Detect Create, Update, and Delete SQL Server Firewall Rule Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: Sql-016

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected "Create SQL Server Firewall Rule", "Update SQL Server Firewall Rule", or "Delete SQL Server Firewall Rule" events within your Microsoft Azure cloud account.

Microsoft Azure SQL Server creates a firewall at the server level for single and pooled databases. This firewall prevents client applications from connecting to the SQL server or any of its databases unless you create an IP rule to open the firewall, therefore, all the connections to the server and its database(s) are rejected. For a connection from an IP address outside the Azure cloud, you must create a firewall rule for a specific IP address or IP address range that you want to be able to connect. When a computer tries to connect to your SQL database server from the Internet, the firewall first checks the originating IP address of the request against the server-level IP firewall rules created for the server that the connection requests. The firewall rules are stored in the master database and are ultimately used to provide secure access to the SQL databases hosted on the server. You create the server-level firewall rules by using the Microsoft Azure Portal or programmatically by using Azure PowerShell, Azure Command Line Interface (CLI), or a REST API. You can also create and manage additional server-level IP firewall rules by using Transact-SQL.

This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring

Security

As a cloud security best practice, you need to be aware of all the configuration changes performed at the SQL server firewall level. The activity detected by Trend Micro Cloud One™ – Conformity RTMA could be, for example, a user action initiated through the Microsoft Azure Portal or an API request initiated programmatically using Azure CLI, that is triggering any of the SQL server firewall operational events listed below:

"Create SQL Server Firewall Rule" – Creates a new SQL server-level IP firewall rule.

"Update SQL Server Firewall Rule" – Modifies an existing SQL server firewall rule. For example, change the configured IP address (IPv4 format) to allow access from all Azure cloud services (i.e. '0.0.0.0').

"Delete SQL Server Firewall Rule" – Deletes an SQL server-level IP firewall rule.

To protect against unauthorized access, maintain service availability, and implement the Principle of Least Privilege, Trend Micro Cloud One™ – Conformity strongly recommends that you avoid as much as possible providing your non-privileged Azure users the permission to change SQL server firewall configuration in your Azure cloud account.

The communication channels for sending RTMA notifications can be quickly configured within your Conformity account. The list of supported communication channels that you can use to receive notification alerts for SQL server firewall rule configuration changes are SMS, Email, Slack, ServiceNow, Zendesk, and PagerDuty.

Rationale

A high visibility into Azure SQL Server firewall activity is a key aspect of security and operational best practices and helps you secure the access to your SQL databases. Therefore, monitoring your Microsoft Azure account for "Create SQL Server Firewall Rule", "Update SQL Server Firewall Rule", and "Delete SQL Server Firewall Rule" events, can give you insight into the configuration changes made at the SQL server firewall level and can help you reduce the time it takes to detect suspicious activity.

References

Publication date Feb 16, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Detect Create, Update, and Delete SQL Server Firewall Rule Events

Risk level: High