SQL Servers

SQL Server Public Access

Risk Level: HIGH

Description: 

This plugin prevents SQL Servers from granting public access. SQL Server instances should not have a public endpoint and should only be accessed from within a VNET unless there is a compelling business necessity. A firewall is a network security device that monitors incoming and outgoing network traffic and allows or disallows data packets according to a set of security rules.

PingSafe strongly recommends ensuring that the firewall of each SQL Server is configured to prohibit traffic from the public 0.0.0.0 global IP address.

About the Service :

Azure SQL is a set of managed, secure, and intelligent SQL Server database solutions that run in the Azure cloud. Because Azure SQL is based on the well-known SQL Server engine,  applications can be easily transferred while keeping the existing tools, languages, and resources. 

Impact : 

A high level of visibility into Azure SQL Server firewall activity is an important component of security and operational best practices, and it helps you safeguard SQL database access.

Steps to Reproduce :

  1. Sign in to your Azure portal with your Azure account.
    https://portal.azure.com/#home 
  2. Navigate to Azure’s All Resources.
  3. In the Type filter select the value as SQL Servers and click Apply.
  4. Next, select the SQL Server that you want to examine.
  5. Click on Firewalls and Virtual Networks under Security in the navigation pane.
  6. Check if the firewall rules are configured to prohibit traffic from the public 0.0.0.0 global IP address.
  7. Repeat the same steps for other servers as well.

Steps for remediation :

  1. Sign in to your Azure portal with your Azure account.
    https://portal.azure.com/#home 
  2. Navigate to Azure’s All Resources.
  3. In the Type filter select the value as SQL Servers and click Apply.
  4. Next, select the SQL Server that you want to examine.
  5. Click on Firewalls and Virtual Networks under Security in the navigation pane.
  6. Check if the firewall rules are configured to prohibit traffic from the public 0.0.0.0 global IP address.
  7. Configure the firewall settings to prohibit traffic from the public 0.0.0.0 global IP address and click Save.
  8. Repeat the same steps for other servers as well.

References :

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support