat steps no. 4 – 7 for each SQL database server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Azure cloud account.

Using Azure PowerShell

01 Run the Get-AzSqlServer cmdlet with custom query filters to list the name of each SQL database server and the name of its associated resource group, available within the current Azure subscription:

Get-AzSqlServer | Select-Object ServerName,ResourceGroupName

02 The command output should return the requested SQL database server information:

ServerName             ResourceGroupName
----------             -----------------
cc-prod-db-server      cloud-shell-storage-westeurope
cc-web-sql-server      cloud-shell-storage-westeurope

03 Run the Get-AzSqlServerVulnerabilityAssessmentSetting cmdlet with the name of the SQL database server that you want to examine and the name of its resource group as the identifier parameters, plus custom query filters, to determine whether the Periodic Recurring Scans security setting is enabled for the Vulnerability Assessment (VA) feature:

Get-AzSqlServerVulnerabilityAssessmentSetting `
    -ServerName "cc-prod-db-server" `
    -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object RecurringScansInterval,StorageAccountName

04 The command output should return the requested configuration information:

RecurringScansInterval StorageAccountName
---------------------- ------------------
                  None          myStorage

If the Get-AzSqlServerVulnerabilityAssessmentSetting cmdlet output returns None for the RecurringScansInterval attribute, as shown in the output example above, the Vulnerability Assessment Periodic Recurring Scans setting is not enabled for the selected Microsoft SQL database server. If the cmdlet does not return a storage account name, there is no target storage account in which the vulnerability assessment results can be stored, so scans cannot be scheduled until one is configured.

05 Repeat steps no. 3 and 4 for each SQL database server available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Azure cloud account.
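The PowerShell audit steps above check one server at a time. The following script, added here as an example and not part of the Conformity page or its tooling, walks every subscription visible to the signed-in identity and applies both checks from step 04 (interval is Weekly, and a storage account is set) to every SQL server. It assumes the Az.Accounts and Az.Sql modules are installed and that Connect-AzAccount has already been run; the output file name sql-va-audit.csv is an arbitrary choice.

```powershell
# Added example (not Conformity's own code): enumerate every Azure SQL server
# in every subscription and flag those without weekly VA recurring scans.
# Assumes: Az.Accounts + Az.Sql modules installed, Connect-AzAccount already run.

$findings = @()

foreach ($sub in Get-AzSubscription) {
    # Point the current Az context at the subscription being audited
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($server in Get-AzSqlServer) {
        try {
            $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
                    -ServerName $server.ServerName `
                    -ResourceGroupName $server.ResourceGroupName

            $interval   = [string]$va.RecurringScansInterval   # 'None' or 'Weekly'
            $storage    = $va.StorageAccountName
            $hasStorage = -not [string]::IsNullOrEmpty($storage)

            # Same two conditions as the manual audit step: Weekly interval and
            # a target storage account for the scan results
            $compliant = ($interval -eq 'Weekly') -and $hasStorage
            $note      = ''
        }
        catch {
            # Typically means Defender for SQL / VA is not configured on the server
            $interval = 'n/a'; $storage = ''; $compliant = $false
            $note     = $_.Exception.Message
        }

        $findings += [pscustomobject]@{
            Subscription   = $sub.Name
            ServerName     = $server.ServerName
            ResourceGroup  = $server.ResourceGroupName
            Interval       = $interval
            StorageAccount = $storage
            Compliant      = $compliant
            Note           = $note
        }
    }
}

# Non-compliant servers sort first so they are visible at the top of a long list
$findings | Sort-Object Compliant, Subscription, ServerName | Format-Table -AutoSize

# Keep a record of the failing servers for remediation tracking (file name is arbitrary)
$findings | Where-Object { -not $_.Compliant } |
    Export-Csv -Path .\sql-va-audit.csv -NoTypeInformation
```

Run this with a read-only role (Reader plus SQL security read permissions) so that the audit identity cannot change the settings it is checking; the remediation section below needs a separate, write-capable identity.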

Remediation / Resolution

To enable and configure Vulnerability Assessment Periodic Recurring Scans for your Microsoft SQL database servers, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Azure cloud resources.

03 From the Type filter box, select SQL server to list only the SQL database servers provisioned in the selected Azure subscription.

04 Click on the name of the SQL server that you want to reconfigure.

05 In the blade navigation panel, under Security, select Microsoft Defender for Cloud.

06 On the Microsoft Defender for Cloud page, make sure that Microsoft Defender for SQL is enabled at the server level, then choose (Configure) next to Microsoft Defender for SQL. It is recommended to enable Microsoft Defender for SQL at the subscription level, but it can also be enabled for an individual server.

07 On the Server settings configuration page, under VULNERABILITY ASSESSMENT SETTINGS, perform the following operations:

  1. Ensure that a storage account is configured to hold the scan results.
  2. Select ON under Periodic recurring scans to enable the Periodic Recurring Scans security setting for the Vulnerability Assessment (VA) feature.
  3. Choose Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each SQL database server provisioned in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Azure cloud account.

Using Azure PowerShell

01 Run the Update-AzSqlServerVulnerabilityAssessmentSetting cmdlet with the name of the SQL server that you want to reconfigure and the name of its resource group as the identifier parameters to enable the Vulnerability Assessment Periodic Recurring Scans setting for the selected Microsoft SQL database server. Once the setting is enabled, scans are triggered automatically once a week. Replace the highlighted placeholder, <storage-account-name>, with the name of the storage account that will hold the scan results:

Update-AzSqlServerVulnerabilityAssessmentSetting `
    -ServerName "cc-prod-db-server" `
    -ResourceGroupName "cloud-shell-storage-westeurope" `
    -StorageAccountName "<storage-account-name>" `
    -RecurringScansInterval Weekly

02 The command output should return the new Vulnerability Assessment (VA) settings:

ServerName                : cc-prod-db-server
ResourceGroupName         : cloud-shell-storage-westeurope
StorageAccountName        : <storage-account-name>
ScanResultsContainerName  : vulnerability-assessment
RecurringScansInterval    : Weekly
EmailAdmins               : True
NotificationEmail         :

03 Repeat steps no. 1 and 2 for each SQL database server provisioned within the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription in your Azure cloud account.
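The remediation steps above are written for one server at a time. The script below, added here as an example and not part of the Conformity page or its tooling, applies step 01 to every SQL server in the current subscription that the audit check would flag, and also sets the notification fields that appear in the step 02 output (EmailAdmins, NotificationEmail). It assumes Az.Sql is installed, Connect-AzAccount has been run with a write-capable identity, and that the two placeholder values at the top are replaced with your own storage account name and recipient address.

```powershell
# Added example (not Conformity's own code): enable weekly VA recurring scans on
# every SQL server in the current subscription that does not already have them.
# Assumes: Az.Sql installed, Connect-AzAccount already run.

$StorageAccountName = '<storage-account-name>'        # placeholder: storage account for scan results
$NotificationEmail  = @('<security-team@example.com>') # placeholder: recipients of the weekly summary

# Pass -WhatIf on the command line to preview changes without applying them
$DryRun = $args -contains '-WhatIf'

foreach ($server in Get-AzSqlServer) {
    $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
            -ServerName $server.ServerName `
            -ResourceGroupName $server.ResourceGroupName

    $alreadyWeekly = ([string]$va.RecurringScansInterval -eq 'Weekly') -and
                     -not [string]::IsNullOrEmpty($va.StorageAccountName)

    if ($alreadyWeekly) {
        Write-Host "OK     $($server.ServerName): weekly scans already enabled"
        continue
    }

    # Keep an existing storage account if one is set; otherwise use the placeholder value
    $targetStorage = if ($va.StorageAccountName) { $va.StorageAccountName } else { $StorageAccountName }

    Write-Host "FIXING $($server.ServerName): interval=$($va.RecurringScansInterval), storage=$targetStorage"

    # Update-AzSqlServerVulnerabilityAssessmentSetting supports -WhatIf natively;
    # splatting lets the dry-run switch be added conditionally
    $params = @{
        ServerName             = $server.ServerName
        ResourceGroupName      = $server.ResourceGroupName
        StorageAccountName     = $targetStorage
        RecurringScansInterval = 'Weekly'
        EmailAdmins            = $true
        NotificationEmail      = $NotificationEmail
    }
    if ($DryRun) { $params['WhatIf'] = $true }

    Update-AzSqlServerVulnerabilityAssessmentSetting @params |
        Select-Object ServerName, RecurringScansInterval, StorageAccountName, EmailAdmins, NotificationEmail
}
```

Run it once with -WhatIf to review which servers will change, then rerun without it; the per-server output mirrors the fields shown in step 02, so the same audit script can be re-run afterwards to confirm that every server now reports Weekly.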


Publication date Oct 23, 2021
