Best practice rules for Sql
Trend Micro Cloud One™ – Conformity monitors Sql with the following rules:
- Advanced Data Security for SQL Servers
Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.
- Check for Publicly Accessible SQL Servers
Ensure that Azure SQL database servers are accessible via private endpoints only.
- Check for Sufficient Point in Time Restore (PITR) Backup Retention Period
Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.
- Check for Unrestricted SQL Database Access
Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).
- Configure "AuditActionGroup" for SQL Server Auditing
Ensure that the "AuditActionGroup" property is properly configured at the Azure SQL database server level.
- Configure Emails for Vulnerability Assessment Scan Reports and Alerts
Ensure that the "Send scan reports to" setting is configured for SQL database servers.
- Detect Create, Update, and Delete SQL Server Firewall Rule Events
SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account.
- Enable All Types of Threat Detection on SQL Servers
Enable all types of threat detection for your Microsoft Azure SQL database servers.
- Enable Auditing for SQL Servers
Ensure that database auditing is enabled at the Azure SQL database server level.
- Enable Auto-Failover Groups
Ensure that your Azure SQL database servers are configured to use auto-failover groups.
- Enable Automatic Tuning for SQL Database Servers
Ensure that the Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.
- Enable Transparent Data Encryption for SQL Databases
Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.
- Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys
Ensure that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs).
- Enable Vulnerability Assessment Email Notifications for Admins and Subscription Owners
Ensure that the Vulnerability Assessment setting "Also send email notification to admins and subscription owners" is enabled for your Microsoft SQL database servers.
- Enable Vulnerability Assessment Periodic Recurring Scans
Ensure that the Vulnerability Assessment Periodic Recurring Scans setting is enabled for SQL database servers.
- Enable Vulnerability Assessment for Microsoft SQL Servers
Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers.
- SQL Auditing Retention
Ensure that SQL database auditing has a sufficient log data retention period configured.
- Use BYOK for Transparent Data Encryption
Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).
- Use Microsoft Entra Admin for SQL Authentication
Ensure that a Microsoft Entra admin is configured for SQL authentication.