Check: ASQL-00-008500
Microsoft Azure SQL Database STIG:
ASQL-00-008500
(in versions v1 r2 through v1 r1)
Title
Azure SQL Database must map the PKI-authenticated identity to an associated user account. (Cat II impact)
Discussion
The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to an Azure SQL Database user account for the authenticated identity to be meaningful to Azure SQL Database and useful for authorization decisions.
Check Content
To verify that Azure Active Directory-only authentication is enabled on the logical server (so that every login is an Azure AD identity that can be mapped to a database user), use the following PowerShell commands from the Az.Sql module:

    $LogicalServerName = "myServer"
    Get-AzSqlServer -ServerName $LogicalServerName |
        Get-AzSqlServerActiveDirectoryOnlyAuthentication

If AzureADOnlyAuthentication returns False, this is a finding.
Fix Text
To set the Azure Active Directory administrator, use the following PowerShell command:

    $LogicalServerName = "myServer"
    Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "myResourceGroup" -ServerName $LogicalServerName -DisplayName "myAADIdentity"

Azure Active Directory-only authentication can then be enabled using either PowerShell or the Azure CLI. An Azure AD administrator must already be set on the server before Azure AD-only authentication can be enabled, and enabling it disables SQL authentication for the server (including the server admin login), so confirm that applications and operators authenticate with Azure AD identities first.

To enable Azure Active Directory-only authentication using PowerShell, use the commands below:

    ###### Sets the AAD Admin on the logical server using PowerShell ######
    $LogicalServerName = "myServer"
    $ResourceGroup = "myResourceGroup"
    $DisplayName = "<AAD Principal>"
    $ObjectId = "<GUID for AAD Principal>"
    Set-AzSqlServerActiveDirectoryAdministrator `
        -ResourceGroupName $ResourceGroup `
        -ServerName $LogicalServerName `
        -DisplayName $DisplayName `
        -ObjectId $ObjectId

    # Enables Azure AD-only authentication (SQL authentication is disabled)
    Get-AzSqlServer -ServerName $LogicalServerName |
        Enable-AzSqlServerActiveDirectoryOnlyAuthentication

To enable Azure Active Directory-only authentication using the Azure CLI, use the commands below (run from the same PowerShell session so the variables above are defined; the backtick is the PowerShell line continuation):

    ###### Sets the AAD Admin on the logical server using the Azure CLI ######
    az sql server ad-admin create `
        --resource-group $ResourceGroup `
        --server $LogicalServerName `
        --display-name $DisplayName `
        --object-id $ObjectId

    # Enables Azure AD-only authentication (SQL authentication is disabled)
    az sql server ad-only-auth enable `
        --resource-group $ResourceGroup `
        --name $LogicalServerName

References:
https://docs.microsoft.com/en-us/cli/azure/sql/server/ad-only-auth?view=azure-cli-latest
https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell
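The check and fix above address one named server. The following PowerShell is an added example, not part of the STIG text, that applies the same check to every Azure SQL logical server in the current subscription and re-reads the setting after remediation. It assumes an authenticated Connect-AzAccount session with the Az.Accounts and Az.Sql modules installed; the function names Test-AsqlAadOnlyAuthentication and Set-AsqlAadOnlyAuthentication and their parameters are this example's own.

```powershell
# Added example for ASQL-00-008500 (not from the STIG): audit every logical
# server in the subscription for Azure AD-only authentication, and remediate
# one server by setting the Azure AD admin and enabling AAD-only auth.
# Assumes Az.Accounts and Az.Sql are installed and Connect-AzAccount has run.

function Test-AsqlAadOnlyAuthentication {
    [CmdletBinding()]
    param(
        # Restrict the audit to one resource group; default is the whole subscription.
        [string]$ResourceGroupName
    )
    $servers = if ($ResourceGroupName) {
        Get-AzSqlServer -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzSqlServer
    }
    foreach ($server in $servers) {
        $aadOnly = Get-AzSqlServerActiveDirectoryOnlyAuthentication `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName
        # Returns nothing when no Azure AD admin has been set on the server.
        $admin = Get-AzSqlServerActiveDirectoryAdministrator `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName
        [pscustomobject]@{
            ResourceGroupName         = $server.ResourceGroupName
            ServerName                = $server.ServerName
            AadAdminDisplayName       = $admin.DisplayName
            AzureADOnlyAuthentication = [bool]$aadOnly.AzureADOnlyAuthentication
            # AzureADOnlyAuthentication = False is the finding condition in the check text.
            Finding                   = -not [bool]$aadOnly.AzureADOnlyAuthentication
        }
    }
}

function Set-AsqlAadOnlyAuthentication {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$ServerName,
        # Azure AD user or group that becomes the server administrator.
        [Parameter(Mandatory)][string]$AdminDisplayName,
        # Object ID (GUID) of that principal, so the display name cannot be ambiguous.
        [Parameter(Mandatory)][string]$AdminObjectId
    )
    if ($PSCmdlet.ShouldProcess($ServerName, "Set Azure AD admin and enable Azure AD-only authentication")) {
        # An Azure AD admin must exist before AAD-only authentication can be enabled.
        Set-AzSqlServerActiveDirectoryAdministrator `
            -ResourceGroupName $ResourceGroupName `
            -ServerName $ServerName `
            -DisplayName $AdminDisplayName `
            -ObjectId $AdminObjectId | Out-Null
        # Disables SQL authentication for the server, including the server admin login.
        Enable-AzSqlServerActiveDirectoryOnlyAuthentication `
            -ResourceGroupName $ResourceGroupName `
            -ServerName $ServerName | Out-Null
    }
    # Re-read the setting so the caller sees the post-change state, not an assumption.
    Get-AzSqlServerActiveDirectoryOnlyAuthentication `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName
}

# Usage: list findings first, then remediate a server with -WhatIf before committing.
Test-AsqlAadOnlyAuthentication | Where-Object Finding | Format-Table -AutoSize
# Set-AsqlAadOnlyAuthentication -ResourceGroupName "myResourceGroup" -ServerName "myServer" `
#     -AdminDisplayName "<AAD Principal>" -AdminObjectId "<GUID for AAD Principal>" -WhatIf
```

Because remediation cuts off every SQL login on the server, the remediation function supports -WhatIf and -Confirm; run the audit, review which applications still use SQL authentication on the flagged servers, and only then remediate.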
Additional Identifiers
Rule ID: SV-255336r879614_rule
Vulnerability ID: V-255336
Group Title: SRG-APP-000177-DB-000069
Expert Comments
CCIs
Number | Definition
---|---
CCI-000187 | The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.
Controls
Number | Title
---|---
IA-5 (2) | PKI-Based Authentication