More Info:

Ensure that your Microsoft Azure SQL database servers are accessible through private endpoints instead of public IP addresses or service endpoints, in order to eliminate the exposure from the public Internet.

Risk Level

Medium

Address

Security

Compliance Standards

GDPR, CISAZURE, CBP, HITRUST, SOC2

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of “Publicly Accessible SQL Servers” in Azure:
  1. Log in to the Azure Portal (https://portal.azure.com/).
  2. Navigate to the SQL servers page by clicking on “SQL servers” in the left-hand menu.
  3. Select the SQL server that is publicly accessible.
  4. Click on the “Firewalls and virtual networks” tab.
  5. Under “Firewall settings,” select “Selected networks.”
  6. Click on the “Add client IP” button to add the IP address of your computer to the list of allowed IPs.
  7. If you want to allow access from other IPs, you can add them by clicking on the “Add IP range” button.
  8. Click on the “Save” button to save the changes.
By following these steps, you have now remediated the misconfiguration of “Publicly Accessible SQL Servers” in Azure and restricted access to only the allowed IPs.

Sure, here are the step-by-step instructions to remediate the “Publicly Accessible SQL Servers” misconfiguration in AZURE using AZURE CLI:
  1. Open the AZURE CLI and login to your AZURE account using the following command:
az login
  1. Run the following command to list all the SQL servers in your subscription:
az sql server list
  1. Identify the SQL server(s) that are publicly accessible and note down their resource group name and server name.
  2. Run the following command to set the “public network access” property to “Disabled” for the identified SQL server(s): 
az sql server update --resource-group <resource-group-name> --name <server-name> --public-network-access Disabled
Make sure to replace <resource-group-name> and <server-name> with the actual names of the resource group and server that you identified in step 3.
  1. Verify that the “public network access” property has been set to “Disabled” for the SQL server(s) by running the following command:
az sql server show --resource-group <resource-group-name> --name <server-name> --query 'publicNetworkAccess'
This command should return “Disabled” for the identified SQL server(s).That’s it! You have successfully remediated the “Publicly Accessible SQL Servers” misconfiguration in AZURE using AZURE CLI.
To remediate publicly accessible SQL servers in Azure using Python, you can follow these steps:
  1. First, you need to import the necessary libraries:
from azure.identity import DefaultAzureCredential
from azure.mgmt.sql import SqlManagementClient
  1. Next, you need to authenticate with Azure using the DefaultAzureCredential class.
credential = DefaultAzureCredential()
  1. Then, you need to create an instance of the SqlManagementClient class.
subscription_id = 'your-subscription-id'
sql_client = SqlManagementClient(credential, subscription_id)
  1. After that, you can use the sql_client instance to get a list of all the SQL servers in your subscription.
servers = sql_client.servers.list()
  1. For each SQL server, you can check if it is publicly accessible by getting its firewall rules.
for server in servers:
    firewall_rules = sql_client.firewall_rules.list_by_server(resource_group_name='<resource-group-name>', server_name=server.name)
    for rule in firewall_rules:
        if rule.start_ip_address == '0.0.0.0' and rule.end_ip_address == '255.255.255.255':
            print(f"Server {server.name} has a publicly accessible firewall rule.")
  1. If you find a SQL server with a publicly accessible firewall rule, you can delete the rule using the delete method of the FirewallRulesOperations class.
if rule.start_ip_address == '0.0.0.0' and rule.end_ip_address == '255.255.255.255':
    print(f"Server {server.name} has a publicly accessible firewall rule. Deleting rule {rule.name}...")
    sql_client.firewall_rules.delete(resource_group_name='<resource-group-name>', server_name=server.name, firewall_rule_name=rule.name)
  1. Finally, you can confirm that the firewall rule has been deleted by checking the list of firewall rules again.
firewall_rules = sql_client.firewall_rules.list_by_server(resource_group_name='<resource-group-name>', server_name=server.name)
for rule in firewall_rules:
    if rule.start_ip_address == '0.0.0.0' and rule.end_ip_address == '255.255.255.255':
        print(f"Server {server.name} still has a publicly accessible firewall rule.")
Note: You will need to replace <resource-group-name> with the name of the resource group containing your SQL servers.