Enable Microsoft Defender for Cloud for SQL Server Virtual Machines

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SecurityCenter-035

Ensure that Microsoft Defender for Cloud is enabled for the Microsoft SQL servers running on virtual machines (VMs). Defender for Cloud for SQL servers on virtual machines provides functionalities for discovering and mitigating potential database vulnerabilities, and detecting abnormal activities that could indicate a threat to your Microsoft SQL database servers. Defender for Cloud extends the protections for your SQL VM servers to fully support hybrid environments and protect SQL servers hosted within Microsoft Azure cloud, other cloud environments, and even on-premises machines.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

By default, Microsoft Defender for Cloud is disabled for the Microsoft SQL servers running on virtual machines. Defender for Cloud for SQL Server virtual machines continuously monitors your SQL database servers for threats such as SQL injection, brute-force attacks, and privilege abuse. The security service provides security alerts together with details of the suspicious activity and guidance on how to mitigate the security threats.


Audit

To determine if the Microsoft Defender for Cloud security service is enabled for the SQL servers running on virtual machines, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected subscription.

06 On the Defender plans page, check the Defender for Cloud pricing plan status available for the SQL servers on machines resource type, listed in the Plan column. If the pricing plan status for SQL servers on machines is set to Off, Microsoft Defender for Cloud is not enabled for the SQL servers provisioned on virtual machines, in the selected Azure subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters to describe the name of the Defender for Cloud pricing plan configured for the Microsoft SQL servers running on virtual machines, provisioned within the current subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --output tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2018-06-01"' | jq '.value[] | select(.name=="SqlServerVirtualMachines") | .properties.pricingTier'

02 The command output should return the name of the configured pricing tier:

"Free"

If the account get-access-token command output does not return "Standard" for the name of the pricing tier, Microsoft Defender for Cloud is not enabled for the SQL servers provisioned on virtual machines, within the current Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your cloud account.
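
The per-subscription audit above as a single loop (an added example, not part of the original Conformity page). It queries the same pricings endpoint through az rest, so the bearer token is not passed as a process argument the way it is in the xargs/curl pipeline; the function names and the PASS/FAIL/ERROR output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the SqlServerVirtualMachines Defender plan per subscription.
# Function names and the report format are hypothetical, chosen for this example.

PLAN="SqlServerVirtualMachines"
API_VERSION="2018-06-01"   # same API version as the commands on this page

# Print the pricing tier of $PLAN for one subscription ID ($1).
# Prints "Unknown" when the lookup fails (no access, expired login, etc.).
get_tier() {
  url="https://management.azure.com/subscriptions/$1/providers/Microsoft.Security/pricings/$PLAN?api-version=$API_VERSION"
  # </dev/null keeps az from consuming the subscription list on stdin.
  tier=$(az rest --method get --url "$url" \
           --query properties.pricingTier --output tsv 2>/dev/null </dev/null) || tier=""
  printf '%s\n' "${tier:-Unknown}"
}

# Read subscription IDs on stdin, print "<id> <tier> <verdict>" for each.
# Returns 1 if any subscription is not on the Standard tier or could not be read.
audit_subscriptions() {
  rc=0
  while IFS= read -r sub; do
    [ -n "$sub" ] || continue
    t=$(get_tier "$sub")
    case "$t" in
      Standard) verdict=PASS ;;
      Unknown)  verdict=ERROR; rc=1 ;;   # treat lookup failures as findings
      *)        verdict=FAIL;  rc=1 ;;   # "Free" means the plan is off
    esac
    printf '%s %s %s\n' "$sub" "$t" "$verdict"
  done
  return "$rc"
}

# Audit every subscription visible to the signed-in identity.
audit_all() {
  az account list --query "[].id" --output tsv | audit_subscriptions
}

# Run with:  sh audit-defender-sql-vm.sh --run
if [ "${1:-}" = "--run" ]; then
  audit_all
fi
```

The non-zero exit status on any FAIL or ERROR line lets the script gate a scheduled job or pipeline stage.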

Remediation / Resolution

To enable Microsoft Defender for Cloud for SQL servers running on virtual machines (VMs), perform the following actions:

Note: Turning on Defender for Cloud for the specified resource type (i.e. SQL servers) incurs an additional cost per resource.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected subscription.

06 On the Defender plans configuration page, under Microsoft Defender for, choose On for the SQL servers on machines pricing plan listed in the Plan column, to enable Microsoft Defender for Cloud for SQL servers provisioned on virtual machines. Choose Save from the top menu to apply the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Define the configuration parameters for the account get-access-token command, where the "pricingTier" parameter value is set to "Standard" to turn on the Defender for Cloud pricing plan for SQL servers on virtual machines. Save the configuration document to a JSON file named enable-defender-for-sql-vm-servers.json and replace the highlighted details, i.e. <azure-subscription-id>, with your own Azure account subscription ID:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/pricings/SqlServerVirtualMachines",
  "name": "SqlServerVirtualMachines",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard"
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-defender-for-sql-vm-servers.json file), to enable Microsoft Defender for Cloud for all the SQL servers running on virtual machines, in the selected subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --output tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/SqlServerVirtualMachines?api-version=2018-06-01" -d@"enable-defender-for-sql-vm-servers.json"'

03 The command output should return the information available for the enabled pricing tier:

{
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Security/pricings/SqlServerVirtualMachines",
  "name": "SqlServerVirtualMachines",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard",
    "freeTrialRemainingTime": "PT0S"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your cloud account.

Publication date Feb 19, 2022