Way back at January 16, 2020, I published a blog post containing a reference list for the many rules checked by the SQL Vulnerability Assessment Tool. The next month, I created a separate, dedicated page for the reference list so that it’d be easier to find and maintain. Today I learned that a few months later, around the beginning of May, Microsoft themselves have also published such a reference list on the Microsoft Docs page.
Microsoft’s version appears to be specifically under the Azure SQL Database section of the documentation. And while it’s more up-to-date compared to the reference list that I published on January and February, it contains less details than what I provide in my version.
Specifically, Microsoft’s version does not contain the “Rationale“, the “Query“, and the “Remediation” sections of the assessment rules, which may provide additional insightful information.
I have also noticed that different sets of rules are evaluated, depending on whether your assessment target is a SQL Server instance (IaaS, on-prem or VM), Azure SQL DB, a SQL Managed Instance, or an Azure Synapse Analytics server (a.k.a. Azure SQL DW). Microsoft’s reference list has a “Platform” column, specifying for each rule the platform types where it can be evaluated.
So, I’ve set out to update my own rules reference list with the missing information:
- I executed a vulnerability assessment scan on a database in each platform type:
- SQL Server VM
- Azure SQL Database
- Azure SQL Managed Instance
- Azure Synapse Analytics
- Building on top of the T-SQL script I used last time, I created a new version which can query from a list of assessment files (instead of just one) where each file represents a certain platform.
- Sprinkle some MERGE magic on the results, specifying for each rule the relevant platforms where it was evaluated.
- Place in the oven for a few moments.
- And voila! I got myself a brand new reference list, containing the complete set of information.
I have updated the SQL Vulnerability Assessment Tool Rules Reference List and it now contains all rules, and all platforms, in a (hopefully) easily digestible format that can be easily referenced from wherever.