Check: ASQL-00-011950
Microsoft Azure SQL Database STIG:
ASQL-00-011950
(in versions v1 r2 through v1 r1)
Title
Azure SQL Database must only use approved firewall settings deemed by the organization to be secure, including denying Azure services access to the server. (Cat II impact)
Discussion
Use of nonsecure firewall settings, such as allowing Azure services to access the server, exposes the system to avoidable threats.
Check Content
Azure SQL Database must only use approved firewall settings, including denying Azure services and resources access to the server. This option is denied by default in Azure SQL Database and should be left disabled if not otherwise documented and approved.

Obtain a list of approved firewall settings from the database documentation. Verify that the "Allow Azure services and resources to access this server" option is disabled.

1. From the Azure Portal, navigate to the Azure SQL Database Dashboard.
2. Select "Set Server Firewall" on the top menu.
3. Under "Exceptions", review the "Allow Azure services and resources to access this server" option and verify that the value is not checked.

If the "Allow Azure services and resources to access this server" option is enabled, it must be necessary and specifically approved in the database documentation; otherwise, this is a finding.
Fix Text
Assign the approved policy to Azure SQL Database.

1. From the Azure Portal Dashboard, click "Set Server Firewall".
2. Review the "Allow Azure services and resources to access this server" option.
3. Uncheck the box to "Deny Azure" services and resources to access this server.
4. Click "Save".

For more information about connection policies: https://docs.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture
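The portal check above can also be performed against the server's firewall-rule list, where the "Allow Azure services and resources to access this server" toggle appears as a rule named AllowAllWindowsAzureIps spanning 0.0.0.0 to 0.0.0.0. The following added example (not part of the STIG) evaluates JSON shaped like `az sql server firewall-rule list -o json` output against an organization's approved-rule list; the sample rules and the approved list are constructed for illustration.

```python
import ipaddress
import json

# Rule Azure creates when "Allow Azure services and resources to access this
# server" is checked: fixed name, start and end address both 0.0.0.0.
AZURE_SERVICES_RULE = "AllowAllWindowsAzureIps"

# Constructed sample shaped like `az sql server firewall-rule list -o json`
# (assumption: the CLI's camelCase field names startIpAddress/endIpAddress).
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "corp-vpn", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
  {"name": "contractor-laptop", "startIpAddress": "198.51.100.7", "endIpAddress": "198.51.100.7"}
]
"""

# Approved settings from the (hypothetical) database documentation:
# rule name -> (start address, end address).
APPROVED_RULES = {"corp-vpn": ("203.0.113.10", "203.0.113.20")}


def evaluate_firewall_rules(rules_json: str, approved: dict) -> list:
    """Return a list of finding strings; an empty list means the check passes."""
    findings = []
    for rule in json.loads(rules_json):
        name = rule["name"]
        # ip_address() rejects malformed values instead of silently passing them.
        start = str(ipaddress.ip_address(rule["startIpAddress"]))
        end = str(ipaddress.ip_address(rule["endIpAddress"]))
        if name == AZURE_SERVICES_RULE and start == end == "0.0.0.0":
            findings.append(f"{name}: 'Allow Azure services and resources to access this server' is enabled")
        elif name not in approved:
            findings.append(f"{name}: rule {start}-{end} is not in the approved firewall settings")
        elif (start, end) != approved[name]:
            findings.append(f"{name}: range {start}-{end} differs from approved {approved[name]}")
    return findings


if __name__ == "__main__":
    for finding in evaluate_firewall_rules(SAMPLE_RULES_JSON, APPROVED_RULES):
        print("FINDING:", finding)
```

Feed the function the real CLI output to reproduce the check outside the portal; the first finding in the sample corresponds directly to the unchecked-box condition the STIG describes.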
Additional Identifiers
Rule ID: SV-255347r879756_rule
Vulnerability ID: V-255347
Group Title: SRG-APP-000383-DB-000364
CCIs
Number | Definition
---|---
CCI-001762 | The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Controls
Number | Title
---|---
CM-7 (1) | Periodic Review