More Info:

Ensure that all your Microsoft Azure network security groups (NSGs) restrict inbound/ingress access on TCP port 1433 to trusted IP addresses only, in order to implement the principle of least privilege and significantly reduce the attack surface. TCP port 1433 is the default listening port of Microsoft SQL Server (and of the Azure SQL Database gateway), the relational database management system developed by Microsoft. An NSG rule that allows inbound TCP 1433 from any source (`*`, `Internet` or `0.0.0.0/0`) exposes the database listener to the whole Internet.

Risk Level

High

Address

Security

Compliance Standards

SOC2, GDPR, HIPAA, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

To remediate the unrestricted MSSQL Server Access misconfiguration in AZURE, follow the steps below. They configure the server-level firewall of an Azure SQL logical server; where SQL Server runs on a virtual machine, apply the same restriction to the NSG inbound rule for TCP 1433 by setting its source to the trusted addresses instead of `*`, `Internet` or `0.0.0.0/0`.

  1. Open the Azure Portal and login with your credentials.

  2. Navigate to the Azure SQL Server that you want to remediate.

  3. Click on “Networking” (labelled “Firewalls and virtual networks” in older versions of the portal) under the “Security” section in the left-hand menu.

  4. Ensure that the “Allow Azure services and resources to access this server” option is turned off. It permits connections from any public IP address owned by Azure, including resources in other customers' subscriptions, so it is not a trusted-source restriction.

  5. Under the “Firewall rules” section, click on “Add client IP” to add the public IP address you are currently browsing from, or add a rule with a name and a start/end IP address for another trusted client.

  6. Keep each range as narrow as possible: a single host has identical start and end addresses, and a rule spanning 0.0.0.0 to 255.255.255.255 is equivalent to having no firewall at all.

  7. Click on “Save” to apply the changes.

  8. Repeat steps 5-7 for all the clients that require access to the SQL server, and delete any existing rule whose range is wider than those clients.

  9. Leave the “Allow Azure services and resources to access this server” option turned off. If a workload hosted in Azure needs access, allow its specific outbound public IP address, or add its subnet under “Virtual networks” as a virtual network rule, instead of re-enabling the blanket option.

With these steps, you have now remediated the unrestricted MSSQL Server Access misconfiguration in AZURE.
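As an added example (not part of the original page and not Microsoft tooling), the following Python script audits exported NSG rules and Azure SQL server-level firewall rules offline for the condition this check describes, and prints the Azure CLI commands that would close each finding. Input dicts use the field names emitted by `az network nsg rule list -o json` and `az sql server firewall-rule list -o json`; the resource group, NSG, server and trusted CIDR are caller-supplied placeholders, and the sample rule lists at the bottom are constructed.

```python
"""Offline audit of Azure NSG inbound rules and Azure SQL server-level firewall
rules for unrestricted access to TCP 1433, emitting the az CLI commands that
close each finding. Sample data below is constructed, not from a real tenant."""
import ipaddress

SQL_PORT = 1433
# Source prefixes an NSG accepts that mean "from anywhere".
ANY_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def port_matches(port_range: str, port: int) -> bool:
    """True when an NSG port spec ('*', '1433' or '1000-2000') covers port."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def nsg_rule_exposes(rule: dict, port: int = SQL_PORT) -> bool:
    """Inbound Allow, TCP or any protocol, covering `port`, from an any-source prefix."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if rule.get("protocol", "*") not in ("Tcp", "*"):
        return False
    # The CLI fills either the singular field or the plural list (the other is empty/null).
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or "*"]
    return any(port_matches(p, port) for p in ports) and any(
        s.lower() in ANY_SOURCES for s in sources)


def sql_firewall_rule_is_open(rule: dict, max_hosts: int = 256) -> bool:
    """Flag the 0.0.0.0-0.0.0.0 rule (the 'Allow Azure services and resources'
    toggle, which admits any Azure-hosted IP from any tenant) and any range
    wider than max_hosts addresses (an assumed threshold)."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if start == end == ipaddress.IPv4Address("0.0.0.0"):
        return True
    return int(end) - int(start) + 1 > max_hosts


def remediation_commands(rg: str, nsg: str, nsg_rules: list, server: str,
                         fw_rules: list, trusted_cidr: str) -> list:
    """Return az CLI commands: narrow each offending NSG rule's source to the
    trusted CIDR and delete each open server-level firewall rule. rg, nsg,
    server and trusted_cidr are placeholders supplied by the caller."""
    cmds = []
    for r in nsg_rules:
        if nsg_rule_exposes(r):
            cmds.append(
                f"az network nsg rule update -g {rg} --nsg-name {nsg} -n {r['name']} "
                f"--source-address-prefixes {trusted_cidr} --destination-port-ranges {SQL_PORT}")
    for r in fw_rules:
        if sql_firewall_rule_is_open(r):
            cmds.append(f"az sql server firewall-rule delete -g {rg} -s {server} -n {r['name']}")
    return cmds


# Constructed sample input (not a real tenant).
SAMPLE_NSG_RULES = [
    {"name": "allow-mssql-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "priority": 100, "destinationPortRange": "1433", "destinationPortRanges": [],
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
    {"name": "allow-mssql-office", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "priority": 110, "destinationPortRange": "1433", "destinationPortRanges": [],
     "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": []},
    {"name": "allow-db-range-internet", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "priority": 120, "destinationPortRange": None, "destinationPortRanges": ["1400-1500"],
     "sourceAddressPrefix": None, "sourceAddressPrefixes": ["Internet"]},
]
SAMPLE_FW_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for cmd in remediation_commands("rg-prod", "nsg-db", SAMPLE_NSG_RULES,
                                    "sql-prod", SAMPLE_FW_RULES, "203.0.113.0/24"):
        print(cmd)
```

Run against real exports by replacing the two sample lists with the parsed JSON from the `az` commands named above; the script only prints the remediation commands, so review them before executing, since narrowing an NSG rule or deleting the `AllowAllWindowsAzureIps` rule will cut off any Azure-hosted workload that was relying on the blanket access.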