Azure 虚拟机中的 SQL Server 的安全注意事项Security Considerations for SQL Server in Azure Virtual Machines

本主题包括总体安全指南,可帮助建立对 Azure 虚拟机 (VM) 中 SQL Server 实例的安全访问。This topic includes overall security guidelines that help establish secure access to SQL Server instances in an Azure virtual machine (VM).

Azure 遵守多个行业法规和标准,使用户能够使用虚拟机中运行的 SQL Server 生成符合规定的解决方案。Azure complies with several industry regulations and standards that can enable you to build a compliant solution with SQL Server running in a virtual machine. 有关 Azure 合规性的信息,请参阅 Azure 信任中心For information about regulatory compliance with Azure, see Azure Trust Center.

Note

Azure 具有用于创建和处理资源的两个不同的部署模型:资源管理器部署模型和经典部署模型Azure has two different deployment models for creating and working with resources: Resource Manager and classic. 这篇文章介绍了如何使用这两种模型,但 Azure 建议大多数最新部署使用 Resource Manager 模型。This article covers using both models, but Azure recommends that most new deployments use the Resource Manager model.

控制对 SQL VM 的访问Control access to the SQL VM

创建 SQL Server 虚拟机时,请考虑如何谨慎控制有权访问虚拟机和 SQL Server 的人员。When you create your SQL Server virtual machine, consider how to carefully control who has access to the machine and to SQL Server. 通常,应执行以下操作:In general, you should do the following:

  • 仅限对此有需要的应用程序和客户端拥有 SQL Server 访问权限。Restrict access to SQL Server to only the applications and clients that need it.
  • 遵循管理用户帐户和密码的最佳做法。Follow best practices for managing user accounts and passwords.

在考虑这些要点时,以下部分提供了相关建议。The following sections provide suggestions on thinking through these points.

安全连接Secure connections

创建具有库映像的 SQL Server 虚拟机时,“SQL Server 连接”选项提供以下选择:“本地(VM 内)”、“专用(虚拟网络内)”或“公共 (Internet)”。When you create a SQL Server virtual machine with a gallery image, the SQL Server Connectivity option gives you the choice of Local (inside VM), Private (within Virtual Network), or Public (Internet).

SQL Server 连接

为了达到最佳安全性,请为方案选择最严格的选项。For the best security, choose the most restrictive option for your scenario. 例如,如果正在运行访问同一 VM 上的 SQL Server 的应用程序,则“本地”选项最安全。For example, if you are running an application that accesses SQL Server on the same VM, then Local is the most secure choice. 如果正在运行需要访问 SQL Server 的 Azure 应用程序,选择“专用”选项可确保与 SQL Server 的通信仅在指定的 Azure 虚拟网络内安全进行。If you are running an Azure application that requires access to the SQL Server, then Private secures communication to SQL Server only within the specified Azure Virtual Network. 如果需要使用“公共(Internet)”选项访问 SQL Server VM,请确保遵照本主题中的其他最佳做法,以减小受攻击面。If you require Public (internet) access to the SQL Server VM, then make sure to follow other best practices in this topic to reduce your attack surface area.

在门户中选择的选项使用 VM 网络安全组 (NSG) 上的入站安全规则来允许或拒绝发往虚拟机的网络流量。The selected options in the portal use inbound security rules on the VM's network security group (NSG) to allow or deny network traffic to your virtual machine. 可修改或创建新的入站 NSG 规则,允许到 SQL Server 端口(默认为 1433)的流量。You can modify or create new inbound NSG rules to allow traffic to the SQL Server port (default 1433). 还可指定允许通过此端口进行通信的特定 IP 地址。You can also specify specific IP addresses that are allowed to communicate over this port.

网络安全组规则

除了使用 NSG 规则限制网络流量外,还可以对虚拟机使用 Windows 防火墙。In addition to NSG rules to restrict network traffic, you can also use the Windows Firewall on the virtual machine.

如果通过经典部署模型使用终结点,不使用它们时,请删除虚拟机上的所有终结点。If you are using endpoints with the classic deployment model, remove any endpoints on the virtual machine if you do not use them.

最后,考虑为 Azure 虚拟机中的 SQL Server 数据库引擎实例启用加密连接。Finally, consider enabling encrypted connections for the instance of the SQL Server Database Engine in your Azure virtual machine. 使用签名证书配置 SQL Server 实例。Configure SQL server instance with a signed certificate. 有关详细信息,请参阅启用到数据库引擎的加密连接连接字符串语法For more information, see Enable Encrypted Connections to the Database Engine and Connection String Syntax.

使用非默认端口Use a non-default port

默认情况下,SQL Server 侦听已知端口 1433。By default, SQL Server listens on a well-known port, 1433. 为了提高安全性,请将 SQL Server 配置为侦听 1401 等非默认端口。For increased security, configure SQL Server to listen on a non-default port, such as 1401. 如果在 Azure 门户中配置 SQL Server 库映像,则可在“SQL Server 设置”边栏选项卡中指定此端口。If you provision a SQL Server gallery image in the Azure portal, you can specify this port in the SQL Server settings blade.

配置后,可通过两种方式进行预配:To configure this after provisioning, you have two options:

  • 对于 Resource Manager VM,可以在 VM 概述边栏选项卡中选择“SQL Server配置”。For Resource Manager VMs, you can select SQL Server configuration from the VM overview blade. 这提供了更改端口的选项。This provides an option to change the port.

    在门户中更改 TCP 端口

  • 对于经典 VM 或未通过门户进行配置的 SQL Server VM,可通过远程连接到 VM 来手动配置端口。For Classic VMs or for SQL Server VMs that were not provisioned with the portal, you can manually configure the port by connecting remotely to the VM. 有关配置步骤,请参阅将服务器配置为侦听特定 TCP 端口For the configuration steps, see Configure a Server to Listen on a Specific TCP Port. 如果使用此手动方法,还需添加 Windows 防火墙规则,允许该 TCP 端口上的传入流量。If you use this manual technique, you also need to add a Windows Firewall rule to allow incoming traffic on that TCP port.

Important

如果 SQL Server 端口对公共 Internet 连接打开,则最好指定非默认端口。Specifying a non-default port is a good idea if your SQL Server port is open to public internet connections.

SQL Server 侦听非默认端口时,必须在连接时指定该端口。When SQL Server is listening on a non-default port, you must specify the port when you connect. 例如,考虑下服务器 IP 地址为 13.55.255.255,SQL Server 侦听端口 1401 的情况。For example, consider a scenario where the server IP address is 13.55.255.255 and SQL Server is listening on port 1401. 若要连接到 SQL Server,需在连接字符串中指定 13.55.255.255,1401To connect to SQL Server, you would specify 13.55.255.255,1401 in the connection string.

管理帐户Manage accounts

希望攻击者难以猜测帐户名或密码。You don't want attackers to easily guess account names or passwords. 使用以下技巧会有所帮助:Use the following tips to help:

  • 创建一个唯一的本地管理员帐户,不要命名为 AdministratorCreate a unique local administrator account that is not named Administrator.

  • 对所有帐户使用复杂的强密码。Use complex strong passwords for all your accounts. 若要深入了解如何创建强密码,请参阅创建强密码一文。For more information about how to create a strong password, see Create a strong password article.

  • 默认情况下,Azure 在 SQL Server 虚拟机安装期间会选择 Windows 身份验证。By default, Azure selects Windows Authentication during SQL Server Virtual Machine setup. 因此,会禁用 SA 登录名,并由安装程序分配密码。Therefore, the SA login is disabled and a password is assigned by setup. 建议不要使用或启用 SA 登录名。We recommend that the SA login should not be used or enabled. 如果必须使用 SQL 登录名,请使用以下策略之一:If you must have a SQL login, use one of the following strategies:

    • 创建一个名称唯一且具有 sysadmin 成员资格的 SQL 帐户。Create a SQL account with a unique name that has sysadmin membership. 可通过在预配期间启用 SQL 身份验证,从门户执行此操作。You can do this from the portal by enabling SQL Authentication during provisioning.

      Tip

      如果预配期间未启用 SQL 身份验证,则必须手动将身份验证模式更改为 SQL Server 和 Windows 身份验证模式。If you do not enable SQL Authentication during provisioning, you must manually change the authentication mode to SQL Server and Windows Authentication Mode. 有关详细信息,请参阅 更改服务器身份验证模式For more information, see Change Server Authentication Mode.

    • 如果必须使用 SA 登录名,请在预配后启用该登录名,并分配新的强密码。If you must use the SA login, enable the login after provisioning and assign a new strong password.

遵循本地最佳做法进行操作Follow on-premises best practices

除了本主题中描述的做法之外,建议在适用的情况下查看和实施传统的本地安全操作。In addition to the practices described in this topic, we recommend that you review and implement the traditional on-premises security practices where applicable. 有关详细信息,请参阅安装 SQL Server 的安全注意事项For more information, see Security Considerations for a SQL Server Installation

后续步骤Next Steps

如果还对性能最佳做法感兴趣,请参阅 Azure 虚拟机中 SQL Server 的性能最佳做法If you are also interested in best practices around performance, see Performance Best Practices for SQL Server in Azure Virtual Machines.

若要了解与在 Azure VM 中运行 SQL Server 相关的其他主题,请参阅 Azure 虚拟机上的 SQL Server 概述For other topics related to running SQL Server in Azure VMs, see SQL Server on Azure Virtual Machines overview. 如果对 SQL Server 虚拟机有任何疑问,请参阅常见问题解答If you have questions about SQL Server virtual machines, see the Frequently Asked Questions.