4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server

Information

Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.

Rationale:

VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.

Impact:

Enabling the Azure Defender for SQL feature will incur additional costs for each SQL server.

Solution

From Azure Console

Go to SQL servers

For each server instance

Click on Security Center

In Section Vulnerability Assessment Settings, set Storage Account if not already

Toggle 'Periodic recurring scans' to ON.

Click Save

Using Azure PowerShell
If not already, Enable Advanced Data Security for a SQL Server:

Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True

To enable ADS-VA service with 'Periodic recurring scans'

Update-AzSqlServerVulnerabilityAssessmentSetting '
-ResourceGroupName '<resource group name>''
-ServerName '<Server Name>''
-StorageAccountName '<Storage Name from same subscription and same Location' '
-ScanResultsContainerName 'vulnerability-assessment' '
-RecurringScansInterval Weekly '
-EmailSubscriptionAdmins $true '
-NotificationEmail @('[email protected]' , '[email protected]')

Default Value:

Enabling Azure Defender for SQL enables 'Periodic recurring scans' by default but does not configure the Storage account.

See Also

https://workbench.cisecurity.org/files/3459

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-4, CSCv7|3.1

Plugin: microsoft_azure

Control ID: bdc3f18d8dd5e0896cd2c583718d74f17a1cf611f9fda8a8fe4178ba32ce22f8