Skip to main content

πŸ“ Azure SQL Server Public Network Access is not disabled 🟒

  • Contextual name: πŸ“ Server Public Network Access is not disabled 🟒
  • ID: /ce/ca/azure/sql-database/disable-server-public-network-access
  • Located in: πŸ“ Azure SQL Database

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

  • Internal
    • dec-x-4f30f24e

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-4f30f24e1

Logic​

Description​

Open File

Description​

Disabling public network access restricts the service from accessing public networks.

Rationale​

A secure network architecture requires carefully constructed network segmentation. Public Network Access tends to be overly permissive and introduces unintended vectors for threat activity.

Impact​

Some architectural consideration may be necessary to ensure that required network connectivity is still made available. No additional cost or performance impact is required to deploy this recommendation.

Audit​

From Azure Portal​
  1. Go to SQL servers.
  2. For each SQL server, under Security, click Networking.
  3. Ensure that Public network access is set to Disable.

Default Value​

By default, Azure SQL Server's Public network access is set to Disable.

References​

  1. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls
  2. https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#deny-public-network-access

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Go to SQL servers.
  2. For each SQL server, under Security, click Networking.
  3. Set Public network access to Disable.
  4. Click Save.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36d access management controls β€”only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);1313
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36e hardware and software asset controls β€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1515
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2829
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3436
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 52d appropriate segmentation of data, based on sensitivity and access needs;1010
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data.1010
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 5.1.7 Ensure Public Network Access is Disabled (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access24
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1139
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)39
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3539
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3537