Azure SQL Database must only use approved firewall settings deemed by the organization to be secure, including denying azure services access to the server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-255347	ASQL-00-011950	SV-255347r961470_rule		Medium

Description
Use of nonsecure firewall settings, such as allowing azure services to access the server, exposes the system to avoidable threats.

STIG	Date
Microsoft Azure SQL Database Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-59020r877261_chk )
Azure SQL Database must only use approved firewall settings, including denying access to azure services and resources to the server. This option is denied by default in Azure SQL Database and should be left disabled if not otherwise documented and approved. Obtain a list of approved firewall settings from the database documentation. Verify that the "Allow Azure services and resources to access this server" option is disabled. 1. From the Azure Portal, navigate to the Azure SQL Database Dashboard. 2. Select "Set Server Firewall" on the top menu. 3. Under "Exceptions", review the "Allow Azure services and resources to access this server" option and verify that the value is not checked. If the "Allow Azure services and resources to access this server" option is enabled, it must be necessary and specifically approved in the database documentation, otherwise this is a finding.

Check Text ( C-59020r877261_chk )

Azure SQL Database must only use approved firewall settings, including denying access to azure services and resources to the server. This option is denied by default in Azure SQL Database and should be left disabled if not otherwise documented and approved.

Obtain a list of approved firewall settings from the database documentation.

Verify that the "Allow Azure services and resources to access this server" option is disabled.
1. From the Azure Portal, navigate to the Azure SQL Database Dashboard.
2. Select "Set Server Firewall" on the top menu.
3. Under "Exceptions", review the "Allow Azure services and resources to access this server" option and verify that the value is not checked.

If the "Allow Azure services and resources to access this server" option is enabled, it must be necessary and specifically approved in the database documentation, otherwise this is a finding.

Fix Text (F-58964r871166_fix)
Assign the approved policy to Azure SQL Database. 1. From the Azure Portal Dashboard, click "Set Server Firewall". 2. Review the Allow Azure services and resources to access this server option. 3. Uncheck the box to "Deny Azure" services and resources to access this server. 4. Click "Save". For more information about connection policies: https://docs.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture

Fix Text (F-58964r871166_fix)

Assign the approved policy to Azure SQL Database.
1. From the Azure Portal Dashboard, click "Set Server Firewall".
2. Review the Allow Azure services and resources to access this server option.
3. Uncheck the box to "Deny Azure" services and resources to access this server.
4. Click "Save".

For more information about connection policies:
https://docs.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture