Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

Azure SQL Server includes a server-level firewall that blocks connections from unauthorized sources. By default, a SQL server carries a firewall rule with a StartIp of 0.0.0.0 and an EndIp of 0.0.0.0, which allows access from all Azure services. Additionally, a custom rule can be set up with a StartIp of 0.0.0.0 and an EndIp of 255.255.255.255, which allows access from ANY IP on the Internet. To reduce the potential attack surface of a SQL server, firewall rules should instead be defined with more granular IP addresses, for example by referencing the range of addresses used by specific data centers.

Risk Level: High
Cloud Entity: SQL Server on Virtual Machines
CloudGuard Rule ID: D9.AZU.NET.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

SQLServer should have firewallRules contain-none [ startIpAddress='0.0.0.0' and endIpAddress='255.255.255.255' ]

REMEDIATION

Azure Console

  1. Go to SQL servers
  2. For each SQL server
  3. Click on Firewall / Virtual Networks
  4. Set Allow access to Azure services to 'OFF'
  5. Ensure that no firewall rule exists with
    5a. Start IP of 0.0.0.0
    5b. End IP of 255.255.255.255
  6. Set firewall rules to limit access to only authorized connections
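The following script is an added example, not CloudGuard's own code or the GSL engine: it applies the GSL condition above (a server fails when any firewall rule has startIpAddress='0.0.0.0' and endIpAddress='255.255.255.255') to a list of firewall rules in the shape that `az sql server firewall-rule list` returns, and it also surfaces the two things the remediation steps ask an operator to look at: the 0.0.0.0–0.0.0.0 rule that the "Allow access to Azure services" toggle creates (step 4) and rules that are not the literal ANY-IP range but still admit a very large address block (step 6). The rule list is constructed for this example; the rule names and the 65536-address "broad" threshold are assumptions, and detection keys on the address ranges described on this page, not on rule names.

```python
import ipaddress
import json

# Constructed sample in the shape of `az sql server firewall-rule list` output
# (assumption: a JSON list of objects carrying name/startIpAddress/endIpAddress;
# every value below is made up for this example).
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0",      "endIpAddress": "0.0.0.0"},
  {"name": "open-to-internet",        "startIpAddress": "0.0.0.0",      "endIpAddress": "255.255.255.255"},
  {"name": "office-egress",           "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
  {"name": "wide-range",              "startIpAddress": "0.0.0.0",      "endIpAddress": "127.255.255.255"}
]
"""


def load_rules(text):
    """Parse the CLI JSON into a list of rule dicts."""
    return json.loads(text)


def is_any_ip_rule(rule):
    """Exact GSL condition from D9.AZU.NET.01:
    startIpAddress='0.0.0.0' and endIpAddress='255.255.255.255'."""
    return (rule["startIpAddress"] == "0.0.0.0"
            and rule["endIpAddress"] == "255.255.255.255")


def is_azure_services_rule(rule):
    """The default 0.0.0.0-0.0.0.0 rule that 'Allow access to Azure services'
    creates; remediation step 4 says to switch that toggle OFF."""
    return (rule["startIpAddress"] == "0.0.0.0"
            and rule["endIpAddress"] == "0.0.0.0")


def rule_width(rule):
    """Number of IPv4 addresses a start/end pair admits (inclusive)."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    return int(end) - int(start) + 1


def compliant(rules):
    """Server passes the rule iff no ANY-IP rule exists (mirrors `contain-none`)."""
    return not any(is_any_ip_rule(r) for r in rules)


def evaluate(rules, broad_threshold=65536):
    """Return (name, kind, detail) findings an operator would review.
    broad_threshold is an assumed cut-off, not something the rule defines."""
    findings = []
    for r in rules:
        if is_any_ip_rule(r):
            findings.append((r["name"], "ANY_IP", "fails D9.AZU.NET.01"))
        elif is_azure_services_rule(r):
            findings.append((r["name"], "AZURE_SERVICES", "'Allow access to Azure services' is ON"))
        elif rule_width(r) > broad_threshold:
            findings.append((r["name"], "BROAD_RANGE", f"{rule_width(r)} addresses admitted"))
    return findings


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    for name, kind, detail in evaluate(rules):
        print(f"{kind:15} {name}: {detail}")
    print("compliant:", compliant(rules))
```

Only the ANY_IP finding corresponds to a failure of this rule; the AZURE_SERVICES and BROAD_RANGE findings are the review items from the remediation steps and are reported separately so that the pass/fail verdict stays identical to the GSL logic.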

Default Value:
By default, setting Allow access to Azure Services is set to ON allowing access to all Windows Azure IP ranges.

References

  1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017
  2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0
  3. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-server-level-firewall-rule
  4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
  5. https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current

SQL Server on Virtual Machines

SQL Server on Azure virtual machines enables you to use full versions of SQL Server in the Cloud without having to manage any on-premises hardware. SQL Server VMs also simplify licensing costs when you pay as you go.

Azure virtual machines run in many different geographic regions around the world. They also offer a variety of machine sizes. The virtual machine image gallery allows you to create a SQL Server VM with the right version, edition, and operating system. This makes virtual machines a good option for many different SQL Server workloads.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.0.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure CloudGuard Network Security Alerts
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure HIPAA
  • Azure HITRUST v9.5.0
  • Azure ISO 27001:2013
  • Azure LGPD regulation
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • Azure PCI-DSS 3.2
  • CloudGuard Azure All Rules Ruleset