SQL Vulnerability Assessment helps you identify database vulnerabilities

APPLIES TO: Azure SQL Database, Azure SQL Managed Instance

SQL Vulnerability Assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security.

Vulnerability Assessment is part of the Advanced Data Security offering, which is a unified package for advanced SQL security capabilities. Vulnerability Assessment can be accessed and managed via the central SQL Advanced Data Security portal.

Note

Vulnerability Assessment is supported for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics (formerly Azure SQL Data Warehouse). In the remainder of this article, databases in Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics are referred to collectively as databases, and the server refers to the server that hosts databases for Azure SQL Database and Azure Synapse.

Vulnerability Assessment

SQL Vulnerability Assessment is a service that provides visibility into your security state. Vulnerability Assessment includes actionable steps to resolve security issues and enhance your database security. It can help you:

  • Meet compliance requirements that require database scan reports.
  • Meet data privacy standards.
  • Monitor a dynamic database environment where changes are difficult to track.

Vulnerability Assessment is a scanning service built into Azure SQL Database. The service employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.

The rules are based on Azure's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.

Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. You can customize an assessment report for your environment by setting an acceptable baseline for:

  • Permission configurations
  • Feature configurations
  • Database settings

Implement Vulnerability Assessment

The following steps implement the vulnerability assessment:

1. Run a scan

  1. Go to your Azure SQL Database, SQL Managed Instance, or Azure Synapse resource in the Azure portal.

  2. Under the Security heading, select Advanced Data Security.

  3. Then click Select Storage on the Vulnerability Assessment pane to open the Vulnerability Assessment settings pane for the entire server or managed instance.

    Note

    For more information about storing Vulnerability Assessment scans behind firewalls and VNets, see Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets.

  4. Configure a storage account where the scan results for all databases on the server or managed instance will be stored. For information about storage accounts, see About Azure storage accounts. After storage is configured, select Scan to scan your database for vulnerabilities.

[Screenshot: Scan database]

Note

The scan is lightweight and safe. It takes a few seconds to run and is entirely read-only. It doesn't make any changes to your database.

2. View the report

When your scan is finished, the scan report is automatically displayed in the Azure portal. The report presents an overview of your security state. It lists how many issues were found and their respective severities. Results include warnings on deviations from best practices and a snapshot of your security-related settings, such as database principals and roles and their associated permissions. The scan report also provides a map of sensitive data discovered in your database. It includes recommendations to classify that data by using data discovery and classification.

[Screenshot: View report]

3. Analyze the results and resolve issues

Review your results and determine which findings in the report are true security issues in your environment. Drill down to each failed result to understand the impact of the finding and why each security check failed. Use the actionable remediation information provided by the report to resolve the issue.

[Screenshot: Analyze report]

4. Set your baseline

As you review your assessment results, you can mark specific results as being an acceptable baseline in your environment. The baseline is essentially a customization of how the results are reported. Results that match the baseline are considered as passing in subsequent scans. After you've established your baseline security state, Vulnerability Assessment only reports on deviations from the baseline. In this way, you can focus your attention on the relevant issues.

[Screenshot: Set baseline]

5. Run a new scan to see your customized tracking report

After you finish setting up your rule baselines, run a new scan to view the customized report. Vulnerability Assessment now reports only the security issues that deviate from your approved baseline state.

[Screenshot: View customized report]

Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. If compliance reports are required, Vulnerability Assessment reports can be helpful to facilitate the compliance process.

6. Set up periodic recurring scans

Go to the Vulnerability Assessment settings to turn on Periodic recurring scans. This setting configures Vulnerability Assessment to automatically run a scan on your database once per week. A scan result summary is sent to the email addresses you provide.

[Screenshot: View customized report]

7. Export an assessment report

Select Export Scan Results to create a downloadable Excel report of your scan result. This report contains a Summary tab that displays a summary of the assessment. The summary includes all failed checks. The report also includes a Results tab that contains the full set of results from the scan. The results include all checks that were run and the result details for each.

8. View scan history

Select Scan History in the Vulnerability Assessment pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.

Manage vulnerability assessments by using Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Important

The PowerShell Azure Resource Manager module is still supported, but all future development is for the Az.Sql module. For the older cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRM module are substantially identical.

You can use Azure PowerShell cmdlets to programmatically manage your vulnerability assessments. The supported cmdlets are:

Cmdlet name and description:

  • Clear-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Clears the Vulnerability Assessment rule baseline. First, set the baseline before you use this cmdlet to clear it.
  • Clear-AzSqlDatabaseVulnerabilityAssessmentSetting: Clears the Vulnerability Assessment settings of a database.
  • Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Clears the Vulnerability Assessment rule baseline of a managed database. First, set the baseline before you use this cmdlet to clear it.
  • Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Clears the Vulnerability Assessment settings of a managed database.
  • Clear-AzSqlInstanceVulnerabilityAssessmentSetting: Clears the Vulnerability Assessment settings of a managed instance.
  • Convert-AzSqlDatabaseVulnerabilityAssessmentScan: Converts Vulnerability Assessment scan results of a database to an Excel file.
  • Convert-AzSqlInstanceDatabaseVulnerabilityAssessmentScan: Converts Vulnerability Assessment scan results of a managed database to an Excel file.
  • Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Gets the Vulnerability Assessment rule baseline of a database for a given rule.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Gets the Vulnerability Assessment rule baseline of a managed database for a given rule.
  • Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord: Gets all Vulnerability Assessment scan records associated with a given database.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentScanRecord: Gets all Vulnerability Assessment scan records associated with a given managed database.
  • Get-AzSqlDatabaseVulnerabilityAssessmentSetting: Returns the Vulnerability Assessment settings of a database.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Returns the Vulnerability Assessment settings of a managed database.
  • Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Sets the Vulnerability Assessment rule baseline.
  • Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Sets the Vulnerability Assessment rule baseline for a managed database.
  • Start-AzSqlDatabaseVulnerabilityAssessmentScan: Triggers the start of a Vulnerability Assessment scan on a database.
  • Start-AzSqlInstanceDatabaseVulnerabilityAssessmentScan: Triggers the start of a Vulnerability Assessment scan on a managed database.
  • Update-AzSqlDatabaseVulnerabilityAssessmentSetting: Updates the Vulnerability Assessment settings of a database.
  • Update-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Updates the Vulnerability Assessment settings of a managed database.
  • Update-AzSqlInstanceVulnerabilityAssessmentSetting: Updates the Vulnerability Assessment settings of a managed instance.

For a script example, see Azure SQL Vulnerability Assessment PowerShell support.
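As an added example that is not part of the original article or Microsoft's own sample, the following Azure PowerShell script walks the eight-step procedure above using the Az.Sql cmdlets from the list: it configures the results storage account and weekly recurring scans, runs an on-demand scan, reads the scan record, approves a baseline for rule VA2065 (server firewall rules, evaluated against master), rescans so that baselined rows count as passing, exports the tracking report to Excel, and lists the scan history. The resource group, server, database, storage account, container and e-mail address are placeholders, the firewall rows passed to the baseline are constructed values, and the script assumes Connect-AzAccount has already been run with rights on the server.

```powershell
# Added example (not from the original article): the Vulnerability Assessment
# workflow driven with Az.Sql cmdlets. Assumes Connect-AzAccount has been run.
# Every name below is a placeholder for your own resources.
$rg        = "my-resource-group"          # placeholder
$server    = "my-sql-server"              # placeholder (short name, no DNS suffix)
$db        = "my-database"                # placeholder
$storage   = "myvastorage"                # placeholder: storage account for scan results
$container = "vulnerability-assessment"   # placeholder: blob container for scan results
$mail      = @("dba-team@example.com")    # placeholder notification address

# Steps 1 and 6: point VA at the storage account and turn on weekly recurring
# scans with an e-mail summary (RecurringScansInterval accepts None or Weekly).
Update-AzSqlDatabaseVulnerabilityAssessmentSetting `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -StorageAccountName $storage -ScanResultsContainerName $container `
    -RecurringScansInterval Weekly -EmailAdmins $true -NotificationEmail $mail

# Step 1: run an on-demand scan. ScanId is a caller-chosen label that later
# selects exactly this scan's record and its Excel export.
$firstScan = "va-first-" + (Get-Date -Format "yyyyMMdd-HHmmss")
Start-AzSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $firstScan

# Steps 2 and 3: read the scan record. State and NumberOfFailedSecurityChecks
# are properties of the returned record; every failed check is a finding to
# review, remediate, or (if it reflects an accepted configuration) baseline.
$record = Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $firstScan
$record | Select-Object ScanId, State, NumberOfFailedSecurityChecks

# Step 4: approve the current server firewall rules as the baseline for VA2065.
# VA2065 is evaluated against master, hence -RuleAppliesToMaster. Each inner
# array is one result row (rule name, start IP, end IP); values are constructed.
$firewallRows = @(
    @("FirewallRuleName3", "10.0.0.10", "10.0.0.10"),
    @("FirewallRuleName4", "62.92.15.68", "62.92.15.68")
)
Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -RuleId "VA2065" -RuleAppliesToMaster -BaselineResult $firewallRows

# Read the baseline back to confirm what was stored before relying on it.
Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -RuleId "VA2065" -RuleAppliesToMaster

# Step 5: rescan; rows that match the baseline are now reported as passing,
# so only deviations from the approved state remain as failed checks.
$secondScan = "va-second-" + (Get-Date -Format "yyyyMMdd-HHmmss")
Start-AzSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $secondScan

# Step 7: export the customized tracking report as an Excel file; the cmdlet
# returns the location of the file it creates.
Convert-AzSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db -ScanId $secondScan

# Step 8: list the scan history; omitting -ScanId returns every record for the
# database, which is the same history the portal's Scan History pane shows.
Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord `
    -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Sort-Object StartTime |
    Format-Table ScanId, TriggerType, State, NumberOfFailedSecurityChecks
```

For a managed instance, substitute the Instance variants of the same cmdlets (for example Start-AzSqlInstanceDatabaseVulnerabilityAssessmentScan with -InstanceName in place of -ServerName). Keep the baseline rows under source control alongside the rest of your infrastructure definitions, since a baseline silently turns a failed check into a pass and should be reviewed with the same care as a firewall rule change.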

Manage Vulnerability Assessment baseline rules by using Resource Manager templates

To configure Vulnerability Assessment baselines by using Azure Resource Manager templates, use the Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines type.

Ensure that you have enabled vulnerabilityAssessments before you add baselines.

Here's an example that defines baseline rule VA2065 for the master database and VA1143 for the user database as resources in a Resource Manager template:

   "resources": [
      {
         "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
         "apiVersion": "2018-06-01-preview",
         "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/master')]",
         "dependsOn": [
            "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
         ],
         "properties": {
            "baselineResults": [
               {
                  "result": [
                     "FirewallRuleName3",
                     "StartIpAddress",
                     "EndIpAddress"
                  ]
               },
               {
                  "result": [
                     "FirewallRuleName4",
                     "62.92.15.68",
                     "62.92.15.68"
                  ]
               }
            ]
         }
      },
      {
         "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
         "apiVersion": "2018-06-01-preview",
         "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA2130/Default')]",
         "dependsOn": [
            "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
         ],
         "properties": {
            "baselineResults": [
               {
                  "result": [
                     "dbo"
                  ]
               }
            ]
         }
      }
   ]

For the master database and a user database, the resource names are defined differently:

  • Master database: "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/master')]",
  • User database: "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/default')]",

To handle Boolean types as true/false, set the baseline result with binary input like "1"/"0":

   {
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
      "apiVersion": "2018-06-01-preview",
      "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA1143/Default')]",

      "dependsOn": [
         "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
      ],

      "properties": {
         "baselineResults": [
            {
               "result": [
                  "1"
               ]
            }
         ]
      }

   }

Next steps