
Enable Vulnerability Assessment for Microsoft SQL Servers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Sql-017

Enable the Vulnerability Assessment (VA) feature for Microsoft Azure SQL servers by configuring a storage account. Turning on Microsoft Defender for SQL does not enable Vulnerability Assessment for individual SQL databases unless a storage account is configured to store VA scan data and reports.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Once enabled, the Vulnerability Assessment (VA) feature scans SQL databases for known security vulnerabilities and highlights deviations from industry best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data such as Personally Identifiable Information (PII). The results of the VA scans include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database configuration settings.


Audit

To determine if Vulnerability Assessment (VA) is enabled for your Azure SQL database servers, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to examine.

04 From the Type equals filter box, select SQL server and choose Apply to list only the SQL servers available in your Azure account.

05 Click on the name (link) of the SQL database server that you want to examine.

06 In the resource navigation panel, under Security, select Microsoft Defender for Cloud.

07 Ensure that Microsoft Defender for SQL is enabled at the SQL server level, then choose Configure next to Enablement Status: Enabled at the server-level.

08 On the Server settings configuration page, under VULNERABILITY ASSESSMENT SETTINGS, check the Storage account attribute value. If no Azure storage account is listed as the value of the Storage account attribute and the Select Storage account link is shown instead, no storage account is configured for Vulnerability Assessment, and therefore the Vulnerability Assessment (VA) feature is not enabled for the selected Microsoft Azure SQL server.

09 Repeat steps no. 5 – 8 for each SQL database server provisioned in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run the Get-AzSqlServer PowerShell command with custom query filters to list the names of all the SQL database servers, and the names of their associated resource groups, available in the current Azure subscription:

Get-AzSqlServer | Select-Object ServerName,ResourceGroupName

02 The command output should return the requested SQL database server information:

ServerName          ResourceGroupName
----------          -----------------
cc-prod-db-server   cloud-shell-storage-westeurope
cc-web-sql-server   cloud-shell-storage-westeurope

03 Run the Get-AzSqlServerVulnerabilityAssessmentSetting command using the name of the SQL server that you want to examine as the identifier parameter, with custom query filters to return the name of the Azure storage account configured for Vulnerability Assessment:

Get-AzSqlServerVulnerabilityAssessmentSetting `
  -ServerName "cc-prod-db-server" `
  -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object StorageAccountName

04 The command output should return the requested storage account name:

StorageAccountName

If the Get-AzSqlServerVulnerabilityAssessmentSetting cmdlet output does not return a value for the StorageAccountName attribute, as shown in the example above, there is no storage account configured for Vulnerability Assessment, and therefore the Vulnerability Assessment (VA) feature is not enabled for the selected Azure SQL server.

05 Repeat steps no. 3 and 4 for each SQL database server available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.
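The audit steps 01 to 06 above can be run as a single loop over every subscription and every SQL server. The script below is an added example, not part of the Conformity article; it assumes the Az.Accounts and Az.Sql modules are installed, that Connect-AzAccount has already been run, and that the subscriptions of interest are in the current tenant.

```powershell
# Added example (not from the Conformity article): report every Azure SQL server
# in every subscription of the current tenant that has no Vulnerability Assessment
# storage account configured (the failure condition of rule Sql-017).
# Assumes Az.Accounts and Az.Sql are installed and Connect-AzAccount has run.

function Get-SqlServerVulnerabilityAssessmentStatus {
    [CmdletBinding()]
    param()

    foreach ($sub in Get-AzSubscription) {
        # Get-AzSqlServer only enumerates the subscription in the current context
        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        foreach ($server in Get-AzSqlServer) {
            $storage = $null
            $problem = $null
            try {
                $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
                        -ServerName $server.ServerName `
                        -ResourceGroupName $server.ResourceGroupName `
                        -ErrorAction Stop
                $storage = $va.StorageAccountName
            } catch {
                # Record the error and keep going so one server cannot abort the audit
                $problem = $_.Exception.Message
            }

            # Audit condition from step 04: an empty StorageAccountName means VA is off
            [pscustomobject]@{
                Subscription       = $sub.Name
                ResourceGroupName  = $server.ResourceGroupName
                ServerName         = $server.ServerName
                StorageAccountName = $storage
                VAEnabled          = -not [string]::IsNullOrEmpty($storage)
                Error              = $problem
            }
        }
    }
}

# Show only the non-compliant servers; drop the Where-Object to see the full inventory
Get-SqlServerVulnerabilityAssessmentStatus |
    Where-Object { -not $_.VAEnabled } |
    Format-Table Subscription, ResourceGroupName, ServerName, Error -AutoSize
```

Servers listed with a non-empty Error column could not be queried at all (for example, insufficient permissions) and should be checked manually rather than assumed compliant.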

Remediation / Resolution

To enable Vulnerability Assessment (VA) for your Microsoft Azure SQL servers by configuring appropriate storage accounts, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to examine.

04 From the Type equals filter box, select SQL server and choose Apply to list only the SQL servers available in your Azure account.

05 Click on the name of the SQL database server that you want to reconfigure.

06 In the resource navigation panel, under Security, select Microsoft Defender for Cloud.

07 Make sure that Microsoft Defender for SQL is enabled at the server level, then choose Configure next to Enablement Status: Enabled at the server-level.

08 On the Server settings page, under VULNERABILITY ASSESSMENT SETTINGS, perform the following actions:

  1. Choose Select Storage account under Storage account to select an existing Azure storage account for Vulnerability Assessment (VA).
  2. Select the name of the storage account that you want to use for Vulnerability Assessment from the Choose storage account list. If you don't have a storage account already available, follow the Azure Portal setup wizard to create a new one.
  3. Choose Save to apply the configuration changes.

09 Repeat steps no. 4 – 8 for each SQL database server provisioned in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run the Update-AzSqlServerVulnerabilityAssessmentSetting cmdlet, using the name of the SQL server that you want to reconfigure and the name of the associated resource group as the identifier parameters, to enable Vulnerability Assessment (VA) for the selected Azure SQL server by setting a storage account. Replace <storage-account-name> with the name of your storage account. The selected storage account must be in the same Azure subscription and location as the SQL server:

Update-AzSqlServerVulnerabilityAssessmentSetting `
  -ServerName "cc-prod-db-server" `
  -ResourceGroupName "cloud-shell-storage-westeurope" `
  -StorageAccountName "<storage-account-name>"

02 The command output should return the new Vulnerability Assessment settings:

ServerName               : cc-prod-db-server
ResourceGroupName        : cloud-shell-storage-westeurope
StorageAccountName       : <storage-account-name>
ScanResultsContainerName : vulnerability-assessment
RecurringScansInterval   : Weekly
EmailAdmins              : True
NotificationEmail        :

03 Repeat steps no. 1 and 2 for each SQL database server provisioned in the selected subscription.

04 Repeat steps no. 1 - 3 for each subscription created within your Microsoft Azure cloud account.
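The same-subscription and same-location requirement from step 01 is easy to get wrong when remediating many servers, so the function below checks it before calling Update-AzSqlServerVulnerabilityAssessmentSetting and supports -WhatIf for a dry run. It is an added example, not part of the Conformity article; it assumes the Az.Accounts, Az.Sql and Az.Storage modules are installed, that Connect-AzAccount has run with the target subscription selected, and the placeholder resource names are yours to replace. The way the two cmdlets format the Location string is also an assumption, so it is normalised before comparison.

```powershell
# Added example (not from the Conformity article): enable Vulnerability Assessment on
# one Azure SQL server, first verifying the storage account is in the same subscription
# and region as the server. Assumes Az.Accounts, Az.Sql and Az.Storage are installed
# and Connect-AzAccount has run with the target subscription as the current context.

function Enable-SqlServerVulnerabilityAssessment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $StorageResourceGroupName
    )

    $server  = Get-AzSqlServer -ServerName $ServerName -ResourceGroupName $ResourceGroupName
    # Both lookups run in the current subscription context, so finding the storage
    # account here already satisfies the same-subscription requirement.
    $storage = Get-AzStorageAccount -Name $StorageAccountName -ResourceGroupName $StorageResourceGroupName

    # Assumption: Location may come back as "West Europe" or "westeurope", so normalise
    $serverRegion  = ($server.Location  -replace '\s', '').ToLowerInvariant()
    $storageRegion = ($storage.Location -replace '\s', '').ToLowerInvariant()
    if ($serverRegion -ne $storageRegion) {
        throw "Storage account '$StorageAccountName' is in $($storage.Location) but server '$ServerName' is in $($server.Location); VA requires the same location."
    }

    if ($PSCmdlet.ShouldProcess("$ResourceGroupName/$ServerName", "Set VA storage account '$StorageAccountName'")) {
        Update-AzSqlServerVulnerabilityAssessmentSetting `
            -ServerName $ServerName `
            -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName `
            -RecurringScansInterval Weekly `
            -EmailAdmins $true
    }
}

# Dry run first; remove -WhatIf to apply. The names below are placeholders.
Enable-SqlServerVulnerabilityAssessment `
    -ServerName 'cc-prod-db-server' `
    -ResourceGroupName 'cloud-shell-storage-westeurope' `
    -StorageAccountName '<storage-account-name>' `
    -StorageResourceGroupName '<storage-account-resource-group>' `
    -WhatIf
```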


Publication date Feb 19, 2022
