0xbythesecond/Securing-Azure-SQL-Database

Securing Azure SQL Database

Introduction

In this lesson, you will learn how to implement various security features for an Azure SQL Database. The exercise consists of four tasks: deploying an Azure SQL Database, configuring advanced data protection, configuring data classification, and configuring auditing. These tasks will help you enhance the security of your SQL Database and protect sensitive data.

Prerequisites:

  • An Azure subscription with Owner or Contributor role access.
  • Basic understanding of Azure portal navigation.

Lesson Steps:

Step 1: Deploy an Azure SQL Database

  • Sign in to the Azure portal at https://portal.azure.com/ with your Azure account.
  • In the search bar at the top of the portal, type "Deploy a custom template" and press Enter.
  • On the Custom deployment blade, select "Build your own template in the editor."
  • On the Edit template blade, click "Load file", locate the JSON template file for this lab, and click Open.
  • Review the template content that describes the deployment of an Azure SQL Database.
  • Click Save on the Edit template blade.
  • On the Custom deployment blade, configure the following settings:
  • Subscription: Select the Azure subscription you will use for this lab.
  • Resource group: Click "Create new" and type the name "AZ500LAB11".
  • Location: Select "(US) South Central US". If you prefer a region nearer to you, the choice still has to match the location specified in the template, so adjust the template's location value before saving it.

  • Click "Review + Create" and then click Create.

  • Wait for the deployment to complete.
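The same deployment can be scripted from an Az PowerShell session (for example the Cloud Shell used in the clean-up step), which also lets you validate the template before creating anything. This is an added example and not part of the repository's own files; it assumes the template was saved locally as azuredeploy.json and that any parameters the template declares as mandatory are supplied in the `$params` hashtable (both the file name and the parameter names are assumptions).

```powershell
# Added example: scripted equivalent of Step 1 (not one of the lab's own files).
# Assumptions: template saved as .\azuredeploy.json; mandatory template parameters (if any) go in $params.
$rg       = 'AZ500LAB11'
$location = 'southcentralus'      # change only if you also change the location inside the template
$template = '.\azuredeploy.json'
$params   = @{}                   # e.g. @{ administratorLogin = 'sqladmin' } if the template asks for it

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }   # Cloud Shell is already signed in

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Validate first: an empty result means the template and parameters are accepted by ARM.
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $template -TemplateParameterObject $params
if ($problems) {
    $problems | Format-List
    throw 'Template validation failed; fix the template or parameters before deploying'
}

$deployment = New-AzResourceGroupDeployment -ResourceGroupName $rg -Name 'az500lab11' `
                  -TemplateFile $template -TemplateParameterObject $params
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'"
}

# Check what was deployed and where, plus two server settings worth reviewing before hardening further.
$server = Get-AzSqlServer -ResourceGroupName $rg | Select-Object -First 1
Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $server.ServerName |
    Where-Object DatabaseName -ne 'master' |
    Select-Object DatabaseName, Location, Edition

$server | Select-Object ServerName, Location, MinimalTlsVersion, PublicNetworkAccess
```

The final line is the check a reviewer wants before moving on: the region should match what you chose, and a minimum TLS version below 1.2 or public network access left wide open are findings in their own right, independent of the Defender, classification and auditing steps that follow.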

Step 2: Configure Advanced Data Protection

In the Azure portal, search for "Resource groups" and select it from the results.

  • On the Resource groups blade, locate and click on the "AZ500LAB11" entry.

  • On the AZ500LAB11 blade, click the entry representing the newly created SQL Server.

  • On the SQL server blade, go to the Security section and click "Microsoft Defender for Cloud".

  • Click "Enable Microsoft Defender for SQL" and wait for the notification indicating that Microsoft Defender for SQL has been successfully enabled.

  • Back on the SQL server blade, in the Security section, open the "Microsoft Defender for Cloud" page again.

  • Locate the "Microsoft Defender for SQL: Enabled at the subscription-level (Configure)" entry and click "(Configure)". Refresh the browser if the entry is not displayed yet.

  • On the Server Settings blade, review the information about pricing, trial period, vulnerability assessment settings, and advanced threat protection settings.

  • Go back to the Microsoft Defender for Cloud blade and review recommendations and security alerts.

    Note: Recommendations may take some time to appear. You can proceed to the next task while waiting.
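Step 2 touches two scopes that the portal blends together: the subscription-level Defender plan (the "Enabled at the subscription-level" label) and the server-level Advanced Threat Protection and vulnerability assessment settings. The following added example, not code from the repository, sets and then reads back both scopes so you can confirm the state rather than rely on a notification. It assumes the Az.Security and Az.Sql modules are available and that the server was deployed into AZ500LAB11 as in Step 1.

```powershell
# Added example: scripted equivalent of Step 2 (not one of the lab's own files).
# Assumes Az.Security and Az.Sql are installed and the Step 1 resource group name.
$rg  = 'AZ500LAB11'
$srv = (Get-AzSqlServer -ResourceGroupName $rg | Select-Object -First 1).ServerName

# Subscription-level plan for SQL servers; this is what the portal's
# "Enabled at the subscription-level" text refers to. 'Free' means Defender for SQL is off.
Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard' | Out-Null
$plan = Get-AzSecurityPricing -Name 'SqlServers'
if ($plan.PricingTier -ne 'Standard') { throw "Defender for SQL plan is '$($plan.PricingTier)', expected Standard" }

# Server-level Advanced Threat Protection (the alerting half of Defender for SQL).
Enable-AzSqlServerAdvancedThreatProtection -ResourceGroupName $rg -ServerName $srv | Out-Null
Get-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $rg -ServerName $srv | Format-List

# Vulnerability assessment (the scanning half). Review the current settings rather than assume
# them: recurring scans and a notification address are what make findings reach someone.
Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $rg -ServerName $srv -ErrorAction SilentlyContinue |
    Format-List
```

If the last command returns nothing, vulnerability assessment has no storage configured yet for this server; the portal's Server Settings blade (and Update-AzSqlServerVulnerabilityAssessmentSetting) is where a storage account, scan schedule and notification e-mails are set.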

Step 3: Configure Data Classification

On the SQL server blade, in the Settings section, click "SQL Databases".

  • Select the "AZ500LabDb" entry from the list of databases.

  • On the AZ500LabDb SQL database blade, in the Security section, click "Data Discovery & Classification".

  • On the Data Discovery & Classification blade, click the "Classification" tab.

    Note: The classification engine scans your database for columns containing potentially sensitive data and provides recommended column classifications.

  • Click the message "We have found 15 columns with classification recommendations" displayed on the blue bar at the top of the blade. (The number depends on the database schema; the lab database produces 15.)

  • Review the listed columns and the recommended sensitivity labels.
  • Enable the "Select all" checkbox and then click "Accept Selected Recommendations".

Note: Alternatively, you can select specific columns and dismiss others.

Note: You can also change the information type and sensitivity label. Once you have completed your review, click "Save".


Note: This will complete the classification and persistently label the database columns with the new classification metadata.

  • Back on the Data Discovery & Classification blade, go to the "Overview" tab and note the updated classification information.
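The review-then-accept flow of Step 3 maps directly onto the Az.Sql classification cmdlets, and scripting it is how you keep the "review" part honest: the recommendations are listed in full before any are persisted, and the accepted set can be narrowed with a filter instead of "Select all". This is an added example, not code from the repository; it assumes the server from Step 1 and the AZ500LabDb database. The filter on the commented line is illustrative only.

```powershell
# Added example: scripted equivalent of Step 3 (not one of the lab's own files).
$rg  = 'AZ500LAB11'
$srv = (Get-AzSqlServer -ResourceGroupName $rg | Select-Object -First 1).ServerName
$db  = 'AZ500LabDb'

# 1. Review what the classification engine recommends before accepting anything.
$rec = Get-AzSqlDatabaseSensitivityRecommendation -ResourceGroupName $rg -ServerName $srv -DatabaseName $db
$rec.SensitivityLabels |
    Select-Object SchemaName, TableName, ColumnName, InformationType, SensitivityLabel |
    Format-Table -AutoSize

# 2. Decide what to accept. $accept = all recommendations is the portal's "Select all";
#    narrow it to accept only some, e.g. drop anything the engine merely rated Public:
#    $accept = $rec.SensitivityLabels | Where-Object SensitivityLabel -notlike 'Public*'
$accept = $rec.SensitivityLabels

# 3. Persist each accepted label as column metadata (portal: "Accept Selected Recommendations" + "Save").
#    Override $c.SensitivityLabel / $c.InformationType here if the review decided on a different label.
foreach ($c in $accept) {
    Set-AzSqlDatabaseSensitivityClassification -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
        -SchemaName $c.SchemaName -TableName $c.TableName -ColumnName $c.ColumnName `
        -InformationType $c.InformationType -SensitivityLabel $c.SensitivityLabel
}

# 4. Verify what is now stored (portal: Overview tab), summarised per label.
$cls = Get-AzSqlDatabaseSensitivityClassification -ResourceGroupName $rg -ServerName $srv -DatabaseName $db
$cls.SensitivityLabels | Group-Object SensitivityLabel | Select-Object Name, Count
```

The same persisted metadata is visible from inside the database through the sys.sensitivity_classifications catalog view, which is useful when a DBA without portal access needs to confirm the labels, and it is what server auditing uses to tag audit records that touch classified columns.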

Step 4: Configure Auditing

In the Azure portal, navigate back to the SQL Server blade.

  • In the Security section, click "Auditing".

    Note: This is server-level auditing. The default action groups record completed batches (queries and stored procedure calls) and successful and failed logins.

  • Set the "Enable Azure SQL Auditing" switch to "ON" to enable auditing.

  • Select the Storage checkbox, and the entry boxes for Subscription and Storage Account will appear.

  • Choose your Subscription from the dropdown list.

  • Click "Storage account" and choose "Create new".

  • On the Create storage account blade, enter a globally unique name consisting of between 3 and 24 lowercase letters and digits. Click OK.

Note: Refresh the browser if the storage account doesn't immediately become available.

  • Back on the Auditing blade, under Advanced properties, set "Retention (days)" to 5. (A value of 0 keeps the audit logs indefinitely.)
  • Click "Save" to save the auditing settings.

Note: If you receive an error message regarding an invalid storage container path, wait a few minutes and click "Storage account". On the Choose storage account blade, select the newly created storage account, and then click "Save".

  • On the SQL Server blade, go to the Settings section and click "SQL Databases".

  • Select the "AZ500LabDb" entry from the list of databases.

  • On the AZ500LabDb SQL database blade, in the Security section, click "Auditing".

    Note: This is database-level auditing. Server-level auditing is already enabled, and a server policy applies to every database on the server regardless of the database-level setting. Enable database-level auditing in addition only when this database needs a different target or action set; enabling both with the same target writes duplicate audit records.

    Note: Audits can be written to an Azure storage account, Log Analytics workspace, or Event Hub.

  • Click "View Audit Logs".

  • On the Audit records blade, you can switch between Server audit and Database audit.

Note: Since the SQL server and database were created recently, there may not be any events available at this point.
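Step 4 is the part of the lab most worth scripting, because the portal hides two things a practitioner wants to check: that the storage account receiving the audit trail is itself locked down, and that the database does not end up with a second, duplicate policy next to the server one. The following added example is not code from the repository; it assumes the server and database from the earlier steps, and the storage account name prefix is an arbitrary choice.

```powershell
# Added example: scripted equivalent of Step 4 (not one of the lab's own files).
$rg  = 'AZ500LAB11'
$srv = (Get-AzSqlServer -ResourceGroupName $rg | Select-Object -First 1).ServerName
$db  = 'AZ500LabDb'
$loc = (Get-AzResourceGroup -Name $rg).Location

# Storage account for the audit logs: 3-24 lowercase letters/digits, globally unique.
# The 'az500audit' prefix is an arbitrary choice; the random suffix keeps it unique.
$saName = 'az500audit' + (Get-Random -Minimum 100000 -Maximum 999999)
if (-not (Get-AzStorageAccountNameAvailability -Name $saName).NameAvailable) {
    throw "Storage account name '$saName' is taken; re-run to get a new suffix"
}
# Audit logs are sensitive: require TLS 1.2 and disallow anonymous blob access on the account.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $loc `
          -SkuName Standard_LRS -Kind StorageV2 -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false

# Server-level auditing to blob storage, 5-day retention (0 would mean keep forever).
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $srv `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $sa.Id -RetentionInDays 5

# Check 1: the server policy is on and covers the expected action groups.
Get-AzSqlServerAudit -ResourceGroupName $rg -ServerName $srv |
    Select-Object BlobStorageTargetState, RetentionInDays, AuditActionGroup

# Check 2: the database has NOT also been given its own blob policy; the server policy already
# applies to it, and enabling both with the same target produces duplicate records.
$dbAudit = Get-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $srv -DatabaseName $db
if ($dbAudit.BlobStorageTargetState -eq 'Enabled') {
    Write-Warning "Database-level auditing is also enabled on $db; expect duplicate audit records"
}

# Audit files are written as .xel blobs in the 'sqldbauditlogs' container, in folders per
# server, database and date. The container appears with the first record, so this may be empty at first.
Get-AzStorageBlob -Container 'sqldbauditlogs' -Context $sa.Context -ErrorAction SilentlyContinue |
    Select-Object Name, LastModified, Length
```

To read the .xel files rather than just list them, query them from within the database with sys.fn_get_audit_file, or point the policy at a Log Analytics workspace instead of (or in addition to) blob storage so the records are searchable with KQL.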

Conclusion

Congratulations! You have successfully completed the exercise on implementing SQL Database security features. In this lesson, you learned how to deploy an Azure SQL Database, configure advanced data protection, configure data classification, and configure auditing. These security measures will help you protect your SQL Database and sensitive data. Remember to clean up your resources to avoid unexpected costs.

Clean Up Resources:

Open the Azure Cloud Shell by clicking the first icon in the top right of the Azure portal. If prompted, select PowerShell and Create storage. In the PowerShell session within the Cloud Shell pane, run the following command to remove the resource group created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB11" -Force -AsJob

Close the Cloud Shell pane. Now you can confidently implement SQL Database security features and ensure the protection of your valuable data.
