SQL best practices

Best practice rules for Sql

Trend Micro Cloud One™ – Conformity monitors Sql with the following rules:

• Advanced Data Security for SQL Servers

  Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.

• Check for Publicly Accessible SQL Servers

  Ensure that Azure SQL database servers are accessible via private endpoints only.

• Check for Sufficient Point in Time Restore (PITR) Backup Retention Period

  Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.

• Check for Unrestricted SQL Database Access

  Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).

• Configure "AuditActionGroup" for SQL Server Auditing

  Ensure that "AuditActionGroup" property is well configured at the Azure SQL database server level.

• Configure Emails for Vulnerability Assessment Scan Reports and Alerts

  Ensure that "Send scan reports to" setting is configured for SQL database servers.

• Detect Create, Update, and Delete SQL Server Firewall Rule Events

  SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account.

• Enable All Types of Threat Detection on SQL Servers

  Enable all types of threat detection for your Microsoft Azure SQL database servers.

• Enable Auditing for SQL Servers

  Ensure that database auditing is enabled at the Azure SQL database server level.

• Enable Auto-Failover Groups

  Ensure that your Azure SQL database servers are configured to use auto-failover groups.

• Enable Automatic Tuning for SQL Database Servers

  Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.

• Enable Transparent Data Encryption for SQL Databases

  Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.

• Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys

  Ensure that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs).

• Enable Vulnerability Assessment Email Notifications for Admins and Subscription Owners

  Ensure that the Vulnerability Assessment setting "Also send email notification to admins and subscription owners" is enabled for your Microsoft SQL database servers.

• Enable Vulnerability Assessment Periodic Recurring Scans

  Ensure that the Vulnerability Assessment Periodic Recurring Scans setting is enabled for SQL database servers.

• Enable Vulnerability Assessment for Microsoft SQL Servers

  Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers.

• SQL Auditing Retention

  Ensure that SQL database auditing has a sufficient log data retention period configured.

• Use BYOK for Transparent Data Encryption

  Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).

• Use Microsoft Entra Admin for SQL Authentication

  Ensure that an Microsoft Entra admin is configured for SQL authentication.