SQL vulnerability assessment helps you identify database vulnerabilities
SQL vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve the security posture of your databases.
Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics
Vulnerability assessment is part of Microsoft Defender for Azure SQL, which is a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed from each SQL database resource in the Azure portal.
Vulnerability assessment is supported for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. In the remainder of this article, databases in Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics are referred to collectively as databases, and server refers to the logical server that hosts databases for Azure SQL Database and Azure Synapse Analytics.
What is SQL vulnerability assessment?
SQL vulnerability assessment is a service that provides visibility into your security state. It includes actionable steps to resolve security issues and enhance your database security, and it helps you monitor a dynamic database environment in which changes are difficult to track, so that you can improve your SQL security posture over time.
Vulnerability assessment is a scanning service built into the Azure SQL services listed above. The service employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.
Scan results include actionable steps to resolve each issue and, where applicable, customized remediation scripts. You can customize an assessment report for your environment by setting an acceptable baseline; findings that match the baseline are reported as passing in later scans, so review baselines as carefully as the findings themselves. Baselines can be set for:
- Permission configurations
- Feature configurations
- Database settings
What are the express and classic configurations?
You can configure vulnerability assessment for your SQL databases with either:
- Express configuration (preview) – The default procedure. It configures vulnerability assessment without a dependency on an external storage account for baseline and scan-result data.
- Classic configuration – The legacy procedure. It requires you to manage an Azure storage account that stores baseline and scan-result data.
What's the difference between the express and classic configuration?
The following table compares the benefits and limitations of the two configuration modes:

| Parameter | Express configuration | Classic configuration |
|---|---|---|
| Supported SQL flavors | Azure SQL Database (preview); Azure Synapse Dedicated SQL Pools (formerly SQL DW) (preview) | Azure SQL Database; Azure SQL Managed Instance; Azure Synapse Analytics |
| Supported policy scope | Subscription | |
| Dependencies | None | Azure storage account |
| Recurring scan | Always active; scan scheduling is internal and not configurable | Configurable on/off; scan scheduling is internal and not configurable |
| Supported rules | All vulnerability assessment rules for the supported resource type | All vulnerability assessment rules for the supported resource type |
| Baseline settings | Batch (several rules in one command); set by latest scan results; single rule | Single rule |
| Apply baseline | Takes effect without rescanning the database | Takes effect only after rescanning the database |
| Single-rule scan result size | Maximum of 1 MB | Unlimited |
| Email notifications | Logic Apps | Internal scheduler; Logic Apps |
| Scan export | Not supported | Excel format |
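As an added example (not code from the original article or from Microsoft), the following bash script builds the Azure Resource Manager requests behind two of the operations compared above: turning on the express configuration at server scope, and setting baselines on a database either in batch from the latest scan or for a single rule. It sends them with `az rest`, which attaches the caller's ARM token automatically. The resource paths, the `api-version`, and the request-body shapes are my reading of the express-configuration REST API and should be checked against the current Microsoft.Sql reference; the subscription, resource group, server, database, and rule ID values are constructed placeholders. By default the script only prints the requests; set `APPLY=1` to send them.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article or of Microsoft's tooling.
# Builds the ARM requests that enable express vulnerability assessment on a
# logical server and set baselines on one of its databases, then sends them
# with `az rest` (needs a logged-in Azure CLI). Paths, api-version and body
# shapes are ASSUMED from the express-configuration REST reference; verify
# them against the current Microsoft.Sql documentation before relying on them.
set -eu

ARM="https://management.azure.com"
API="2022-02-01-preview"   # assumed api-version for sqlVulnerabilityAssessments

# Resource path of the server-scoped express VA setting.
va_server_path() {   # sub rg server
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Sql/servers/%s/sqlVulnerabilityAssessments/default' \
    "$1" "$2" "$3"
}

# Resource path of a database's default baseline, or of one rule in it.
va_baseline_path() {   # sub rg server db [ruleId]
  p="/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Sql/servers/$3/databases/$4/sqlVulnerabilityAssessments/default/baselines/default"
  if [ $# -ge 5 ]; then
    p="$p/rules/$5"
  fi
  printf '%s' "$p"
}

# Body that turns the express configuration on.
express_enable_body() {
  printf '{"properties":{"state":"Enabled"}}'
}

# Batch baseline: accept the latest scan's results for every rule as the
# expected state. The comparison table lists this as express-only.
baseline_latest_scan_body() {
  printf '{"properties":{"latestScan":true,"results":{}}}'
}

# Single-rule baseline: each argument is one result row as a JSON array,
# e.g. baseline_rule_body '["app_user","SELECT"]' '["reporting","SELECT"]'
baseline_rule_body() {
  rows=""
  for r in "$@"; do
    rows="${rows:+$rows,}$r"
  done
  printf '{"properties":{"latestScan":false,"results":[%s]}}' "$rows"
}

# PUT a body to an ARM path. Dry run by default; APPLY=1 sends it.
va_put() {   # path body
  url="$ARM$1?api-version=$API"
  if [ "${APPLY:-0}" = 1 ]; then
    az rest --method put --url "$url" --body "$2" --output json
  else
    printf 'PUT %s\n%s\n\n' "$url" "$2"
  fi
}

# Demo with constructed placeholder names (run with APPLY=1 to send).
SUB="00000000-0000-0000-0000-000000000000"
RG="rg-sql-prod"
SRV="sql-prod-01"
DB="orders"
RULE="VA1234"   # hypothetical rule ID; use the ID from the finding you are baselining

va_put "$(va_server_path "$SUB" "$RG" "$SRV")" "$(express_enable_body)"
va_put "$(va_baseline_path "$SUB" "$RG" "$SRV" "$DB")" "$(baseline_latest_scan_body)"
va_put "$(va_baseline_path "$SUB" "$RG" "$SRV" "$DB" "$RULE")" \
       "$(baseline_rule_body '["app_user","SELECT"]' '["reporting","SELECT"]')"
```

Because express baselines take effect without a rescan, the PUT is reflected in the stored findings immediately; with the classic configuration the same change only shows up after the next scan. Treat the batch `latestScan` option with care: it accepts every current finding for every rule as expected state in one call, which is convenient for onboarding an existing estate but hides anything that was already wrong at the time.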
Next steps
- Enable SQL vulnerability assessment.
- Learn more about Microsoft Defender for Azure SQL.
- Learn more about data discovery and classification.
- Learn more about storing vulnerability assessment scan results in a storage account that is accessible behind firewalls and virtual networks (VNets).