SQL vulnerability assessment helps you identify database vulnerabilities

Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics

SQL vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security.

Vulnerability assessment is part of the Azure Defender for SQL offering, which is a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed via the central Azure Defender for SQL portal.

Note

Vulnerability assessment is supported for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. Databases in Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics are referred to collectively in the remainder of this article as databases, and the server refers to the server that hosts databases for Azure SQL Database and Azure Synapse.

What is SQL vulnerability assessment?

SQL vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. It can help you monitor a dynamic database environment where changes are difficult to track, and improve your SQL security posture.

Vulnerability assessment is a scanning service built into Azure SQL Database. The service employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.

The rules are based on Azure's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.

Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. You can customize an assessment report for your environment by setting an acceptable baseline for:

  • Permission configurations
  • Feature configurations
  • Database settings

Configure vulnerability assessment

Take the following steps to configure vulnerability assessment:

  1. In the Azure portal, open the specific resource in Azure SQL Database, SQL Managed Instance Database, or Azure Synapse.

  2. Under the Security heading, select Security Center.

  3. Select Vulnerability Assessment to open the Azure Defender for SQL settings pane for either the entire server or managed instance.

    Note

    SQL vulnerability assessment requires the Azure Defender for SQL plan to be able to run scans. For more information about how to enable Azure Defender for SQL, see Azure Defender for SQL.

  4. In the Server settings page, define the Azure Defender for SQL settings:

    (Screenshot: Configure SQL vulnerability assessment scans)

    1. Configure a storage account where the scan results for all databases on the server or managed instance will be stored. For information about storage accounts, see About Azure storage accounts.

      Tip

      For more information about storing vulnerability assessment scans behind firewalls and VNets, see Store vulnerability assessment scan results in a storage account accessible behind firewalls and VNets.

    2. To configure vulnerability assessment to run weekly scans automatically and detect security misconfigurations, set Periodic recurring scans to On. The results are sent to the email addresses you provide in Send scan reports to. You can also send email notifications to admins and subscription owners by enabling Also send email notification to admins and subscription owners.

  5. SQL vulnerability assessment scans can also be run on demand:

    1. Select Scan from the toolbar:

      (Screenshot: Select Scan to run an on-demand vulnerability assessment scan on a SQL resource)

Note

The scan is lightweight and safe. It takes a few seconds to run and is entirely read-only. It doesn't make any changes to your database.

Remediate vulnerabilities

When a vulnerability scan completes, the report is displayed in the Azure portal. The report presents:

  • An overview of your security state
  • The number of issues that were found
  • A summary of the risks by severity
  • A list of the findings for further investigation

(Screenshot: Sample scan report in the SQL vulnerability assessment scanner)

To remediate the vulnerabilities discovered:

  1. Review your results and determine which of the report's findings are true security issues for your environment.

  2. Select each failed result to understand its impact and why the security check failed.

    Tip

    The findings details page includes actionable remediation information explaining how to resolve the issue.

    (Screenshot: Examine the findings of a vulnerability scan)

  3. As you review your assessment results, you can mark specific results as an acceptable baseline in your environment. A baseline is essentially a customization of how the results are reported. In subsequent scans, results that match the baseline are considered passes. After you've established your baseline security state, vulnerability assessment only reports on deviations from the baseline. In this way, you can focus your attention on the relevant issues.

    (Screenshot: Approve a finding as a baseline for future scans)

  4. If you change the baselines, use the Scan button to run an on-demand scan and view the customized report. Any findings you've added to the baseline will now appear in Passed, with an indication that they passed because of the baseline changes.

    (Screenshot: Passed assessments indicating that they passed because of a custom baseline)

Your vulnerability assessment scans can now be used to ensure that your database maintains a high level of security and that your organizational policies are met.

Advanced capabilities

Export an assessment report

Select Export Scan Results to create a downloadable Excel report of your scan results. This report contains a Summary tab that displays a summary of the assessment, including all failed checks. It also includes a Results tab that contains the full set of results from the scan: all checks that were run and the result details for each.

View scan history

Select Scan History in the vulnerability assessment pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.

Manage vulnerability assessments programmatically

Using Azure PowerShell

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Important

The PowerShell Azure Resource Manager module is still supported, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRM module are substantially identical.

You can use Azure PowerShell cmdlets to programmatically manage your vulnerability assessments. The supported cmdlets are:

Cmdlet name (link) and description:

  • Clear-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Clears the vulnerability assessment rule baseline. First, set the baseline before you use this cmdlet to clear it.
  • Clear-AzSqlDatabaseVulnerabilityAssessmentSetting: Clears the vulnerability assessment settings of a database.
  • Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Clears the vulnerability assessment rule baseline of a managed database. First, set the baseline before you use this cmdlet to clear it.
  • Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Clears the vulnerability assessment settings of a managed database.
  • Clear-AzSqlInstanceVulnerabilityAssessmentSetting: Clears the vulnerability assessment settings of a managed instance.
  • Convert-AzSqlDatabaseVulnerabilityAssessmentScan: Converts vulnerability assessment scan results of a database to an Excel file.
  • Convert-AzSqlInstanceDatabaseVulnerabilityAssessmentScan: Converts vulnerability assessment scan results of a managed database to an Excel file.
  • Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Gets the vulnerability assessment rule baseline of a database for a given rule.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Gets the vulnerability assessment rule baseline of a managed database for a given rule.
  • Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord: Gets all vulnerability assessment scan records associated with a given database.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentScanRecord: Gets all vulnerability assessment scan records associated with a given managed database.
  • Get-AzSqlDatabaseVulnerabilityAssessmentSetting: Returns the vulnerability assessment settings of a database.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Returns the vulnerability assessment settings of a managed database.
  • Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Sets the vulnerability assessment rule baseline.
  • Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Sets the vulnerability assessment rule baseline for a managed database.
  • Start-AzSqlDatabaseVulnerabilityAssessmentScan: Triggers the start of a vulnerability assessment scan on a database.
  • Start-AzSqlInstanceDatabaseVulnerabilityAssessmentScan: Triggers the start of a vulnerability assessment scan on a managed database.
  • Update-AzSqlDatabaseVulnerabilityAssessmentSetting: Updates the vulnerability assessment settings of a database.
  • Update-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Updates the vulnerability assessment settings of a managed database.
  • Update-AzSqlInstanceVulnerabilityAssessmentSetting: Updates the vulnerability assessment settings of a managed instance.

For a script example, see Azure SQL vulnerability assessment PowerShell support.
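As an added example (not from the original article or the Az.Sql project), the following script uses the cmdlets listed above to carry out the same workflow as the portal steps in Configure vulnerability assessment and Remediate vulnerabilities: it enables weekly scans with notifications, runs an on-demand scan, baselines one VA2065 firewall finding, re-scans and exports the report. The resource group, server, database, storage account and e-mail address are placeholders, and the parameter names are assumed to match the Az.Sql reference.

```powershell
# Added example, not the article's own script. All resource names are placeholders.
$rg      = "my-resource-group"      # placeholder resource group
$server  = "my-sql-server"          # placeholder logical server name
$db      = "my-database"            # placeholder user database
$storage = "myvastorageaccount"     # placeholder storage account for scan results

# 1. Enable periodic weekly scans and e-mail notifications (portal step 4).
#    Parameter names assumed from the Az.Sql reference.
Update-AzSqlDatabaseVulnerabilityAssessmentSetting `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -StorageAccountName $storage `
    -ScanResultsContainerName "vulnerability-assessment" `
    -RecurringScansInterval Weekly `
    -EmailAdmins $true `
    -NotificationEmail @("secops@example.com")   # placeholder address

# 2. Trigger an on-demand, read-only scan (portal step 5) with a unique scan id.
$scanId = "va-scan-" + (Get-Date -Format "yyyyMMdd-HHmmss")
Start-AzSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $scanId

# 3. Review the scan record before deciding what is a true finding.
Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $scanId

# 4. Approve an expected firewall rule as the baseline for VA2065 on master.
#    -BaselineResult takes an array of rows; each row lists the result columns.
Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -RuleId "VA2065" -RuleAppliesToMaster `
    -BaselineResult @(, @("FirewallRuleName4", "62.92.15.68", "62.92.15.68"))

# 5. Re-scan so the baselined finding shows as Passed, then export to Excel.
$scanId2 = $scanId + "-baselined"
Start-AzSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $scanId2
Convert-AzSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $scanId2
```

Step 4 should only be run for findings you have reviewed and accepted as expected for your environment; everything else stays visible as a failed check in later scans.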

Using Resource Manager templates

To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines type.

Ensure that you have enabled vulnerabilityAssessments before you add baselines.

Here's an example for defining Baseline Rule VA2065 for the master database and VA1143 for a user database as resources in a Resource Manager template:

   "resources": [
      {
         "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
         "apiVersion": "2018-06-01-preview",
         "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/master')]",
         "dependsOn": [
            "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
         ],
         "properties": {
            "baselineResults": [
               {
                  "result": [
                     "FirewallRuleName3",
                     "StartIpAddress",
                     "EndIpAddress"
                  ]
               },
               {
                  "result": [
                     "FirewallRuleName4",
                     "62.92.15.68",
                     "62.92.15.68"
                  ]
               }
            ]
         }
      },
      {
         "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
         "apiVersion": "2018-06-01-preview",
         "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA2130/Default')]",
         "dependsOn": [
            "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
         ],
         "properties": {
            "baselineResults": [
               {
                  "result": [
                     "dbo"
                  ]
               }
            ]
         }
      }
   ]

For the master database and a user database, the resource names are defined differently:

  • Master database - "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/master')]",
  • User database - "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/default')]",

To handle Boolean types as true/false, set the baseline result with binary input like "1"/"0".

   {
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
      "apiVersion": "2018-06-01-preview",
      "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA1143/Default')]",
      "dependsOn": [
         "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
      ],
      "properties": {
         "baselineResults": [
            {
               "result": [
                  "1"
               ]
            }
         ]
      }
   }

Next steps