Vulnerability Assessments Are Not Enabled On SQL Server

Overview

Enabling Microsoft Defender for SQL on a server does not enable the Vulnerability Assessment capability for individual SQL databases unless a storage account is set to store the scanning data and reports.

The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.

Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.
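The check described above, as an added example that is not part of the original rule: it evaluates the JSON returned by the server vulnerability assessments list-by-server REST call (linked under References) and flags servers with no usable storage target. The field names `value`, `properties` and `storageContainerPath` are assumed from that API's response schema, and the resource ids and storage names are constructed samples.

```python
from urllib.parse import urlparse

# Constructed sample responses keyed by server resource id (not real resources).
RG = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
      "rg-example/providers/Microsoft.Sql/servers/")
SAMPLES = {
    RG + "sql-configured": {"value": [{"name": "default", "properties": {
        "storageContainerPath":
            "https://examplestorage.blob.core.windows.net/vulnerability-assessment/",
        "recurringScans": {"isEnabled": True}}}]},
    # Defender for SQL is on, but no storage account was ever set.
    RG + "sql-defender-only": {"value": [{"name": "default",
                                          "properties": {"storageContainerPath": ""}}]},
    RG + "sql-no-settings": {"value": []},
}

def storage_target(path):
    """Return (storage_account, container) for a usable path, else None."""
    if not isinstance(path, str) or not path.strip():
        return None
    url = urlparse(path.strip())
    container = url.path.strip("/")
    # Assumption: only an https blob URL that names a container counts as set.
    if url.scheme != "https" or not url.hostname or not container:
        return None
    return url.hostname.split(".")[0], container

def server_name(resource_id):
    """Extract the server name from an ARM resource id."""
    parts = resource_id.strip("/").split("/")
    for i, seg in enumerate(parts[:-1]):
        if seg.lower() == "servers":
            return parts[i + 1]
    return resource_id

def evaluate(resource_id, response):
    """Build one finding from a server's list-by-server response."""
    for item in (response or {}).get("value") or []:
        props = item.get("properties") or {}
        target = storage_target(props.get("storageContainerPath"))
        if target:
            return {"server": server_name(resource_id), "compliant": True,
                    "storage_account": target[0], "container": target[1]}
    return {"server": server_name(resource_id), "compliant": False,
            "storage_account": None, "container": None}

def failing(samples):
    """Names of servers where Vulnerability Assessment has no storage target."""
    findings = (evaluate(rid, resp) for rid, resp in samples.items())
    return sorted(f["server"] for f in findings if not f["compliant"])

if __name__ == "__main__":
    print(failing(SAMPLES))
```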

Vendor

Azure

Cloud Service

MsSqlDatabase

CIS Azure v2.0.0 4.2.2

References

https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment
https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver
https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments

Severity

3

Item Types

Microsoft.Sql.servers