🛡️ Azure SQL Server Public Network Access is not disabled 🟢

  • Contextual name: 🛡️ Server Public Network Access is not disabled 🟢
  • ID: /ce/ca/azure/sql-database/disable-server-public-network-access
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

  • Internal: dec-x-4f30f24e

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-4f30f24e | 1 |

Description

Disabling public network access restricts access to the service from public networks, so only private connections can reach the server.

Rationale

A secure network architecture requires carefully constructed network segmentation. Public Network Access tends to be overly permissive and introduces unintended vectors for threat activity.

Impact

Some architectural consideration may be necessary to ensure that required network connectivity is still made available. Deploying this recommendation incurs no additional cost or performance impact.

Audit

From Azure Portal
  1. Go to SQL servers.
  2. For each SQL server, under Security, click Networking.
  3. Ensure that Public network access is set to Disable.

Default Value

By default, Azure SQL Server's Public network access is set to Disable.

References

  1. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls
  2. https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#deny-public-network-access

Remediation

From Azure Portal

  1. Go to SQL servers.
  2. For each SQL server, under Security, click Networking.
  3. Set Public network access to Disable.
  4. Click Save.
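The portal steps in the Audit and Remediation sections above scale poorly across many SQL servers. The script below, added here as an example and not part of the Cloudaware policy or its rule, evaluates the JSON that `az sql server list -o json` returns, flags every server whose publicNetworkAccess is anything other than Disabled (a missing field counts as a finding), and prints the matching `az sql server update --enable-public-network false` command for each. The server names and resource groups are constructed sample data so the script runs offline; the field and flag names are the real Azure CLI ones.

```python
"""Audit Azure SQL servers for public network access and emit remediation.

Added example for this policy page; not Cloudaware's or Microsoft's code.
Input is the JSON from `az sql server list -o json`. The sample below is
constructed inline so the check can be run without an Azure subscription.
"""
import json

# Constructed sample shaped like `az sql server list -o json` output.
# Assumption: only the fields this check needs are shown; real output has more.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "sql-prod-01", "resourceGroup": "rg-prod",
     "publicNetworkAccess": "Enabled"},
    {"name": "sql-prod-02", "resourceGroup": "rg-prod",
     "publicNetworkAccess": "Disabled"},
    # Field absent entirely: treat as non-compliant rather than silently passing.
    {"name": "sql-legacy", "resourceGroup": "rg-legacy"},
])


def noncompliant_servers(az_json: str) -> list:
    """Return servers whose public network access is not set to Disabled.

    Anything other than the literal "Disabled" (Enabled, a future value, or a
    missing field) is reported, so the check fails closed.
    """
    findings = []
    for server in json.loads(az_json):
        setting = server.get("publicNetworkAccess")
        if str(setting).lower() != "disabled":
            findings.append({
                "name": server["name"],
                "resourceGroup": server["resourceGroup"],
                "publicNetworkAccess": setting,  # None when the field is absent
            })
    return findings


def remediation_commands(findings: list) -> list:
    """Build the Azure CLI command that disables public access per finding.

    `--enable-public-network false` is the real `az sql server update` flag;
    with it set, only connections via private endpoints reach the server,
    which is the architectural consideration the Impact section describes.
    """
    return [
        f"az sql server update --name {f['name']} "
        f"--resource-group {f['resourceGroup']} --enable-public-network false"
        for f in findings
    ]


if __name__ == "__main__":
    # In practice: az_json = subprocess.check_output(["az", "sql", "server", "list", "-o", "json"])
    hits = noncompliant_servers(SAMPLE_AZ_OUTPUT)
    for finding in hits:
        print(f"NON-COMPLIANT {finding['resourceGroup']}/{finding['name']}: "
              f"publicNetworkAccess={finding['publicNetworkAccess']}")
    for cmd in remediation_commands(hits):
        print(cmd)
```

Review the remediation commands before running them: once public access is disabled, clients without a private endpoint (or a VNet route to one) lose connectivity, which is why the check only prints the commands rather than executing them.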

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 36d access management controls — only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance); 1414 no data
💼 APRA CPG 234 → 💼 36e hardware and software asset controls — appropriate authorisation to prevent security compromises from unauthorised hardware and software assets; 1616 no data
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises; 2930 no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions. 3537 no data
💼 APRA CPG 234 → 💼 52d appropriate segmentation of data, based on sensitivity and access needs; 1010 no data
💼 APRA CPG 234 → 💼 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data. 1010 no data
💼 CIS Azure v3.0.0 → 💼 5.1.7 Ensure Public Network Access is Disabled (Manual) 1 no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access 101 no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 1148 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 48 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows 3748 no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet 3638 no data