Important
Attention: All Microsoft Defender for Cloud features will be officially retired in Azure in China region on August 18, 2026 per the announcement posted by 21Vianet.
This article details the changes made to the SQL vulnerability assessment service rules. Rules that are updated, removed, or added will be outlined below. For an updated list of SQL vulnerability assessment rules, see SQL vulnerability assessment rules.
September 2023
| Rule ID | Rule Title | Change details |
|---|---|---|
| VA1018 | Latest updates should be installed | Logic change |
July 2023
| Rule ID | Rule Title | Change details |
|---|---|---|
| VA2129 | Changes to signed modules should be authorized | Logic change |
June 2022
| Rule ID | Rule Title | Change details |
|---|---|---|
| VA2129 | Changes to signed modules should be authorized | Logic change |
| VA1219 | Transparent data encryption should be enabled | Logic change |
| VA1047 | Password expiration check should be enabled for all SQL logins | Logic change |
January 2022
| Rule ID | Rule Title | Change details |
|---|---|---|
| VA1288 | Sensitive data columns should be classified | Removed rule |
| VA1054 | Minimal set of principals should be members of fixed high impact database roles | Logic change |
| VA1220 | Database communication using TDS should be protected through TLS | Logic change |
| VA2120 | Features that may affect security should be disabled | Logic change |
| VA2129 | Changes to signed modules should be authorized | Logic change |
June 2021
| Rule ID | Rule Title | Change details |
|---|---|---|
| VA1220 | Database communication using TDS should be protected through TLS | Logic change |
| VA2108 | Minimal set of principals should be members of fixed high impact database roles | Logic change |
December 2020
| Rule ID | Rule Title | Change details |
|---|---|---|
| VA1017 | Execute permissions on xp_cmdshell from all users (except dbo) should be revoked | Title and description change |
| VA1021 | Global temporary stored procedures should be removed | Removed rule |
| VA1024 | C2 Audit Mode should be enabled | Removed rule |
| VA1042 | Database ownership chaining should be disabled for all databases except for master, msdb, and tempdb | Description change |
| VA1044 | Remote Admin Connections should be disabled unless specifically required | Title and description change |
| VA1047 | Password expiration check should be enabled for all SQL logins | Title and description change |
| VA1051 | AUTO_CLOSE should be disabled on all databases | Description change |
| VA1053 | Account with default name 'sa' should be renamed or disabled | Description change |
| VA1067 | Database Mail XPs should be disabled when it is not in use | Title and description change |
| VA1068 | Server permissions shouldn't be granted directly to principals | Logic change |
| VA1069 | Permissions to select from system tables and views should be revoked from non-sysadmins | Removed rule |
| VA1090 | Ensure all Government Off The Shelf (GOTS) and Custom Stored Procedures are encrypted | Removed rule |
| VA1091 | Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins | Description change |
| VA1098 | Any Existing SSB or Mirroring endpoint should require AES connection | Logic change |
| VA1103 | Use only CLR with SAFE_ACCESS permission | Removed rule |
| VA1219 | Transparent data encryption should be enabled | Description change |
| VA1229 | Filestream setting in registry and in SQL Server configuration should match | Removed rule |
| VA1230 | Filestream should be disabled | Description change |
| VA1231 | Filestream should be disabled (SQL) | Removed rule |
| VA1234 | Common Criteria setting should be enabled | Removed rule |
| VA1235 | Replication XPs should be disabled | Title, description, and logic change |
| VA1252 | List of events being audited and centrally managed via server audit specifications. | Removed rule |
| VA1253 | List of DB-scoped events being audited and centrally managed via server audit specifications. | Removed rule |
| VA1263 | List all the active audits in the system | Removed rule |
| VA1264 | Auditing of both successful and failed login attempts should be enabled | Description change |
| VA1266 | The 'MUST_CHANGE' option should be set on all SQL logins | Removed rule |
| VA1276 | Agent XPs feature should be disabled | Removed rule |
| VA1281 | All memberships for user-defined roles should be intended | Logic change |
| VA1282 | Orphan roles should be removed | Logic change |
| VA1286 | Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN) | Removed rule |
| VA1288 | Sensitive data columns should be classified | Description change |
| VA2030 | Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions | Removed rule |
| VA2033 | Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns | Description change |
| VA2062 | Database-level firewall rules should not grant excessive access | Description change |
| VA2063 | Server-level firewall rules should not grant excessive access | Description change |
| VA2100 | Minimal set of principals should be granted high impact server-scoped permissions | Removed rule |
| VA2101 | Minimal set of principals should be granted medium impact server-scoped permissions | Removed rule |
| VA2102 | Minimal set of principals should be granted low impact server-scoped permissions | Removed rule |
| VA2103 | Unnecessary execute permissions on extended stored procedures should be revoked | Logic change |
| VA2104 | Execute permissions on extended stored procedures should be revoked from PUBLIC | Removed rule |
| VA2105 | Login password should not be easily guessed | Removed rule |
| VA2108 | Minimal set of principals should be members of fixed high impact database roles | Logic change |
| VA2111 | Sample databases should be removed | Logic change |
| VA2112 | Permissions from PUBLIC for Data Transformation Services (DTS) should be revoked | Removed rule |
| VA2113 | Data Transformation Services (DTS) permissions should only be granted to SSIS roles | Description and logic change |
| VA2114 | Minimal set of principals should be members of high impact fixed server roles | Logic change |
| VA2115 | Minimal set of principals should be members of medium impact fixed server roles | Removed rule |
| VA2120 | Features that may affect security should be disabled | Logic change |
| VA2121 | 'OLE Automation Procedures' feature should be disabled | Title and description change |
| VA2123 | 'Remote Access' feature should be disabled | Removed rule |
| VA2126 | Features that may affect security should be disabled | Title, description, and logic change |
| VA2127 | 'External Scripts' feature should be disabled | Removed rule |
| VA2129 | Changes to signed modules should be authorized | Platform update |
| VA2130 | Track all users with access to the database | Description and logic change |