Network misconfigurations

SQL database server allows ingress from any IP

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

{AzureSqlDbServer}, a SQL Database Server, allows ingress from any IP (0.0.0.0/0). Azure SQL Server includes a server-level firewall that defines which connections are authorized and which are not. By default, a SQL Server has a firewall rule with a StartIp of 0.0.0.0 and an EndIp of 0.0.0.0, which allows access from all Azure services. Additionally, a custom rule with a StartIp of 0.0.0.0 and an EndIp of 255.255.255.255 allows access from any IP on the internet. To reduce the attack surface of a SQL Server, firewall rules should be defined with more restrictive IP ranges, limited to the addresses that actually need to reach that specific SQL Server.
  • Recommended Mitigation

    For each SQL server, open Firewall/Virtual Networks and set 'Allow access to Azure services' to 'OFF'. Ensure that no firewall rule exists with a Start IP of 0.0.0.0 and an End IP of 255.255.255.255. Set firewall rules to limit access to only authorized connections. By default, 'Allow access to Azure services' is set to ON, which allows access from all Windows Azure IP ranges.
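To check the same two conditions outside the portal, the rule list returned by `az sql server firewall-rule list --resource-group <rg> --server <server>` can be audited offline. The following is an added example, not code from this page or from Azure; the JSON sample is constructed, and the "overly broad range" threshold of 65,536 addresses is an assumption that goes beyond the page's two exact checks.

```python
import ipaddress
import json

# Constructed sample in the shape of `az sql server firewall-rule list` output
# (rule names and addresses are made up for this example).
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "open-to-world", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}
]
"""

ZERO_IP = ipaddress.ip_address("0.0.0.0")
BROADCAST_IP = ipaddress.ip_address("255.255.255.255")
# Assumed threshold: any single rule spanning more than a /16 is treated as too broad.
MAX_RANGE_SIZE = 65536


def classify_rule(rule):
    """Return a finding label for one firewall rule, or None if it looks scoped."""
    start = ipaddress.ip_address(rule["startIpAddress"])
    end = ipaddress.ip_address(rule["endIpAddress"])
    if start == ZERO_IP and end == ZERO_IP:
        # The 0.0.0.0-0.0.0.0 rule is what the "Allow access to Azure services" toggle creates.
        return "allows-all-azure-services"
    if start == ZERO_IP and end == BROADCAST_IP:
        # The full IPv4 range: reachable from any IP on the internet.
        return "allows-any-internet-ip"
    if end < start:
        # Azure rejects inverted ranges; report rather than silently skip.
        return "invalid-range"
    if int(end) - int(start) + 1 > MAX_RANGE_SIZE:
        return "overly-broad-range"
    return None


def audit_firewall_rules(rules_json):
    """Map each over-permissive rule name to its finding label."""
    findings = {}
    for rule in json.loads(rules_json):
        label = classify_rule(rule)
        if label is not None:
            findings[rule["name"]] = label
    return findings


if __name__ == "__main__":
    for name, label in audit_firewall_rules(SAMPLE_RULES_JSON).items():
        print(f"{name}: {label}")
```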