SQL Vulnerability Assessment Tool Reference List – Updated!

Way back on January 16, 2020, I published a blog post containing a reference list for the many rules checked by the SQL Vulnerability Assessment Tool. The next month, I created a separate, dedicated page for the reference list so that it’d be easier to find and maintain. Today I learned that a few months later, around the beginning of May, Microsoft themselves also published such a reference list on the Microsoft Docs page.

Microsoft’s version appears to be specifically under the Azure SQL Database section of the documentation. And while it’s more up-to-date compared to the reference list that I published in January and February, it contains fewer details than what I provide in my version.

Specifically, Microsoft’s version does not contain the “Rationale”, the “Query”, and the “Remediation” sections of the assessment rules, which may provide additional insightful information.

I have also noticed that different sets of rules are evaluated, depending on whether your assessment target is a SQL Server instance (IaaS, on-prem or VM), Azure SQL DB, a SQL Managed Instance, or an Azure Synapse Analytics server (a.k.a. Azure SQL DW). Microsoft’s reference list has a “Platform” column, specifying for each rule the platform types where it can be evaluated.

So, I’ve set out to update my own rules reference list with the missing information:

  • I executed a vulnerability assessment scan on a database in each platform type:
    • SQL Server VM
    • Azure SQL Database
    • Azure SQL Managed Instance
    • Azure Synapse Analytics
  • Building on top of the T-SQL script I used last time, I created a new version which can query from a list of assessment files (instead of just one) where each file represents a certain platform.
  • Sprinkle some MERGE magic on the results, specifying for each rule the relevant platforms where it was evaluated.
  • Place in the oven for a few moments.
  • And voila! I got myself a brand new reference list, containing the complete set of information.
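The MERGE step from the list above, as an added example rather than the script the author used. It assumes the per-platform scan results have already been loaded into a staging table; the table names, column names and rule IDs are hypothetical placeholders, and `STRING_AGG` requires SQL Server 2017 or later.

```sql
-- Constructed sample data. Table names, column names and rule IDs are
-- hypothetical placeholders, not values from real scan files.
CREATE TABLE #ScanResults (        -- one row per rule per scanned platform
    Platform nvarchar(50)  NOT NULL,
    RuleId   varchar(20)   NOT NULL,
    Title    nvarchar(200) NOT NULL
);
INSERT INTO #ScanResults (Platform, RuleId, Title) VALUES
    (N'SQL Server VM',              'RULE-001', N'Placeholder rule one'),
    (N'Azure SQL Database',         'RULE-001', N'Placeholder rule one'),
    (N'Azure SQL Managed Instance', 'RULE-001', N'Placeholder rule one'),
    (N'SQL Server VM',              'RULE-002', N'Placeholder rule two'),
    (N'Azure SQL Database',         'RULE-003', N'Placeholder rule three'),
    (N'Azure Synapse Analytics',    'RULE-003', N'Placeholder rule three');

CREATE TABLE #RulesReference (     -- the reference list being maintained
    RuleId    varchar(20)   NOT NULL PRIMARY KEY,
    Title     nvarchar(200) NOT NULL,
    Platforms nvarchar(400) NULL
);
-- A rule already listed from an earlier scan, with no platform information yet.
INSERT INTO #RulesReference (RuleId, Title, Platforms)
VALUES ('RULE-002', N'Placeholder rule two', NULL);

-- Collapse the staged rows to one row per rule with a comma-separated platform
-- list, then update rules already in the reference list and insert new ones.
MERGE #RulesReference AS tgt
USING (
    SELECT RuleId,
           MAX(Title) AS Title,
           STRING_AGG(Platform, N', ') WITHIN GROUP (ORDER BY Platform) AS Platforms
    FROM (SELECT DISTINCT Platform, RuleId, Title FROM #ScanResults) AS d
    GROUP BY RuleId
) AS src
   ON tgt.RuleId = src.RuleId
WHEN MATCHED THEN
    UPDATE SET tgt.Title = src.Title, tgt.Platforms = src.Platforms
WHEN NOT MATCHED BY TARGET THEN
    INSERT (RuleId, Title, Platforms)
    VALUES (src.RuleId, src.Title, src.Platforms);

SELECT RuleId, Title, Platforms FROM #RulesReference ORDER BY RuleId;

DROP TABLE #ScanResults, #RulesReference;
```

Rules missing from every staged scan are left untouched by this MERGE, so a rule that has dropped out of all platforms keeps its old entry until it is reviewed by hand.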

I have updated the SQL Vulnerability Assessment Tool Rules Reference List and it now contains all rules, and all platforms, in a (hopefully) easily digestible format that can be easily referenced from wherever.

Click here to view the updated Rules Reference List
