Commit a65e62d

Update sql-database-vulnerability-assessment-rules.md
Fixed Acrolinx spelling issues.
1 parent 06a7c04 commit a65e62d

1 file changed

+3
-3
lines changed

articles/sql-database/sql-database-vulnerability-assessment-rules.md

Lines changed: 3 additions & 3 deletions
@@ -27,7 +27,7 @@ To learn about how to implement Vulnerability Assessment in Azure, see [Implemen
2727
| VA1018 |Latest updates should be installed |Installation Updates and Patches |High |Microsoft periodically releases Cumulative Updates (CUs) for each version of SQL Server. This rule checks whether the latest CU has been installed for the particular version of SQL Server being used, by passing in a string for execution. This rule checks that all users (except dbo) do not have permission to execute the xp_cmdshell extended stored procedure. |<nobr>SQL Server 2005<nobr/><br/><br/><nobr>SQL Server 2008<nobr/><br/><br/><nobr>SQL Server 2008<nobr/><br/><br/><nobr>SQL Server 2012<nobr/><br/><br/><nobr>SQL Server 2014<nobr/><br/><br/><nobr>SQL Server 2016<nobr/><br/><br/>SQL Server 2017<br/>|
2828
|VA1020 |Database user GUEST should not be a member of any role |Authentication and Authorization |High |The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that no database roles are assigned to the Guest user. |<nobr>SQL Server 2012+<nobr/> |
2929
|VA1021 |Global temporary stored procedures should be removed |Data Protection |High |A global temporary stored procedure is visible to all sessions and is dropped when the session of the user that created it is closed. This rule checks that there are no global stored procedures. |<nobr>SQL Server 2012+<nobr/> |
30-
|VA1022 |Ad-hoc distributed queries should be disabled |Surface Area Reduction |Medium |Ad-hoc distributed queries use the `OPENROWSET` and `OPENDATASOURCE` functions to connect to remote data sources that use OLE DB. This rule checks that ad-hoc distributed queries are disabled. |<nobr>SQL Server 2012+<nobr/> |
30+
|VA1022 |Ad hoc distributed queries should be disabled |Surface Area Reduction |Medium |Ad hoc distributed queries use the `OPENROWSET` and `OPENDATASOURCE` functions to connect to remote data sources that use OLE DB. This rule checks that ad hoc distributed queries are disabled. |<nobr>SQL Server 2012+<nobr/> |
3131
|VA1023 |CLR should be disabled |Surface Area Reduction |High |The CLR allows managed code to be hosted by and run in the Microsoft SQL Server environment. This rule checks that CLR is disabled. |<nobr>SQL Server 2012+<nobr/> |
3232
|VA1026 |CLR should be disabled |Surface Area Reduction |Medium |The CLR allows managed code to be hosted by and run in the Microsoft SQL Server environment. CLR strict security treats SAFE and EXTERNAL_ACCESS assemblies as if they were marked UNSAFE and requires all assemblies be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. This rule checks that CLR is disabled. |<nobr>SQL Server 2017+<sup>2</sup><nobr/><br/><br/>SQL Managed <br/>Instance |
3333
|VA1027 |Untracked trusted assemblies should be removed |Surface Area Reduction |High |Assemblies marked as UNSAFE are required to be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. Trusted assemblies may bypass this requirement. |<nobr>SQL Server 2017+<nobr/><br/><br/>SQL Managed <br/>Instance |
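
Review bot: In the VA1018 context row at the top of this hunk, the description carries text that does not belong to the rule: after "for the particular version of SQL Server being used" it continues with "by passing in a string for execution. This rule checks that all users (except dbo) do not have permission to execute the xp_cmdshell extended stored procedure", which reads like a fragment pasted from an xp_cmdshell rule. Since this commit is already a wording pass over the table, trim that row to the CU check and drop the repeated "SQL Server 2008" entry in its platform column. Also worth confirming the VA1026 title: it reads "CLR should be disabled", identical to VA1023, although its description is about CLR strict security. The "Ad-hoc" to "Ad hoc" change on VA1022 itself looks fine.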
@@ -76,7 +76,7 @@ To learn about how to implement Vulnerability Assessment in Azure, see [Implemen
7676
|VA1235 |Replication XPs should be disabled |Surface Area Reduction |Medium |Disable Replication XPs attack surface area |<nobr>SQL Server 2012+<nobr/><br/><br/>SQL Managed <br/>Instance |
7777
|VA1244 |Orphaned users should be removed from SQL server databases |Surface Area Reduction |Medium |A database user that exists on a database but has no corresponding login in the master database or as an external resource (for example, a Windows user) is referred to as an orphaned user and it should either be removed or remapped to a valid login. This rule checks that there are no orphaned users. |<nobr>SQL Server 2012+<nobr/><br/><br/>SQL Managed <br/>Instance |
7878
|VA1245 |The dbo information should be consistent between the target DB and master |Surface Area Reduction |High |There is redundant information about the dbo identity for any database: metadata stored in the database itself and metadata stored in master DB. This rule checks that this information is consistent between the target DB and master. |<nobr>SQL Server 2012+<nobr/><br/><br/>SQL Managed <br/>Instance |
79-
|VA1246 |Application roles should not be used |Authentication and Authorization |Low |An application role is a database principal that enables an application to run with its own user-like permissions. Application roles enable that only users connecting through a particular application can access specific data. Application roles are password-based (which applications typically hardcode) and not permission based which exposes the database to approle impersonation by password-guessing. This rule checks that no application roles are defined in the database. |<nobr>SQL Server 2012+<nobr/><br/><br/>SQL Managed <br/>Instance<br/><br/>SQL Database |
79+
|VA1246 |Application roles should not be used |Authentication and Authorization |Low |An application role is a database principal that enables an application to run with its own user-like permissions. Application roles enable that only users connecting through a particular application can access specific data. Application roles are password-based (which applications typically hardcode) and not permission based which exposes the database to app role impersonation by password-guessing. This rule checks that no application roles are defined in the database. |<nobr>SQL Server 2012+<nobr/><br/><br/>SQL Managed <br/>Instance<br/><br/>SQL Database |
8080
|VA1247 |There should be no SPs marked as auto-start |Surface Area Reduction |High |When SQL Server has been configured to 'scan for startup procs' the server will scan master DB for stored procedures marked as auto-start. This rule checks that there are no SPs marked as auto-start. |<nobr>SQL Server 2012+<nobr/> |
8181
|VA1248 |User-defined database roles should not be members of fixed roles |Authentication and Authorization |Medium |To easily manage the permissions in your databases SQL Server provides several roles, which are security principals that group other principals. They are like groups in the Microsoft Windows operating system. Database accounts and other SQL Server roles can be added into database-level roles. Each member of a fixed-database role can add other users to that same role. This rule checks that no user-defined roles are members of fixed roles. |<nobr>SQL Server 2012+<nobr/><br/><br/>SQL Managed <br/>Instance<br/><br/>SQL Database<br/><br/>Azure Synapse |
8282
|VA1252 |List of events being audited and centrally managed via server audit specifications. |Auditing and Logging |Low |Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. This rule displays a list of events being audited. |<nobr>SQL Server 2012+<nobr/><br/><br/>SQL Managed <br/>Instance |
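
Review bot: On the changed VA1246 line, "app role impersonation" replaces one informal term with another; every other mention in that cell says "application role", so "application role impersonation" would be consistent. While that sentence is being edited, hyphenate "permission-based" to match "password-based", and reword "Application roles enable that only users connecting through a particular application can access specific data", which is ungrammatical as written.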
@@ -155,4 +155,4 @@ To learn about how to implement Vulnerability Assessment in Azure, see [Implemen
155155

156156
## Next steps
157157

158-
- [Vulnerability assessment](sql-vulnerability-assessment.md)
158+
- [Vulnerability assessment](sql-vulnerability-assessment.md)
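
Review bot: The removed and added lines at 158 under "Next steps" are textually identical in this view, so the change is whitespace-only (presumably trailing whitespace or the end-of-file newline), which the commit message "Fixed Acrolinx spelling issues." does not cover. Either mention the whitespace cleanup in the message or drop it from this commit so the diff contains only the spelling fixes.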
