Best practice rules for Sql
Trend Micro Cloud One™ – Conformity monitors Sql with the following rules:
- Advanced Data Security for SQL Servers
Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.
- Check for Publicly Accessible SQL Servers
Ensure that Azure SQL database servers are accessible via private endpoints only.
- Check for Sufficient Point in Time Restore (PITR) Backup Retention Period
Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.
- Check for Unrestricted SQL Database Access
Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).
- Configure "AuditActionGroup" for SQL Server Auditing
Ensure that "AuditActionGroup" property is well configured at the Azure SQL database server level.
- Enable All Types of Threat Detection on SQL Servers
Enable all types of threat detection for your Microsoft Azure SQL database servers.
- Enable Auditing for SQL Servers
Ensure that database auditing is enabled at the Azure SQL database server level.
- Enable Auto-Failover Groups
Ensure that your Azure SQL database servers are configured to use auto-failover groups.
- Enable Automatic Tuning for SQL Database Servers
Ensure that the Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.
- Enable Email Alerts for Administrators and Subscription Owners
Enable administrators and subscription owners to receive threat detection email notification alerts for SQL servers.
- Enable Email Alerts for SQL Threat Detection Service
Enable threat detection email notification alerts for your Microsoft Azure SQL servers.
- Enable Transparent Data Encryption for SQL Databases
Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.
- SQL Auditing Retention
Ensure that SQL database auditing has a sufficient log data retention period configured.
- Use Azure Active Directory Admin for SQL Authentication
Ensure that an Azure Active Directory (AAD) admin is configured for SQL authentication.
- Use BYOK for Transparent Data Encryption
Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).