Enable SSL/TLS for SQL Server Incoming Connections

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Require all incoming connections to your Cloud SQL Server database instances to use SSL/TLS. If SSL/TLS is not enforced for all SQL Server connections, clients without a valid certificate are allowed to connect to the database.

Security

When SQL Server database connections are subjected to Man-in-the-Middle (MITM) attacks (also known as hijack attacks), the intercepted connection can reveal sensitive data such as user credentials, database queries and query results. To ensure that your data is encrypted in transit, it is strongly recommended that you enforce the SSL/TLS protocol for all incoming connections to your SQL Server database instances, especially if these instances use public IP addresses.


Audit

To determine if your SQL Server database instances require all incoming connections to use SSL/TLS, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter tree box, select Type and SQL Server then press Enter, to list only the SQL Server database instances provisioned for the selected GCP project.

05 Click on the name (ID) of the database instance that you want to examine.

06 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

07 In the SSL section, under SSL connections, check the configuration status of the SSL Connections feature. If the feature status is set to "Unsecured connections are allowed to connect to this instance.", the selected Cloud SQL Server database instance is not configured to require all incoming connections to use SSL/TLS.

08 Repeat steps no. 5 – 7 to check the feature status for other SQL Server instances available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-ms-web-project-123123
cc-mobile-project-123123

03 Run sql instances list command (Windows/macOS/Linux) using custom filtering to describe the name of each SQL Server database instance provisioned for the selected Google Cloud project:

gcloud sql instances list \
	--project cc-ms-web-project-123123 \
	--filter="databaseVersion:SQLSERVER*" \
	--format="table(name)"

04 The command output should return the requested database instance name(s):

NAME
cc-web-sql-server-instance
cc-app-sql-server-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the SQL Server database instance that you want to examine as identifier parameter and custom query filters to describe the SSL Connections feature configuration status set for the selected database instance:

gcloud sql instances describe cc-web-sql-server-instance \
	--format="table(settings.ipConfiguration.requireSsl)"

06 The command output should return the requested configuration status (True for enabled, False for disabled):

REQUIRE_SSL
False

If the sql instances describe command output returns false for the REQUIRE_SSL configuration attribute, the selected Cloud SQL Server database instance is not configured to enforce the SSL/TLS protocol for all the incoming connections.

07 Repeat steps no. 5 and 6 to check the SSL Connections feature status for other SQL Server instances created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.
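The CLI audit above, carried through as one script. The shell example below is added here and is not Conformity's or Google's code: it walks every project and every SQL Server instance and reports those whose requireSsl setting is not True. It assumes an authenticated gcloud CLI with permission to list projects and describe Cloud SQL instances; the function names (classify_require_ssl, audit_project, audit_all_projects) and the RUN_AUDIT variable are this example's own. It uses gcloud's value() output instead of the table() format shown in the steps so the results are easy to parse.

```shell
#!/bin/sh
# Added example (not Conformity's or Google's code): audit requireSsl on every
# Cloud SQL Server instance in every project visible to the active gcloud account.

# Classify one requireSsl value as printed by gcloud (Python booleans: True/False).
# An empty value means the field is unset, which Cloud SQL treats as "unsecured
# connections are allowed", so it is reported as NON_COMPLIANT.
classify_require_ssl() {
  case "$1" in
    True|true) echo "COMPLIANT" ;;
    *)         echo "NON_COMPLIANT" ;;
  esac
}

# Names of the SQL Server instances in one project (one per line).
list_sqlserver_instances() {
  gcloud sql instances list --project "$1" \
    --filter="databaseVersion:SQLSERVER*" \
    --format="value(name)"
}

# The requireSsl setting of one instance, as gcloud prints it.
get_require_ssl() {
  gcloud sql instances describe "$2" --project "$1" \
    --format="value(settings.ipConfiguration.requireSsl)"
}

# Audit one project: prints "<project> <instance> <status>" per instance and
# returns 1 if any instance does not enforce SSL/TLS, 0 otherwise.
audit_project() {
  project="$1"
  rc=0
  for inst in $(list_sqlserver_instances "$project"); do
    status=$(classify_require_ssl "$(get_require_ssl "$project" "$inst")")
    [ "$status" = "COMPLIANT" ] || rc=1
    printf '%s %s %s\n' "$project" "$inst" "$status"
  done
  return "$rc"
}

# Audit every project (Audit step 8): non-zero exit if anything is non-compliant.
audit_all_projects() {
  all_rc=0
  for project in $(gcloud projects list --format="value(projectId)"); do
    audit_project "$project" || all_rc=1
  done
  return "$all_rc"
}

# Only contact gcloud when explicitly asked (RUN_AUDIT=1 sh audit.sh), so the
# functions above can be sourced or tested without network access.
if [ "${RUN_AUDIT:-0}" = "1" ]; then
  audit_all_projects
fi
```

Run it with RUN_AUDIT=1 to audit the whole account; the non-zero exit status makes it usable as a scheduled compliance check, and the per-instance lines can be fed to whatever ticketing or alerting you use.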

Remediation / Resolution

To configure your Cloud SQL Server database instances to enforce SSL/TLS for all incoming connections, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter tree box, select Type and SQL Server then press Enter, to display only the SQL Server instances available for the selected project.

05 Click on the name/ID of the database instance that you want to reconfigure.

06 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

07 In the SSL section, under SSL connections, click Allow only SSL connections to allow only secured connections to connect to the selected Cloud SQL Server database instance. Cloud SQL service creates an SSL server certificate automatically when you create your SQL Server database instance. As long as the server certificate is valid, you don't have to actively manage this certificate.

08 Once the SSL/TLS protocol is enforced for all incoming connections, if the selected database instance is using a public IP address, you need to add the IP addresses of your SQL Server client(s) as authorized network(s) by performing the following operations:

  1. In the Connectivity section, under Public IP, click Add network button to configure a new authorized network for the selected instance.
  2. On the New network panel, in the Network box, enter the IP address or IP address range you want to allow connections from. The authorized IP address/IP range must use the CIDR format (e.g. 10.50.51.3/32 or 10.50.51.0/24). Optionally, enter a name for the new entry in the Name box. Click Done to close the configuration panel. If necessary, repeat this step to configure new authorized networks.
  3. Click Save to apply the changes.

09 Repeat step no. 5 – 8 to enforce SSL/TLS connections for other SQL Server database instances available within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) using the name of the Cloud SQL Server database instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to enforce SSL/TLS for all the incoming requests made to the selected database instance:

gcloud sql instances patch cc-web-sql-server-instance \
	--require-ssl

02 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-web-sql-server-instance", "project": "cc-ms-web-project-123123", "settings": {"ipConfiguration": {"requireSsl": true}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-ms-web-project-123123/instances/cc-web-sql-server-instance].

03 If the reconfigured database instance is using a public IP address, you need to add the IP addresses of your SQL Server client(s) as authorized network(s). To configure authorized networks, run sql instances patch command (Windows/macOS/Linux) using the trusted IP address/IP address range you want to allow connections from, as value of the --authorized-networks configuration parameter (CIDR format). IMPORTANT: When adding new IP addresses/ranges to the authorized networks, make sure to also include any IP addresses/ranges that have been already authorized, otherwise, the existing ones will be overwritten and de-authorized:

gcloud sql instances patch cc-web-sql-server-instance \
	--authorized-networks="xxx.xxx.xxx.xxx/24"

04 Type Y to confirm the instance configuration change:

The following message will be used for the patch API method.
When adding a new IP address to authorized networks, make sure to also include any IP addresses that have already been authorized. Otherwise, they will be overwritten and de-authorized.
Do you want to continue (Y/n)? Y

05 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-web-sql-server-instance", "project": "cc-ms-web-project-123123", "settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "xxx.xxx.xxx.xxx/24"}]}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-ms-web-project-123123/instances/cc-web-sql-server-instance].

06 Repeat steps no. 1 – 5 to enforce SSL/TLS connections for other SQL Server database instances provisioned for the selected project.

07 Repeat steps no. 1 – 6 for each project created within your Google Cloud account.
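The overwrite pitfall called out in step 3 is easy to hit from a script. As an added example that is not Conformity's or Google's code, the shell functions below read the instance's current authorized networks, merge them with the new ranges, and apply --require-ssl and the merged list in a single patch call. It assumes an authenticated gcloud CLI; merge_networks, get_authorized_networks and remediate_instance are this example's own names, the RUN_REMEDIATION variable is its own, and the sample ranges in the comments are constructed. The authorizedNetworks[].value projection flattens the list, which gcloud's value() format prints ';'-separated.

```shell
#!/bin/sh
# Added example (not Conformity's or Google's code): enforce SSL/TLS and add client
# networks without dropping the networks that are already authorized.

# Merge two network lists into one comma-separated list with duplicates removed,
# preserving order. $1 is the existing list as gcloud's value() format prints it
# (';'-separated); $2 is the new list as given to --authorized-networks (','-separated).
# e.g. merge_networks "10.50.51.3/32;10.50.51.0/24" "203.0.113.0/24,10.50.51.3/32"
#      -> 10.50.51.3/32,10.50.51.0/24,203.0.113.0/24   (constructed sample ranges)
merge_networks() {
  printf '%s\n' "$1" "$2" | tr ';,' '\n\n' | sed '/^$/d' | awk '!seen[$0]++' | paste -sd, -
}

# Current authorized networks of an instance, ';'-separated (empty if none).
# The [] in the projection flattens the authorizedNetworks list.
get_authorized_networks() {
  gcloud sql instances describe "$2" --project "$1" \
    --format="value(settings.ipConfiguration.authorizedNetworks[].value)"
}

# Require SSL/TLS on one instance and authorize $3 (CIDR ranges, comma-separated)
# on top of whatever is already authorized, in a single patch call.
# --quiet answers the Y/n confirmation from remediation step 4 non-interactively.
remediate_instance() {
  project="$1"; instance="$2"; new_networks="$3"
  merged=$(merge_networks "$(get_authorized_networks "$project" "$instance")" "$new_networks")
  if [ -n "$merged" ]; then
    gcloud sql instances patch "$instance" --project "$project" --quiet \
      --require-ssl --authorized-networks="$merged"
  else
    # Private-IP-only instance with no networks to add: just enforce SSL/TLS.
    gcloud sql instances patch "$instance" --project "$project" --quiet --require-ssl
  fi
}

# Usage: RUN_REMEDIATION=1 sh remediate.sh <project> <instance> <cidr[,cidr...]>
if [ "${RUN_REMEDIATION:-0}" = "1" ]; then
  remediate_instance "$1" "$2" "${3:-}"
fi
```

Because the existing list is re-read immediately before the patch, the script never de-authorizes a range that an operator added between your audit and your remediation; review the merged list before running it against production if you also want to remove stale entries.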

Publication date Apr 12, 2021
