SQL vulnerability assessment rules reference guide
This article lists the set of built-in rules that are used to flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations and excessive permissions. The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover both database-level issues as well as server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.
Applies to: 
Azure SQL Database
Azure SQL Managed Instance
Azure Synapse Analytics
SQL Server (all supported versions)
The rules shown in your database scans depend on the SQL version and platform that was scanned.
To learn about how to implement vulnerability assessment in Azure, see Implement vulnerability assessment.
For a list of changes to these rules, see SQL vulnerability assessment rules changelog.
Rule categories
SQL vulnerability assessment rules have five categories, which are in the following sections:
- Authentication and Authorization
- Auditing and Logging
- Data Protection
- Installation Updates and Patches
- Surface Area Reduction
1 SQL Server 2012+ refers to all versions of SQL Server 2012 and above.
2 SQL Server 2017+ refers to all versions of SQL Server 2017 and above.
3 SQL Server 2016+ refers to all versions of SQL Server 2016 and above.
Authentication and Authorization
| Rule ID | Rule Title | Rule Severity | Rule Description | Platform |
|---|---|---|---|---|
| VA1017 | Execute permissions on xp_cmdshell from all users (except dbo) should be revoked | High | The xp_cmdshell extended stored procedure spawns a Windows command shell, passing in a string for execution. This rule checks that no users (other than users with the CONTROL SERVER permission like members of the sysadmin server role) have permission to execute the xp_cmdshell extended stored procedure. | |
| VA1020 | Database user GUEST should not be a member of any role | High | The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that no database roles are assigned to the Guest user. | SQL Database |
| VA1042 | Database ownership chaining should be disabled for all databases except for master, msdb, and tempdb |
High | Cross database ownership chaining is an extension of ownership chaining, except it does cross the database boundary. This rule checks that this option is disabled for all databases except for master, msdb, and tempdb . For master, msdb, and tempdb, cross database ownership chaining is enabled by default. |
SQL Managed Instance |
| VA1043 | Principal GUEST should not have access to any user database | Medium | The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that the guest user cannot connect to any database. | SQL Managed Instance |
| VA1046 | CHECK_POLICY should be enabled for all SQL logins | Low | CHECK_POLICY option enables verifying SQL logins against the domain policy. This rule checks that CHECK_POLICY option is enabled for all SQL logins. | SQL Managed Instance |
| VA1047 | Password expiration check should be enabled for all SQL logins | Low | Password expiration policies are used to manage the lifespan of a password. When SQL Server enforces password expiration policy, users are reminded to change old passwords, and accounts that have expired passwords are disabled. This rule checks that password expiration policy is enabled for all SQL logins. | SQL Managed Instance |
| VA1048 | Database principals should not be mapped to the sa account |
High | A database principal that is mapped to the sa account can be exploited by an attacker to elevate permissions to sysadmin |
SQL Managed Instance |
| VA1052 | Remove BUILTIN\Administrators as a server login | Low | The BUILTIN\Administrators group contains the Windows Local Administrators group. In older versions of Microsoft SQL Server, this group has administrator rights by default. This rule checks that this group is removed from SQL Server. | |
| VA1053 | Account with default name sa should be renamed or disabled |
Low | sa is a well-known account with principal ID 1. This rule verifies that the sa account is either renamed or disabled. |
SQL Managed Instance |
| VA1054 | Excessive permissions should not be granted to PUBLIC role on objects or columns | Low | Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object the user inherits the permissions granted to public on that object. This rule displays a list of all securable objects or columns that are accessible to all users through the PUBLIC role. | SQL Database |
| VA1058 | sa login should be disabled |
High | sa is a well-known account with principal ID 1. This rule verifies that the sa account is disabled. |
SQL Managed Instance |
| VA1059 | xp_cmdshell should be disabled | High | xp_cmdshell spawns a Windows command shell and passes it a string for execution. This rule checks that xp_cmdshell is disabled. | SQL Managed Instance |
| VA1067 | Database Mail XPs should be disabled when it is not in use | Medium | This rule checks that Database Mail is disabled when no database mail profile is configured. Database Mail can be used for sending e-mail messages from the SQL Server Database Engine and is disabled by default. If you are not using this feature, it is recommended to disable it to reduce the surface area. | |
| VA1068 | Server permissions shouldn't be granted directly to principals | Low | Server level permissions are associated with a server level object to regulate which users can gain access to the object. This rule checks that there are no server level permissions granted directly to logins. | SQL Managed Instance |
| VA1070 | Database users shouldn't share the same name as a server login | Low | Database users might share the same name as a server login. This rule validates that there are no such users. | SQL Managed Instance |
| VA1072 | Authentication mode should be Windows Authentication | Medium | There are two possible authentication modes: Windows Authentication mode and mixed mode. Mixed mode means that SQL Server enables both Windows authentication and SQL Server authentication. This rule checks that the authentication mode is set to Windows Authentication. | |
| VA1094 | Database permissions shouldn't be granted directly to principals | Low | Permissions are rules associated with a securable object to regulate which users can gain access to the object. This rule checks that there are no DB permissions granted directly to users. | SQL Managed Instance |
| VA1095 | Excessive permissions should not be granted to PUBLIC role | Medium | Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This displays a list of all permissions that are granted to the PUBLIC role. | SQL Managed Instance SQL Database |
| VA1096 | Principal GUEST should not be granted permissions in the database | Low | Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user. | SQL Managed Instance SQL Database |
| VA1097 | Principal GUEST should not be granted permissions on objects or columns | Low | Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user. | SQL Managed Instance SQL Database |
| VA1099 | GUEST user should not be granted permissions on database securables | Low | Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user. | SQL Managed Instance SQL Database |
| VA1246 | Application roles should not be used | Low | An application role is a database principal that enables an application to run with its own user-like permissions. Application roles enable that only users connecting through a particular application can access specific data. Application roles are password-based (which applications typically hardcode) and not permission based which exposes the database to app role impersonation by password-guessing. This rule checks that no application roles are defined in the database. | SQL Managed Instance SQL Database |
| VA1248 | User-defined database roles should not be members of fixed roles | Medium | To easily manage the permissions in your databases SQL Server provides several roles, which are security principals that group other principals. They are like groups in the Microsoft Windows operating system. Database accounts and other SQL Server roles can be added into database-level roles. Each member of a fixed-database role can add other users to that same role. This rule checks that no user-defined roles are members of fixed roles. | SQL Managed Instance SQL Database Azure Synapse |
| VA1267 | Contained users should use Windows Authentication | Medium | Contained users are users that exist within the database and do not require a login mapping. This rule checks that contained users use Windows Authentication. | SQL Managed Instance |
| VA1280 | Server Permissions granted to public should be minimized | Medium | Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object the user inherits the permissions granted to public on that object. This rule checks that server permissions granted to public are minimized. | SQL Managed Instance |
| VA1282 | Orphan roles should be removed | Low | Orphan roles are user-defined roles that have no members. Eliminate orphaned roles as they are not needed on the system. This rule checks whether there are any orphan roles. | SQL Managed Instance SQL Database Azure Synapse |
| VA2020 | Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions | High | Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted ALTER or ALTER ANY USER database-scoped permissions. | SQL Managed Instance SQL Database Azure Synapse |
| VA2033 | Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns | Low | This rule checks which principals are granted EXECUTE permission on objects or columns to ensure this permission is granted to a minimal set of principals. Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users, database roles, or application roles). The EXECUTE permission applies to both stored procedures and scalar functions, which can be used in computed columns. | SQL Managed Instance SQL Database Azure Synapse |
| VA2103 | Unnecessary execute permissions on extended stored procedures should be revoked | Medium | Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. SQL Server is packaged with many extended stored procedures that allow for interaction with the system DLLs. This rule checks that unnecessary execute permissions on extended stored procedures have been revoked. | SQL Managed Instance |
| VA2107 | Minimal set of principals should be members of fixed Azure SQL DB master database roles | High | SQL Database provides two restricted administrative roles in the master database to which user accounts can be added that grant permissions to either create databases or manage logins. This rule check that a minimal set of principals are members of these administrative roles. | Azure Synapse |
| VA2108 | Minimal set of principals should be members of fixed high impact database roles | High | SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles. | SQL Managed Instance SQL Database Azure Synapse |
| VA2109 | Minimal set of principals should be members of fixed low impact database roles | Low | SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles. | SQL Managed Instance SQL Database Azure Synapse |
| VA2110 | Execute permissions to access the registry should be revoked | High | Registry extended stored procedures allow Microsoft SQL Server to read write and enumerate values and keys in the registry. They are used by Enterprise Manager to configure the server. This rule checks that the permissions to execute registry extended stored procedures have been revoked from all users (other than dbo). | SQL Managed Instance |
| VA2113 | Data Transformation Services (DTS) permissions should only be granted to SSIS roles | Medium | Data Transformation Services (DTS), is a set of objects and utilities that allow the automation of extract, transform, and load operations to or from a database. The objects are DTS packages and their components, and the utilities are called DTS tools. This rule checks that only the SSIS roles are granted permissions to use the DTS system stored procedures and the permissions for the PUBLIC role to use the DTS system stored procedures have been revoked. | SQL Managed Instance |
| VA2114 | Minimal set of principals should be members of high impact fixed server roles | High | SQL Server provides roles to help manage permissions. Roles are security principals that group other principals. Server-level roles are server-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed server roles. | SQL Managed Instance |
| VA2129 | Changes to signed modules should be authorized | High | You can sign a stored procedure, function, or trigger with a certificate or an asymmetric key. This is designed for scenarios when permissions cannot be inherited through ownership chaining or when the ownership chain is broken, such as dynamic SQL. This rule checks for changes made to signed modules, which could be an indication of malicious use. | SQL Database SQL Managed Instance |
| VA2130 | Track all users with access to the database | Low | This check tracks all users with access to a database. Make sure that these users are authorized according to their current role in the organization. | Azure Synapse |
| VA2201 | SQL logins with commonly used names should be disabled | High | This rule checks the accounts with database owner permission for commonly used names. Assigning commonly used names to accounts with database owner permission increases the likelihood of successful brute force attacks. |
Auditing and Logging
| Rule ID | Rule Title | Rule Severity | Rule Description | Platform |
|---|---|---|---|---|
| VA1045 | Default trace should be enabled | Medium | Default trace provides troubleshooting assistance to database administrators by ensuring that they have the log data necessary to diagnose problems the first time they occur. This rule checks that the default trace is enabled. | SQL Managed Instance |
| VA1091 | Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins | Low | SQL Server Login auditing configuration enables administrators to track the users logging into SQL Server instances. If the user chooses to count on 'Login auditing' to track users logging into SQL Server instances, then it is important to enable it for both successful and failed login attempts. | |
| VA1093 | Maximum number of error logs should be 12 or more | Low | Each SQL Server Error log will have all the information related to failures / errors that have occurred since SQL Server was last restarted or since the last time you have recycled the error logs. This rule checks that the maximum number of error logs is 12 or more. | |
| VA1258 | Database owners are as expected | High | Database owners can perform all configuration and maintenance activities on the database and can also drop databases in SQL Server. Tracking database owners is important to avoid having excessive permission for some principals. Create a baseline that defines the expected database owners for the database. This rule checks whether the database owners are as defined in the baseline. | SQL Database Azure Synapse |
| VA1264 | Auditing of both successful and failed login attempts should be enabled | Low | SQL Server auditing configuration enables administrators to track the users logging into SQL Server instances that they're responsible for. This rule checks that auditing is enabled for both successful and failed login attempts. | SQL Managed Instance |
| VA1265 | Auditing of both successful and failed login attempts for contained DB authentication should be enabled | Medium | SQL Server auditing configuration enables administrators to track users logging to SQL Server instances that they're responsible for. This rule checks that auditing is enabled for both successful and failed login attempts for contained DB authentication. | SQL Managed Instance |
| VA1281 | All memberships for user-defined roles should be intended | Medium | User-defined roles are security principals defined by the user to group principals to easily manage permissions. Monitoring these roles is important to avoid having excessive permissions. Create a baseline that defines expected membership for each user-defined role. This rule checks whether all memberships for user-defined roles are as defined in the baseline. | SQL Managed Instance SQL Database Azure Synapse |
| VA1283 | There should be at least 1 active audit in the system | Low | Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. The SQL Server Audit object collects a single instance of server or database-level actions and groups of actions to monitor. This rule checks that there is at least one active audit in the system. | SQL Managed Instance |
| VA2061 | Auditing should be enabled at the server level | High | Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. For more information, see Azure SQL Auditing. This rule checks that auditing is enabled. | Azure Synapse |
Data Protection
| Rule ID | Rule Title | Rule Severity | Rule Description | Platform |
|---|---|---|---|---|
| VA1098 | Any Existing SSB or Mirroring endpoint should require AES connection | High | Service Broker and Mirroring endpoints support different encryption algorithms including no-encryption. This rule checks that any existing endpoint requires AES encryption. | |
| VA1219 | Transparent data encryption should be enabled | Medium | Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application. This rule checks that TDE is enabled on the database. | SQL Managed Instance SQL Database Azure Synapse |
| VA1220 | Database communication using TDS should be protected through TLS | High | Microsoft SQL Server can use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. This rule checks that all connections to the SQL Server are encrypted through TLS. | SQL Managed Instance |
| VA1221 | Database Encryption Symmetric Keys should use AES algorithm | High | SQL Server uses encryption keys to help secure data credentials and connection information that is stored in a server database. SQL Server has two kinds of keys: symmetric and asymmetric. This rule checks that Database Encryption Symmetric Keys use AES algorithm. | SQL Managed Instance SQL Database Azure Synapse |
| VA1222 | Cell-Level Encryption keys should use AES algorithm | High | Cell-Level Encryption (CLE) allows you to encrypt your data using symmetric and asymmetric keys. This rule checks that Cell-Level Encryption symmetric keys use AES algorithm. | SQL Managed Instance |
| VA1223 | Certificate keys should use at least 2048 bits | High | Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates. | SQL Managed Instance SQL Database Azure Synapse |
| VA1224 | Asymmetric keys' length should be at least 2048 bits | High | Database asymmetric keys are used in many encryption algorithms these keys need to be of enough length to secure the encrypted data this rule checks that all asymmetric keys stored in the database are of length of at least 2048 bits | SQL Database |
| VA1279 | Force encryption should be enabled for TDS | High | When the Force Encryption option for the Database Engine is enabled all communications between client and server is encrypted regardless of whether the 'Encrypt connection' option (such as from SSMS) is checked or not. This rule checks that Force Encryption option is enabled. | |
| VA2060 | SQL Threat Detection should be enabled at the server level | Medium | SQL Threat Detection provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat. For more information, please see Configure threat detection. This check verifies that SQL Threat Detection is enabled | SQL Managed Instance SQL Database Azure Synapse |
Installation Updates and Patches
| Rule ID | Rule Title | Rule Severity | Rule Description | Platform |
|---|---|---|---|---|
| VA1018 | Latest updates should be installed | High | Microsoft periodically releases Cumulative Updates (CUs) for each version of SQL Server. This rule checks whether the latest CU has been installed for the particular version of SQL Server being used, by passing in a string for execution. This rule checks that all users (except dbo) do not have permission to execute the xp_cmdshell extended stored procedure. | SQL Server 2017 SQL Server 2019 SQL Server 2022 |
| VA2128 | Vulnerability assessment is not supported for SQL Server versions lower than SQL Server 2012 | High | To run a vulnerability assessment scan on your SQL Server the server needs to be upgraded to SQL Server 2012 or higher, SQL Server 2008 R2 and below are no longer supported by Microsoft. For more information, see | SQL Managed Instance SQL Database Azure Synapse |
Surface Area Reduction
| Rule ID | Rule Title | Rule Severity | Rule Description | Platform |
|---|---|---|---|---|
| VA1022 | Ad hoc distributed queries should be disabled | Medium | Ad hoc distributed queries use the OPENROWSET and OPENDATASOURCE functions to connect to remote data sources that use OLE DB. This rule checks that ad hoc distributed queries are disabled. |
|
| VA1023 | CLR should be disabled | High | The CLR allows managed code to be hosted by and run in the Microsoft SQL Server environment. This rule checks that CLR is disabled. | |
| VA1026 | CLR should be disabled | Medium | The CLR allows managed code to be hosted by and run in the Microsoft SQL Server environment. CLR strict security treats SAFE and EXTERNAL_ACCESS assemblies as if they were marked UNSAFE and requires all assemblies be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. This rule checks that CLR is disabled. | SQL Managed Instance |
| VA1027 | Untracked trusted assemblies should be removed | High | Assemblies marked as UNSAFE are required to be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. Trusted assemblies might bypass this requirement. | SQL Managed Instance |
| VA1044 | Remote Admin Connections should be disabled unless specifically required | Medium | This rule checks that remote dedicated admin connections are disabled if they are not being used for clustering to reduce attack surface area. SQL Server provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server and it becomes an attractive target to attack when it is enabled remotely. | SQL Managed Instance |
| VA1051 | AUTO_CLOSE should be disabled on all databases | Medium | The AUTO_CLOSE option specifies whether the database shuts down gracefully and frees resources after the last user disconnects. Regardless of its benefits it can cause denial of service by aggressively opening and closing the database, thus it is important to keep this feature disabled. This rule checks that this option is disabled on the current database. | |
| VA1066 | Unused service broker endpoints should be removed | Low | Service Broker provides queuing and reliable messaging for SQL Server. Service Broker is used both for applications that use a single SQL Server instance and applications that distribute work across multiple instances. Service Broker endpoints provide options for transport security and message forwarding. This rule enumerates all the service broker endpoints. Remove those that are not used. | |
| VA1071 | 'Scan for startup stored procedures' option should be disabled | Medium | When 'Scan for startup procs' is enabled SQL Server scans for and runs all automatically run stored procedures defined on the server. If this option is enabled SQL Server scans for and runs all automatically run stored procedures defined on the server. This rule checks that this option is disabled. | |
| VA1092 | SQL Server instance shouldn't be advertised by the SQL Server Browser service | Low | SQL Server uses the SQL Server Browser service to enumerate instances of the Database Engine installed on the computer. This enables client applications to browse for a server and helps clients distinguish between multiple instances of the Database Engine on the same computer. This rule checks that the SQL instance is hidden. | |
| VA1102 | The Trustworthy bit should be disabled on all databases except MSDB | High | The TRUSTWORTHY database property is used to indicate whether the instance of SQL Server trusts the database and the contents within it. If this option is enabled database modules (for example user-defined functions or stored procedures) that use an impersonation context can access resources outside the database. This rule verifies that the TRUSTWORTHY bit is disabled on all databases except MSDB. | SQL Managed Instance |
| VA1143 | 'dbo' user should not be used for normal service operation | Medium | The 'dbo' or database owner is a user account that has implied permissions to perform all activities in the database. Members of the sysadmin fixed server role are automatically mapped to dbo. This rule checks that dbo is not the only account allowed to access this database. Note that on a newly created clean database this rule will fail until additional roles are created. | SQL Managed Instance SQL Database Azure Synapse |
| VA1144 | Model database should only be accessible by 'dbo' | Medium | The Model database is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database such as database size recovery model and other database options are applied to any databases created afterward. This rule checks that dbo is the only account allowed to access the model database. | SQL Managed Instance |
| VA1230 | Filestream should be disabled | High | FILESTREAM integrates the SQL Server Database Engine with an NTFS file system by storing varbinary (max) binary large object (BLOB) data as files on the file system. Transact-SQL statements can insert, update, query, search, and back up FILESTREAM data. Enabling Filestream on SQL server exposes additional NTFS streaming API, which increases its attack surface and makes it prone to malicious attacks. This rule checks that Filestream is disabled. | |
| VA1235 | Server configuration 'Replication XPs' should be disabled | Medium | Disable the deprecated server configuration 'Replication XPs' to limit the attack surface area. This is an internal only configuration setting. | SQL Managed Instance |
| VA1244 | Orphaned users should be removed from SQL server databases | Medium | A database user that exists on a database but has no corresponding login in the master database or as an external resource (for example, a Windows user) is referred to as an orphaned user and it should either be removed or remapped to a valid login. This rule checks that there are no orphaned users. | SQL Managed Instance |
| VA1245 | The dbo information should be consistent between the target DB and master | High | There is redundant information about the dbo identity for any database: metadata stored in the database itself and metadata stored in master DB. This rule checks that this information is consistent between the target DB and master. | SQL Managed Instance |
| VA1247 | There should be no SPs marked as auto-start | High | When SQL Server has been configured to 'scan for startup procs' the server will scan master DB for stored procedures marked as auto-start. This rule checks that there are no SPs marked as auto-start. | |
| VA1256 | User CLR assemblies should not be defined in the database | High | CLR assemblies can be used to execute arbitrary code on SQL Server process. This rule checks that there are no user-defined CLR assemblies in the database. | SQL Managed Instance |
| VA1277 | Polybase network encryption should be enabled | High | PolyBase is a technology that accesses and combines both non-relational and relational data all from within SQL Server. Polybase network encryption option configures SQL Server to encrypt control and data channels when using Polybase. This rule verifies that this option is enabled. | |
| VA1278 | Create a baseline of External Key Management Providers | Medium | The SQL Server Extensible Key Management (EKM) enables third-party EKM / Hardware Security Modules (HSM) vendors to register their modules in SQL Server. When registered SQL Server users can use the encryption keys stored on EKM modules, this rule displays a list of EKM providers being used in the system. | SQL Managed Instance |
| VA2062 | Database-level firewall rules should not grant excessive access | High | The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check verifies that database-level firewall rules do not grant access to more than 255 IP addresses. | Azure Synapse |
| VA2063 | Server-level firewall rules should not grant excessive access | High | The Azure SQL server-level firewall helps protect your server by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can only be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check verifies that server-level firewall rules do not grant access to more than 255 IP addresses. | Azure Synapse |
| VA2064 | Database-level firewall rules should be tracked and maintained at a strict minimum | High | The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check enumerates all the database-level firewall rules so that any changes made to them can be identified and addressed. | Azure Synapse |
| VA2065 | Server-level firewall rules should be tracked and maintained at a strict minimum | High | The Azure SQL server-level firewall helps protect your data by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check enumerates all the server-level firewall rules so that any changes made to them can be identified and addressed. | Azure Synapse |
| VA2111 | Sample databases should be removed | Low | Microsoft SQL Server comes shipped with several sample databases. This rule checks whether the sample databases have been removed. | SQL Managed Instance |
| VA2120 | Features that may affect security should be disabled | High | SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default might not be necessary and enabling them could adversely affect the security of the system. This rule checks that these features are disabled. | SQL Managed Instance |
| VA2121 | 'OLE Automation Procedures' feature should be disabled | High | SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, might not be necessary, and enabling them could adversely affect the security of the system. The OLE Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server. Regardless of its benefits it can also be used for exploits, and is known as a popular mechanism to plant files on the target machines. It is advised to use PowerShell as a replacement for this tool. This rule checks that 'OLE Automation Procedures' feature is disabled. | SQL Managed Instance |
| VA2122 | 'User Options' feature should be disabled | Medium | SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default might not be necessary and enabling them could adversely affect the security of the system. The user options specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options allows you to change the default values of the SET options (if the server's default settings are not appropriate). This rule checks that 'user options' feature is disabled. | SQL Managed Instance |
| VA2126 | Extensibility-features that might affect security should be disabled if not needed | Medium | SQL Server provides a wide range of features and services. Some of the features and services, provided by default, might not be necessary, and enabling them could adversely affect the security of the system. This rule checks that configurations that allow extraction of data to an external data source and the execution of scripts with certain remote language extensions are disabled. |
Removed rules
| Rule ID | Rule Title |
|---|---|
| VA1021 | Global temporary stored procedures should be removed |
| VA1024 | C2 Audit Mode should be enabled |
| VA1069 | Permissions to select from system tables and views should be revoked from non-sysadmins |
| VA1090 | Ensure all Government Off The Shelf (GOTS) and Custom Stored Procedures are encrypted |
| VA1103 | Use only CLR with SAFE_ACCESS permission |
| VA1229 | Filestream setting in registry and in SQL Server configuration should match |
| VA1231 | Filestream should be disabled (SQL) |
| VA1234 | Common Criteria setting should be enabled |
| VA1252 | List of events being audited and centrally managed via server audit specifications. |
| VA1253 | List of DB-scoped events being audited and centrally managed via server audit specifications |
| VA1263 | List all the active audits in the system |
| VA1266 | The 'MUST_CHANGE' option should be set on all SQL logins |
| VA1276 | Agent XPs feature should be disabled |
| VA1286 | Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN) |
| VA2000 | Minimal set of principals should be granted high impact database-scoped permissions |
| VA2001 | Minimal set of principals should be granted high impact database-scoped permissions on objects or columns |
| VA2002 | Minimal set of principals should be granted high impact database-scoped permissions on various securables |
| VA2010 | Minimal set of principals should be granted medium impact database-scoped permissions |
| VA2021 | Minimal set of principals should be granted database-scoped ALTER permissions on objects or columns |
| VA2022 | Minimal set of principals should be granted database-scoped ALTER permission on various securables |
| VA2030 | Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions |
| VA2031 | Minimal set of principals should be granted database-scoped SELECT |
| VA2032 | Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions on schema |
| VA2034 | Minimal set of principals should be granted database-scoped EXECUTE permission on XML Schema Collection |
| VA2040 | Minimal set of principals should be granted low impact database-scoped permissions |
| VA2041 | Minimal set of principals should be granted low impact database-scoped permissions on objects or columns |
| VA2042 | Minimal set of principals should be granted low impact database-scoped permissions on schema |
| VA2050 | Minimal set of principals should be granted database-scoped VIEW DEFINITION permissions |
| VA2051 | Minimal set of principals should be granted database-scoped VIEW DEFINITION permissions on objects or columns |
| VA2052 | Minimal set of principals should be granted database-scoped VIEW DEFINITION permission on various securables |
| VA2100 | Minimal set of principals should be granted high impact server-scoped permissions |
| VA2101 | Minimal set of principals should be granted medium impact server-scoped permissions |
| VA2102 | Minimal set of principals should be granted low impact server-scoped permissions |
| VA2104 | Execute permissions on extended stored procedures should be revoked from PUBLIC |
| VA2105 | Login password should not be easily guessed |
| VA2112 | Permissions from PUBLIC for Data Transformation Services (DTS) should be revoked |
| VA2115 | Minimal set of principals should be members of medium impact fixed server roles |
| VA2123 | 'Remote Access' feature should be disabled |
| VA2127 | 'External Scripts' feature should be disabled |
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for