Skip to main content

Security Recommendations for Azure SQL Database

In this article, we will cover the security recommendations that you should follow for establishing a secure baseline configuration for Microsoft Azure SQL Services on your Azure Subscription.


1. Enable auditing on SQL Servers & SQL databases:

The Azure platform allows you to create a SQL server as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited.
Auditing tracks database events and writes them to an audit log in your Azure storage account. It also helps you to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

Steps:

For Azure SQL Server:

1. Go to Azure SQL Server and click on Auditing.
2. Enable Azure SQL Auditing and select your Storage account. You can also select either Log analytics or Event Hub.


For Azure SQL Database:

1. Go to Azure SQL Server and click on Auditing.
2. Enable Azure SQL Auditing and select your Storage account. You can also select either Log analytics or Event Hub.


2. Enable threat detection on SQL Servers & SQL databases:

SQL Threat Detection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat.

Steps:

1. Go to Azure SQL server and click on Security Center.
2. Enable AZURE DEFENDER FOR SQL.
3. Select your storage account.
4. Enable Periodic recurring scans & enter your email account where you can receive scan reports. Also select to send email notifications to admins & subscription owners.
5. Enter your email account to which alerts will be sent for the detection of anomalous activities as illustrated in below image. Providing the email address to receive alerts ensures that any detection of anomalous activities is reported as soon as possible, making it more likely to mitigate any potential risk sooner. Always enable service and co-administrators to receive security alerts from SQL Server.
6. Set Threat Detection types to All. Enabling all threat detection types will help you to protect against SQL injection, database vulnerabilities and any other anomalous activities.


You can enable Azure Defender at SQL database level as well but it is recommended to enable Azure Defender at SQL Server level unless you want to generate alerts for the SQL database.


3. Configure Retention policy greater than 90 days.

Ensure that SQL Server & SQL database Audit Retention & Threat Detection Retention should be configured to be greater than 90 days. Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.
Threat Detection Logs can be used to check for suspected attack attempts and breaches on a SQL server with known attack signatures.


4. Use Azure Active Directory Authentication for authentication with SQL Database

Azure Active Directory authentication is a mechanism of connecting to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management.

It provides an alternative to SQL Server authentication.
Helps stop the proliferation of user identities across database servers.
Allows password rotation in a single place
Customers can manage database permissions using external (AAD) groups.
It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory.
Azure AD authentication uses contained database users to authenticate identities at the database level.
Azure AD supports token-based authentication for applications connecting to SQL Database.
Azure AD authentication supports ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization.
Azure AD supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options — phone call, text message, smart cards with pin, or mobile app notification.


5. Enable Data encryption on SQL database

Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Steps:

1. Go to Azure SQL Database & select Transparent Data Encryption.
2. Set Data encryption to ON.



References:







Comments

  1. You are sharing a particularly decent article here. It is a significant and factual article for us. Thankful to you for sharing an article like this. What is Microsoft Azure

    ReplyDelete
  2. I read your post and this blog is very good. You have provided good knowledge in this blog. This blog really impressed me. Thank you for sharing your knowledge with all of us. Vietnam Import Data

    ReplyDelete
  3. I have had a great experience with https://www.typingservice.org/services/document-formatting-service/. Their turnaround is really quick and the trancription is accompanied by a certificate of trancription too. I used their services twice for my immigration paperwork. I have not selected the mail option (only email), therefore I can't speak to how fast delivery is. Overall, I am satisfied.

    ReplyDelete

Post a Comment

Thanks for your comment. In case of any concerns, please contact me at er.ashishsharma@outlook.com

Popular posts from this blog

Comparison between Azure Application Gateway V1 and V2

Microsoft has announced new version of Azure Application Gateway and its Web Application Firewall module (WAF). In this article, we will discuss about the enhancements and new highlights that are available in the new SKUs i.e. Standard_v2 and WAF_v2. Enhancements and new features: Scalability: It allows you to perform scaling of the number of instances on the traffic. Static VIP: The VIP assigned to the Application Gateway can be static which will not change over its lifecycle. Header Rewrite: It allows you to add, remove or update HTTP request and response headers on application gateway. Zone redundancy: It enables application gateway to survive zonal failures which allows increasing the resilience of applications. Improved Performance: Improvement in performance during the provisioning and during the configuration update activities. Cost: V2 SKU may work out to be overall cheaper for you relative to V1 SKU. For more information, refer Microsoft p...

Install Solr as an Azure App Service

After Sitecore 9.0.2, Solr is a supported search technology for Sitecore Azure PAAS deployments. In this article, we will install SOLR service 8.4.0 in Azure App Service for Sitecore 10. 1. Create Azure App Service Login to Azure and create Azure App service. Make sure Runtime stack should be Java. 2. Download Solr Download Solr 8.4.0 from https://archive.apache.org/dist/lucene/solr/ Extract the files and add the below web.config file in the Solr package. <?xml version="1.0" encoding="UTF-8"?> <configuration>  <system.webServer>      <handlers>      <add  name="httpPlatformHandler"            path="*"            verb="*"            modules="httpPlatformHandler"            resourceType="Uns...

Configure a Backup for your Azure App Service

The Backup feature in Azure App Service allows us to easily create app backups manually or on a schedule. You can restore the app to a snapshot of a previous state by overwriting the existing app or restoring to another app. Refer the below steps to schedule your backup: 1. Go to your App service and click on Backups from left Navigation bar. 2. Click on Configure and select your Azure storage account and container to store your backup. Then configure the schedule to start your backup as illustrated below. 3. Once everything is configured you can see backup status as shown below. 4. Once backup is succeeded, you can see the next scheduled backup details. Exclude files from your backup If you want to exclude few folders and files from being stored in your backup, then you can create _backup.filter file inside D:\home\site\wwwroot folder of your web app. Let’s assume you want to exclude Logs folder and ashish.pdf file. Then create _backup.filter file and add...

Export BACPAC file of SQL database

When you need to create an archive of an Azure SQL database, you can export the database schema and data to a BACPAC file. A BACPAC file can be stored in Azure blob storage or in local storage in an on-premises location and later imported back into Azure SQL Database or into a SQL Server on-premises installation. Let's learn some of the ways to export BACPAC file. Export BACPAC using Azure Portal Open your SQL Database and select Export. Fill the parameters as shown below. Select your storage account container & enter your SQL Server admin login. To check the status of your database export. Open your SQL Database server containing the database being exported. Go to Settings and then click Import/Export history Export BACPAC using SSMS Login Azure SQL Database by SSMS. Right-click the database -> Tasks -> Export Data-tier Application Save the .bacpac file into local disk. Export BACPAC using SQLPackage There is a command line tool that you can also choose to ...

Difference between Azure Front Door Service and Traffic Manager

Azure Front Door Service is Microsoft’s highly available and scalable web application acceleration platform and global HTTP(s) load balancer. Azure Front Door Service supports Dynamic Site Acceleration (DSA), SSL offloading and end to end SSL, Web Application Firewall, cookie-based session affinity, URL path-based routing, free certificates and multiple domain management. In this article, I will compare Azure Front Door to Azure Traffic Manager in terms of performance and functionality. Similarity: Azure Front Door service can be compared to Azure Traffic Manager in a way that this also provides global HTTP load balancing to distribute traffic across different Azure regions, cloud providers or even with your on-premises. Both AFD & Traffic Manager support: Multi-geo redundancy: If one region goes down, traffic routes to the closest region without any intervention. Closest region routing: Traffic is automatically routed to the closest region. Differences: Azu...