Microsoft Azure Security Technologies (AZ-500)
Database Security
Explore vulnerability assessment
Vulnerability Assessment is an automated security solution designed to scan, identify, and report potential vulnerabilities in your database environment. Regular assessments enable you to continuously monitor emerging threats while providing detailed reports on each vulnerability, including its severity level and recommended remediation steps.
Key Features
- Routine Scanning: Continuously monitors your system with scheduled scans to ensure ongoing protection.
- Comprehensive Reporting: Offers detailed vulnerability reports with severity levels and tailored guidance on remediation.
- Real-Time Alerts: Sends immediate notifications for high-risk vulnerabilities, enabling fast response actions similar to Azure ATP.
- Compliance Support: Generates compliance-ready reports to help meet various data protection standards and regulations.
- Baseline Management: Lets you define an acceptable configuration baseline for your database. Any deviation triggers automatic alerts for all administrators.
Accessing Vulnerability Assessment in Defender for Cloud
If you have already enabled vulnerability assessment for your server within Microsoft Defender for Cloud, accessing the assessment results is straightforward. When you navigate to the Defender for Cloud dashboard, you will see the vulnerability assessment findings displayed prominently. If the feature is not yet enabled, a prompt will appear at the top of the page inviting you to activate it.
Once enabled, if no findings are visible immediately because the tool was just activated, click the provided link to navigate to the findings page. From there, you can initiate a database scan by selecting the Scan option. Once the scan is complete, vulnerabilities are organized by severity.
Note
In our example scenario, the assessment detected one medium severity vulnerability. The detailed report includes valuable information to help resolve the issue.
Example Vulnerability Report
A sample vulnerability report might include details such as:
- Vulnerability ID: VA1143
- Issue: DBA users should not be used for normal service operations
- Category: Surface Area Reduction
- Benchmark: FedRAMP
- Severity: Medium
Clicking on a vulnerability entry provides further insights, including an in-depth description and the underlying logic of the assessment rule.
Vulnerability Assessment Rule Example
The following T-SQL query implements the logic behind this rule: it determines whether the database is being operated solely through the database owner (dbo) account. The dbo account inherently has permission to perform every action within the database. The query checks whether any principals exist with a principal ID in the range 5 to 16383, which is where user-created principals fall (IDs 0 to 4 are the built-in public, dbo, guest, INFORMATION_SCHEMA and sys principals, and fixed database roles start at 16384).
```sql
-- VA1143 rule logic: count user-created principals (IDs 5..16383).
-- If at least one exists the rule passes (0); if none exist, routine work is
-- presumably being done as dbo, which is reported as a violation (1).
IF ((SELECT COUNT(*) FROM sys.database_principals
     WHERE principal_id >= 5 AND principal_id < 16384) > 0)
    SELECT 0
ELSE
    SELECT 1 AS [Violation]
```
A result of 0 confirms that standard user accounts are in place; a result of 1 means no such accounts exist, so the dbo account is presumably handling routine operations. Using the dbo account for routine operations is discouraged. Instead, create users with lower privileges tailored to specific tasks.
Warning
Avoid using the DBO account for normal service operations, as it exposes your database to unnecessary security risks.
Managing Baselines
This vulnerability assessment result is based on the FedRAMP benchmark. You have two options for managing the result:
Option | Description |
---|---|
Approve Baseline | If the current configuration is acceptable, add this result as a baseline to prevent it from appearing in future scans. |
Remediate Issue | Alternatively, implement corrective actions by creating users with appropriate, limited privileges and addressing the issue. |
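The rule logic above and the Remediate Issue option can be worked through in T-SQL. The script below is an added example, not code from the course or from the assessment rule: it lists what VA1143 actually counts, creates a least-privilege contained user in place of running as dbo, checks who still holds db_owner, and then re-evaluates the rule. It assumes an Azure SQL Database; the user name, password and table name are placeholders.

```sql
-- Added example (not part of the course page). Placeholders: app_reporting,
-- the password string, and dbo.AuditEvents.

-- 1. Evidence: which principals fall in the range the rule checks?
--    IDs 0-4 are built-in (public, dbo, guest, INFORMATION_SCHEMA, sys);
--    16384 and above are fixed database roles, so 5..16383 holds
--    user-created users, roles and application roles.
SELECT principal_id, name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE principal_id >= 5 AND principal_id < 16384
ORDER BY principal_id;

-- 2. Remediation: a contained database user (no server-level login needed)
--    for the application, granted only what its task requires.
CREATE USER [app_reporting] WITH PASSWORD = '<replace-with-strong-password>';
ALTER ROLE db_datareader ADD MEMBER [app_reporting];
-- Scope any write path narrowly instead of granting db_datawriter or db_owner:
GRANT INSERT ON dbo.AuditEvents TO [app_reporting];   -- placeholder table

-- 3. Check that no application identity sits in db_owner; anything listed
--    here effectively has the same reach as dbo.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner';

-- 4. Re-evaluate the same logic as the assessment rule:
--    1 = violation (no user-created principals), 0 = compliant.
SELECT CASE WHEN COUNT(*) > 0 THEN 0 ELSE 1 END AS [Violation]
FROM sys.database_principals
WHERE principal_id >= 5 AND principal_id < 16384;
```

After the remediation, trigger a new scan from the findings page rather than approving the result as a baseline, so the report reflects the corrected configuration.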
By following these steps, you can effectively leverage Vulnerability Assessment in Defender for Cloud to enhance the security and compliance of your database environment.