
Working through an SQL Vulnerability assessment and one of the warnings is "VA2065 - Server-level firewall rules should be tracked and maintained at a strict minimum".

There then is a list of firewall rules in red, with IP addresses next to them (usually just one number but sometimes a range).

I am trying to understand these rules and this assessment. I think these are the IP addresses that we allow to access the server. For example, when I access a db on the server in question from SSMS I will occasionally get an error that to proceed I have to add the IP to the firewall rule. So I say yes. I see some rules with names like "ClientIPAddress_2019-05-21_01:24:15" that are probably the result of this.

I also see some weird rules like "AllowAllWindowsAzureIps" with an IP range of 0.0.0.0 to 0.0.0.0. What is that all about? My guess is that allows any Azure process to access the server, but I do not know.

Assuming my analysis is correct, and that all of the rules are OK, what remediation is necessary? Set the current rules as a baseline and send out an alert when a new rule is created? Or disallow any automatic rule creation?

Any guidance would be most appreciated.


Bryan Schmiedeler
  • AllowAllWindowsAzureIps is the setting in the Azure SQL logical server firewall "Allow Azure services to access the server" (or something along those lines). It allows any services in Azure to contact the server. – juunas Jan 22 '20 at 18:23

2 Answers


I'm not saying this is the correct answer but since it's been over 2 years and nobody has answered, I'll give it a shot.

This is how we handled/fixed this. You either add the rule to the baseline(saying it's supposed to be here) or you delete the rule(saying it's not supposed to be here). Think of this scan as a reminder that these rules exist and to clean them out when they aren't needed. All your ClientIp rules. The baseline is what is expected.

If you think of it like a party that has a list of attendees it might help. Your party has 2 guests on the list: Martha (your mom) and Jeff (your mom's special friend). If you go into your party and see 3 people there, you know something isn't right, except it is right, because you forgot that you told Samantha (your hot cousin) she could come. So you add her to the list. Now everything is ok to your party advisor because 3 names are on the list and 3 people are in the party.

But then you come back later and now there are 4 people at the party. Chad (Samantha's boyfriend) showed up! Your party administrator knows Chad's gotta go because he's not on the list. He got in to the party because Samantha let him in. But it's not Samantha's party and she shouldn't have done that.

Good thing we have this list that tells us who's actually supposed to be at the party or we wouldn't be able to spend alone time with Samantha.

Kevin

So, you can baseline these rules from the UI:

[![BaseLine 2065][1]][1]

If you want to integrate it as part of a CI/CD pipeline, then the following PowerShell will help.

```powershell
# $SqlServerResourceGroupName and $SqlServerShortName are set earlier in the pipeline.
# -BaselineResult expects String[][]: one inner array per firewall rule (name, start IP, end IP).
# The leading comma keeps a single rule from being flattened into three one-column rows.
$UserRolesBaseline_VA2065 = @(,@("my_rule_name","0.0.0.0","0.0.0.0"))

Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline -RuleId "VA2065" `
    -ResourceGroupName $SqlServerResourceGroupName -ServerName $SqlServerShortName -DatabaseName "master" `
    -BaselineResult $UserRolesBaseline_VA2065
```

Note the master DB name

I think there are also terraform modules that will do this for you as well.

> I also see some weird rules like "AllowAllWindowsAzureIps" with an IP range of 0.0.0.0 to 0.0.0.0. What is that all about? My guess is that allows any Azure process to access the server, but I do not know.

This covers the following setting in Azure SQL Server (under the 'Networking' menu for the SQL Server resource).

[![AllowAllWindowsAzureIps][2]][2]

This is about allowing internal Microsoft services access, e.g. the SQL Data Sync agent.

  [1]: https://i.stack.imgur.com/5TAKQ.png
  [2]: https://i.stack.imgur.com/gyNQl.png

James Wiseman
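Putting both answers together, here is an added example (my own, not code from either answer or from Microsoft) of the "approved list plus baseline" approach run as one PowerShell script in a pipeline: it pulls the live server-level rules with Get-AzSqlServerFirewallRule, reports any rule that is not on an approved list, optionally deletes those with Remove-AzSqlServerFirewallRule, and then records the approved list as the VA2065 baseline on master with Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline. The resource group, server name and the approved rules are placeholders; it assumes the Az.Sql module is installed and Connect-AzAccount has already been run, and it follows the answer above in treating a VA2065 baseline row as (rule name, start IP, end IP). AllowAllWindowsAzureIps is on the approved list only to show the shape; as juunas's comment notes, it lets any Azure service reach the server, so decide deliberately whether it belongs there.

```powershell
# Added example, not from the original answers. Reconciles Azure SQL server-level
# firewall rules against an approved list and records that list as the VA2065 baseline.
# Assumes: Az.Sql module installed, Connect-AzAccount already run, and that the
# caller's identity may read/remove firewall rules and write VA baselines.
param(
    [string]$ResourceGroupName = 'my-rg',          # placeholder
    [string]$ServerName        = 'my-sql-server',  # logical server short name (no .database.windows.net)
    [switch]$Remove                                # delete unapproved rules instead of only reporting them
)

# The approved list (placeholder values). Anything on the server that is not here is drift.
# 'AllowAllWindowsAzureIps' (0.0.0.0-0.0.0.0) is the "Allow Azure services" switch;
# keep it here only if you have decided that any Azure-hosted resource may connect.
$Approved = @(
    @{ Name = 'office-egress';           Start = '203.0.113.10'; End = '203.0.113.10' },
    @{ Name = 'AllowAllWindowsAzureIps'; Start = '0.0.0.0';      End = '0.0.0.0' }
)

# Compare rules as "name|start|end" keys so a renamed or widened rule also shows up as drift.
$approvedKeys = [System.Collections.Generic.HashSet[string]]::new()
foreach ($a in $Approved) { [void]$approvedKeys.Add(($a.Name, $a.Start, $a.End) -join '|') }

$current    = @(Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName)
$unapproved = @($current | Where-Object {
    -not $approvedKeys.Contains(($_.FirewallRuleName, $_.StartIpAddress, $_.EndIpAddress) -join '|')
})

if ($unapproved.Count -eq 0) {
    Write-Host "All $($current.Count) server-level firewall rules are on the approved list."
}
else {
    Write-Warning "$($unapproved.Count) server-level firewall rule(s) are not on the approved list:"
    $unapproved | Format-Table FirewallRuleName, StartIpAddress, EndIpAddress -AutoSize | Out-String | Write-Host
    if ($Remove) {
        foreach ($rule in $unapproved) {
            Write-Host "Removing $($rule.FirewallRuleName)"
            Remove-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
                -FirewallRuleName $rule.FirewallRuleName
        }
    }
}

# Record the approved list as the VA2065 baseline on master. -BaselineResult is String[][]:
# build it row by row with the unary comma so a one-rule list is not flattened.
$baseline = @()
foreach ($a in $Approved) { $baseline += ,([string[]]@($a.Name, $a.Start, $a.End)) }

Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline -RuleId 'VA2065' `
    -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName 'master' `
    -BaselineResult $baseline

# Fail the pipeline on drift that was reported but not removed, so someone has to either
# add the rule to $Approved (it belongs) or rerun with -Remove (it does not).
if ($unapproved.Count -gt 0 -and -not $Remove) { exit 1 }
```

Run it once with no switches to see the drift, and rerun with -Remove once the approved list is right. Because the rules that the SSMS prompt creates (the ClientIPAddress_... names in the question) are never on the approved list, every one of them is surfaced, which is the "alert when a new rule is created" behaviour the question asks about, while the VA2065 baseline keeps the next scan quiet for the rules you have chosen to keep.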