SQL Vulnerability Assessment rules reference guide

APPLIES TO: Azure SQL Database Azure SQL Managed Instance

This article lists the set of built-in rules that are used to flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover both database-level issues as well as server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.

The rules shown in your database scans depend on the SQL version and platform that was scanned.

To learn about how to implement Vulnerability Assessment in Azure, see Implement Vulnerability Assessment.

Rules

Rule ID Rule Title Rule Category Rule Severity Rule Description Platform
VA1017 Execute permissions on xp_cmdshell from all users (except dbo) should be revoked Authentication and Authorization High The xp_cmdshell extended stored procedure spawns a Windows command shell SQL Server 2012+1
VA1018 Latest updates should be installed Installation Updates and Patches High Microsoft periodically releases Cumulative Updates (CUs) for each version of SQL Server. This rule checks whether the latest CU has been installed for the particular version of SQL Server being used, by passing in a string for execution. This rule checks that all users (except dbo) do not have permission to execute the xp_cmdshell extended stored procedure. SQL Server 2005

SQL Server 2008

SQL Server 2008

SQL Server 2012

SQL Server 2014

SQL Server 2016

SQL Server 2017
VA1020 Database user GUEST should not be a member of any role Authentication and Authorization High The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that no database roles are assigned to the Guest user. SQL Server 2012+
VA1021 Global temporary stored procedures should be removed Data Protection High A global temporary stored procedure is visible to all sessions and is dropped when the session of the user that created it is closed. This rule checks that there are no global stored procedures. SQL Server 2012+
VA1022 Ad hoc distributed queries should be disabled Surface Area Reduction Medium Ad hoc distributed queries use the OPENROWSET and OPENDATASOURCE functions to connect to remote data sources that use OLE DB. This rule checks that ad hoc distributed queries are disabled. SQL Server 2012+
VA1023 CLR should be disabled Surface Area Reduction High The CLR allows managed code to be hosted by and run in the Microsoft SQL Server environment. This rule checks that CLR is disabled. SQL Server 2012+
VA1026 CLR should be disabled Surface Area Reduction Medium The CLR allows managed code to be hosted by and run in the Microsoft SQL Server environment. CLR strict security treats SAFE and EXTERNAL_ACCESS assemblies as if they were marked UNSAFE and requires all assemblies be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. This rule checks that CLR is disabled. SQL Server 2017+2

SQL Managed Instance
VA1027 Untracked trusted assemblies should be removed Surface Area Reduction High Assemblies marked as UNSAFE are required to be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. Trusted assemblies may bypass this requirement. SQL Server 2017+

SQL Managed Instance
VA1042 Database ownership chaining should be disabled for all databases except for master, msdb, and tempdb Authentication and Authorization High Cross database ownership chaining is an extension of ownership chaining except it does cross the database boundary. This rule checks that this option is disabled for all databases except for master, msdb, and tempdb . For master, msdb, and tempdb, cross database ownership chaining is enabled by default. SQL Server 2012+

SQL Managed Instance
VA1043 Principal GUEST should not have access to any user database Authentication and Authorization Medium The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that the guest user cannot connect to any database. SQL Server 2012+

SQL Managed Instance
VA1044 Remote Admin Connections should be disabled Surface Area Reduction Medium SQL Server provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements or to troubleshoot problems on the server. This rule checks that remote dedicated admin connections are disabled. SQL Server 2012+

SQL Managed Instance
VA1045 Default trace should be enabled Auditing and Logging Medium Default trace provides troubleshooting assistance to database administrators by ensuring that they have the log data necessary to diagnose problems the first time they occur. This rule checks that the default trace is enabled. SQL Server 2012+

SQL Managed Instance
VA1046 CHECK_POLICY should be enabled for all SQL logins Authentication and Authorization Low CHECK_POLICY option enables verifying SQL logins against the domain policy. This rule checks that CHECK_POLICY option is enabled for all SQL logins. SQL Server 2012+

SQL Managed Instance
VA1047 Password expiration check should be enabled for all SQL logins Authentication and Authorization Low Password expiration policies are used to manage the lifespan of a password. When SQL Server enforces password expiration policy users are reminded to change old passwords and accounts that have expired passwords are disabled. This rule checks that password expiration policy is enabled for all SQL logins. SQL Server 2012+

SQL Managed Instance
VA1048 Database principals should not be mapped to the sa account Authentication and Authorization High A database principal that is mapped to the sa account can be exploited by an attacker to elevate permissions to sysadmin SQL Server 2012+

SQL Managed Instance
VA1051 AUTO_CLOSE should be disabled on all databases Surface Area Reduction Medium The AUTO_CLOSE option specifies whether the database shuts down cleanly and frees resources after the last user exits. This rule checks that this option is disabled on all databases. SQL Server 2012+
VA1052 Remove BUILTIN\Administrators as a server login Authentication and Authorization Low The BUILTIN\Administrators group contains the Windows Local Administrators group. In older versions of Microsoft SQL Server this group has administrator rights by default. This rule checks that this group is removed from SQL Server. SQL Server 2012+
VA1053 Account with default name sa should be renamed or disabled Authentication and Authorization Low sa is a well-known account with principal ID 1. This rule verifies that the sa account is either renamed or disabled SQL Server 2012+

SQL Managed Instance
VA1054 Excessive permissions should not be granted to PUBLIC role on objects or columns Authentication and Authorization Low Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object the user inherits the permissions granted to public on that object. This rule displays a list of all securable objects or columns that are accessible to all users through the PUBLIC role. SQL Server 2012+
VA1058 sa login should be disabled Authentication and Authorization High sa is a well-known account with principal ID 1. This rule verifies that the sa account is disabled. SQL Server 2012+

SQL Managed Instance
VA1059 xp_cmdshell should be disabled Authentication and Authorization High xp_cmdshell spawns a Windows command shell and passes it a string for execution. This rule checks that xp_cmdshell is disabled. SQL Server 2012+

SQL Managed Instance
VA1066 Unused service broker endpoints should be removed Surface Area Reduction Low Service Broker provides queuing and reliable messaging for SQL Server. Service Broker is used both for applications that use a single SQL Server instance and applications that distribute work across multiple instances. Service Broker endpoints provide options for transport security and message forwarding. This rule enumerates all the service broker endpoints. Remove those that are not used. SQL Server 2012+
VA1067 Database Mail XPs should be disabled Authentication and Authorization Medium Database Mail is an enterprise solution for sending e-mail messages from the SQL Server. SQL Server 2012+
VA1068 Server permissions shouldn't be granted directly to principals Authentication and Authorization Low Server level permissions are associated with a server level object to regulate which users can gain access to the object. This rule checks that there are no server level permissions granted directly to logins. SQL Server 2012+

SQL Managed Instance
VA1069 Permissions to select from system tables and views should be revoked from non-sysadmins Authentication and Authorization Low Non-sysadmin permissions to select from system tables and views exist out of the box and are typically used by tools such as SSMS. This rule enumerates which system tables and views can be accessed by non-sysadmins. SQL Server 2012+

SQL Managed Instance
VA1070 Database users shouldn't share the same name as a server login Authentication and Authorization Low Database users may share the same name as a server login. This rule validates that there are no such users. SQL Server 2012+

SQL Managed Instance
VA1071 'Scan for startup stored procedures' option should be disabled Surface Area Reduction Medium When 'Scan for startup procs' is enabled SQL Server scans for and runs all automatically run stored procedures defined on the server. If this option is enabled SQL Server scans for and runs all automatically run stored procedures defined on the server. This rule checks that this option is disabled. SQL Server 2012+
VA1072 Authentication mode should be Windows Authentication Authentication and Authorization Medium There are two possible authentication modes: Windows Authentication mode and mixed mode. Mixed mode means that SQL Server enables both Windows authentication and SQL Server authentication. This rule checks that the authentication mode is set to Windows Authentication. SQL Server 2012+
VA1091 Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins Auditing and Logging Low SQL Server Login auditing configuration enables administrators to track the users logging into SQL Server instances. If the user chooses to count on 'Login auditing' to track users logging into SQL Server instances, then it is important to enable it for both successful and failed login attempts. SQL Server 2012+
VA1092 SQL Server instance shouldn't be advertised by the SQL Server Browser service Surface Area Reduction Low SQL Server uses the SQL Server Browser service to enumerate instances of the Database Engine installed on the computer. This enables client applications to browse for a server and helps clients distinguish between multiple instances of the Database Engine on the same computer. This rule checks that the SQL instance is hidden. SQL Server 2012+
VA1093 Maximum number of error logs should be 12 or more Auditing and Logging Low Each SQL Server Error log will have all the information related to failures / errors that have occurred since SQL Server was last restarted or since the last time you have recycled the error logs. This rule checks that the maximum number of error logs is 12 or more. SQL Server 2012+
VA1094 Database permissions shouldn't be granted directly to principals Authentication and Authorization Low Permissions are rules associated with a securable object to regulate which users can gain access to the object. This rule checks that there are no DB permissions granted directly to users. SQL Server 2012+

SQL Managed Instance
VA1095 Excessive permissions should not be granted to PUBLIC role Authentication and Authorization Medium Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object the user inherits the permissions granted to public on that object. This displays a list of all permissions that are granted to the PUBLIC role. SQL Server 2012+

SQL Managed Instance
VA1096 Principal GUEST should not be granted permissions in the database Authentication and Authorization Low Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user. SQL Server 2012+

SQL Managed Instance
VA1097 Principal GUEST should not be granted permissions on objects or columns Authentication and Authorization Low Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user. SQL Server 2012+

SQL Managed Instance
VA1098 Any Existing SSB or Mirroring endpoint should require AES connection Data Protection High Service Broker and Mirroring endpoints support different encryption algorithms including no-encryption. This rule checks that any existing endpoint requires AES encryption. SQL Server 2012+
VA1099 GUEST user should not be granted permissions on database securables Authentication and Authorization Low Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user. SQL Server 2012+

SQL Managed Instance
VA1102 The Trustworthy bit should be disabled on all databases except MSDB Surface Area Reduction High The TRUSTWORTHY database property is used to indicate whether the instance of SQL Server trusts the database and the contents within it. If this option is enabled database modules (for example user-defined functions or stored procedures) that use an impersonation context can access resources outside the database. This rule verifies that the TRUSTWORTHY bit is disabled on all databases except MSDB. SQL Server 2012+

SQL Managed Instance
VA1143 'dbo' user should not be used for normal service operation Surface Area Reduction Medium The 'dbo' or database owner is a user account that has implied permissions to perform all activities in the database. Members of the sysadmin fixed server role are automatically mapped to dbo. This rule checks that dbo is not the only account allowed to access this database. Note that on a newly created clean database this rule will fail until additional roles are created. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA1144 Model database should only be accessible by 'dbo' Surface Area Reduction Medium The Model database is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database such as database size recovery model and other database options are applied to any databases created afterward. This rule checks that dbo is the only account allowed to access the model database. SQL Server 2012+

SQL Managed Instance
VA1219 Transparent data encryption should be enabled Data Protection Medium Transparent data encryption (TDE) helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database associated backups and transaction log files 'at rest' without requiring changes to the application. This rule checks that TDE is enabled on the database. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA1220 Database communication using TDS should be protected through TLS Data Protection High Microsoft SQL Server can use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. This rule checks that all connections to the SQL Server are encrypted through TLS. SQL Server 2012+

SQL Managed Instance
VA1221 Database Encryption Symmetric Keys should use AES algorithm Data Protection High SQL Server uses encryption keys to help secure data credentials and connection information that is stored in a server database. SQL Server has two kinds of keys: symmetric and asymmetric. This rule checks that Database Encryption Symmetric Keys use AES algorithm. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA1222 Cell-Level Encryption keys should use AES algorithm Data Protection High Cell-Level Encryption (CLE) allows you to encrypt your data using symmetric and asymmetric keys. This rule checks that Cell-Level Encryption symmetric keys use AES algorithm. SQL Server 2012+

SQL Managed Instance
VA1223 Certificate keys should use at least 2048 bits Data Protection High Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA1224 Asymmetric keys' length should be at least 2048 bits Data Protection High Database asymmetric keys are used in many encryption algorithms these keys need to be of enough length to secure the encrypted data this rule checks that all asymmetric keys stored in the database are of length of at least 2048 bits SQL Server 2012

SQL Server 2014

SQL Database
VA1229 Filestream setting in registry and in SQL Server configuration should match Surface Area Reduction High There are two settings governing Filestream option one in the registry (OS level) and one in SQL Server configuration. This rule checks that the two settings match. SQL Server 2012+

SQL Managed Instance
VA1230 Filestream should be disabled Surface Area Reduction High FILESTREAM integrates the SQL Server Database Engine with an NTFS file system by storing varbinary(max) binary large object (BLOB) data as files on the file system. Transact-SQL statements can insert update query search and back up FILESTREAM data. This rule checks that Filestream is disabled. SQL Server 2012+
VA1231 Filestream should be disabled (SQL) Surface Area Reduction High FILESTREAM integrates the SQL Server Database Engine with an NTFS file system by storing varbinary(max) binary large object (BLOB) data as files on the file system. Transact-SQL statements can insert update query search and back up FILESTREAM data. This rule checks that Filestream SQL specific option is disabled SQL Server 2012+
VA1234 Common Criteria setting should be enabled Auditing and Logging Low The Common Criteria enabled setting enables several elements and behaviors that are required for common criteria compliance. This rule checks that this option is enabled. Notice this option isn't available in standard edition. For full details Please visit: Common Criteria Compliance Enabled Server Configuration and SQL Server Resources. SQL Server 2012+
VA1235 Replication XPs should be disabled Surface Area Reduction Medium Disable Replication XPs attack surface area SQL Server 2012+

SQL Managed Instance
VA1244 Orphaned users should be removed from SQL server databases Surface Area Reduction Medium A database user that exists on a database but has no corresponding login in the master database or as an external resource (for example, a Windows user) is referred to as an orphaned user and it should either be removed or remapped to a valid login. This rule checks that there are no orphaned users. SQL Server 2012+

SQL Managed Instance
VA1245 The dbo information should be consistent between the target DB and master Surface Area Reduction High There is redundant information about the dbo identity for any database: metadata stored in the database itself and metadata stored in master DB. This rule checks that this information is consistent between the target DB and master. SQL Server 2012+

SQL Managed Instance
VA1246 Application roles should not be used Authentication and Authorization Low An application role is a database principal that enables an application to run with its own user-like permissions. Application roles enable that only users connecting through a particular application can access specific data. Application roles are password-based (which applications typically hardcode) and not permission based which exposes the database to app role impersonation by password-guessing. This rule checks that no application roles are defined in the database. SQL Server 2012+

SQL Managed Instance

SQL Database
VA1247 There should be no SPs marked as auto-start Surface Area Reduction High When SQL Server has been configured to 'scan for startup procs' the server will scan master DB for stored procedures marked as auto-start. This rule checks that there are no SPs marked as auto-start. SQL Server 2012+
VA1248 User-defined database roles should not be members of fixed roles Authentication and Authorization Medium To easily manage the permissions in your databases SQL Server provides several roles, which are security principals that group other principals. They are like groups in the Microsoft Windows operating system. Database accounts and other SQL Server roles can be added into database-level roles. Each member of a fixed-database role can add other users to that same role. This rule checks that no user-defined roles are members of fixed roles. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA1252 List of events being audited and centrally managed via server audit specifications. Auditing and Logging Low Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. This rule displays a list of events being audited. SQL Server 2012+

SQL Managed Instance
VA1253 List of DB-scoped events being audited and centrally managed via server audit specifications Auditing and Logging Low Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. This rule displays a comprehensive list of all events currently being audited (that is, linked to an audit that is enabled) that are DB-specific managed. SQL Server 2012+

SQL Managed Instance
VA1256 User CLR assemblies should not be defined in the database Surface Area Reduction High CLR assemblies can be used to execute arbitrary code on SQL Server process. This rule checks that there are no user-defined CLR assemblies in the database. SQL Server 2012+

SQL Managed Instance
VA1258 Database owners are as expected Auditing and Logging High Database owners can perform all configuration and maintenance activities on the database and can also drop databases in SQL Server. Tracking database owners is important to avoid having excessive permission for some principals. Create a baseline that defines the expected database owners for the database. This rule checks whether the database owners are as defined in the baseline. SQL Server 2016+3

SQL Database

Azure Synapse
VA1263 List all the active audits in the system Auditing and Logging Low Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. This rule displays a comprehensive list of all events currently being audited (for example, linked to an audit that is enabled). SQL Server 2012+

SQL Managed Instance
VA1264 Auditing of both successful and failed login attempts should be enabled Auditing and Logging Low SQL Server auditing configuration enables administrators to track the users logging into SQL Server instances that they're responsible for. This rule checks that auditing is enabled for both successful and failed login attempts. SQL Server 2012+

SQL Managed Instance
VA1265 Auditing of both successful and failed login attempts for contained DB authentication should be enabled Auditing and Logging Medium SQL Server auditing configuration enables administrators to track users logging to SQL Server instances that they're responsible for. This rule checks that auditing is enabled for both successful and failed login attempts for contained DB authentication. SQL Server 2012+

SQL Managed Instance
VA1266 The 'MUST_CHANGE' option should be set on all SQL logins Authentication and Authorization Low If MUST_CHANGE option is set on a login SQL Server will require establishing a new password upon the first time the login is used for authentication. This rule checks that this option is set on all the logins. SQL Server 2012+

SQL Managed Instance
VA1267 Contained users should use Windows Authentication Authentication and Authorization Medium Contained users are users that exist within the database and do not require a login mapping. This rule checks that contained users use Windows Authentication. SQL Server 2012+

SQL Managed Instance
VA1276 Agent XPs feature should be disabled Auditing and Logging Medium SQL Server Agent is a Microsoft Windows service that executes scheduled administrative tasks in SQL Server. The Agent XPs are extended stored procedures used by the SQL Server Agent that provide privileged actions that run externally to the DBMS under the security context of the SQL Server Agent service account. This rule checks that the Agent XPs feature is disabled. SQL Server 2012+
VA1277 Polybase network encryption should be enabled Surface Area Reduction High PolyBase is a technology that accesses and combines both non-relational and relational data all from within SQL Server. Polybase network encryption option configures SQL Server to encrypt control and data channels when using Polybase. This rule verifies that this option is enabled. SQL Server 2016+
VA1278 Create a baseline of External Key Management Providers Surface Area Reduction Medium The SQL Server Extensible Key Management (EKM) enables third-party EKM / Hardware Security Modules (HSM) vendors to register their modules in SQL Server. When registered SQL Server users can use the encryption keys stored on EKM modules. This rule displays a list of EKM providers being used in the system. SQL Server 2012+

SQL Managed Instance
VA1279 Force encryption should be enabled for TDS Data Protection High When the Force Encryption option for the Database Engine is enabled all communications between client and server is encrypted regardless of whether the 'Encrypt connection' option (such as from SSMS) is checked or not. This rule checks that Force Encryption option is enabled. SQL Server 2012+
VA1280 Server Permissions granted to public should be minimized Authentication and Authorization Medium Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object the user inherits the permissions granted to public on that object. This rule checks that server permissions granted to public are minimized. SQL Server 2012+

SQL Managed Instance
VA1281 All memberships for user-defined roles should be intended Auditing and Logging Medium User-defined roles are security principals defined by the user to group principals to easily manage permissions. Monitoring these roles is important to avoid having excessive permissions. Create a baseline that defines expected membership for each user-defined role. This rule checks whether all memberships for user-defined roles are as defined in the baseline. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA1282 Orphan roles should be removed Authentication and Authorization Low Orphan roles are user-defined roles that have no members. Eliminate orphaned roles as they are not needed on the system. This rule checks whether there are any orphan roles. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA1283 There should be at least 1 active audit in the system Auditing and Logging Low Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. The SQL Server Audit object collects a single instance of server or database-level actions and groups of actions to monitor. This rule checks that there is at least one active audit in the system. SQL Server 2012+

SQL Managed Instance
VA1286 Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN) Authentication and Authorization Low Permissions are rules associated with a securable object to regulate which users can gain access to the object. This rule checks that there are no DB permissions granted directly to users. SQL Server 2012+

SQL Managed Instance
VA1288 Sensitive data columns should be classified Data Protection Medium This rule discovers and characterizes potentially sensitive data in the database. The result is a collection of sensitive database columns, which should be reviewed and classified using SQL Data Discovery & Classification. This allows database columns to be persistently labeled according to their sensitivity, which enables tracking (auditing) the use of classified data and creating reports. If your sensitive database columns are unprotected, you should also consider applying one of SQL Database's built-in security capabilities to restrict access to and protect your sensitive data. SQL Database
VA2000 Minimal set of principals should be granted high impact database-scoped permissions Authentication and Authorization High Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted high impact database-scoped permissions. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2001 Minimal set of principals should be granted high impact database-scoped permissions on objects or columns Authentication and Authorization High Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted high impact database-scoped permissions on objects or columns. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2002 Minimal set of principals should be granted high impact database-scoped permissions on various securables Authentication and Authorization High Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted high impact database-scoped permissions on various securable. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2010 Minimal set of principals should be granted medium impact database-scoped permissions Authentication and Authorization Medium Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted medium impact database-scoped permissions. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2020 Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions Authentication and Authorization High Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted ALTER or ALTER ANY USER database-scoped permissions. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2021 Minimal set of principals should be granted database-scoped ALTER permissions on objects or columns Authentication and Authorization High Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted ALTER database-scoped permissions on objects or columns. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2022 Minimal set of principals should be granted database-scoped ALTER permission on various securables Authentication and Authorization High Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped ALTER permissions on various securable. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2030 Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped SELECT or EXECUTE permissions. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2031 Minimal set of principals should be granted database-scoped SELECT Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped SELECT permission on objects or columns. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2032 Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions on schema Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped SELECT or EXECUTE permissions on schema. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2033 Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped EXECUTE permission on objects or columns. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2034 Minimal set of principals should be granted database-scoped EXECUTE permission on XML Schema Collection Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped EXECUTE permission on XML Schema Collection. SQL Server 2012+

SQL Managed Instance

SQL Database
VA2040 Minimal set of principals should be granted low impact database-scoped permissions Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted low impact database-scoped permissions. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2041 Minimal set of principals should be granted low impact database-scoped permissions on objects or columns Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted low impact database-scoped permissions on objects or columns. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2042 Minimal set of principals should be granted low impact database-scoped permissions on schema Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted low impact database-scoped permissions on schema. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2050 Minimal set of principals should be granted database-scoped VIEW DEFINITION permissions Authentication and Authorization Medium Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped VIEW DEFINITION permissions. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2051 Minimal set of principals should be granted database-scoped VIEW DEFINITION permissions on objects or columns Authentication and Authorization Medium Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped VIEW DEFINITION permissions on objects or columns. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2052 Minimal set of principals should be granted database-scoped VIEW DEFINITION permission on various securables Authentication and Authorization Medium Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped VIEW DEFINITION permission on various securables. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2060 SQL Threat Detection should be enabled at the server level Data Protection Medium SQL Threat Detection provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Azure Security Center, which includes clear investigation and remediation steps for the specific threat. For more information, please see Configure threat detection. This check verifies that SQL Threat Detection is enabled
SQL Managed Instance

SQL Database

Azure Synapse
VA2061 Auditing should be enabled at the server level Auditing and Logging High Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. For more information, see Azure SQL Auditing. This rule checks that auditing is enabled. SQL Database

Azure Synapse
VA2062 Database-level firewall rules should not grant excessive access Surface Area Reduction High The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check verifies that database-level firewall rules do not grant excessive access. SQL Database

Azure Synapse
VA2063 Server-level firewall rules should not grant excessive access Surface Area Reduction High The Azure SQL server-level firewall helps protect your server by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can only be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check verifies that server-level firewall rules do not grant excessive access. SQL Database

Azure Synapse
VA2064 Database-level firewall rules should be tracked and maintained at a strict minimum Surface Area Reduction High The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check enumerates all the database-level firewall rules so that any changes made to them can be identified and addressed. SQL Database

Azure Synapse
VA2065 Server-level firewall rules should be tracked and maintained at a strict minimum Surface Area Reduction High The Azure SQL server-level firewall helps protect your data by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see Azure SQL Database and Azure Synapse Analytics IP firewall rules. This check enumerates all the server-level firewall rules so that any changes made to them can be identified and addressed. SQL Database

Azure Synapse
VA2100 Minimal set of principals should be granted high impact server-scoped permissions Authentication and Authorization High Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted high impact server-scoped permissions. SQL Server 2012+

SQL Managed Instance
VA2101 Minimal set of principals should be granted medium impact server-scoped permissions Authentication and Authorization Medium Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted medium impact server-scoped permissions. SQL Server 2012+

SQL Managed Instance
VA2102 Minimal set of principals should be granted low impact server-scoped permissions Authentication and Authorization Low Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted low impact server-scoped permissions. SQL Server 2012+

SQL Managed Instance
VA2103 Unnecessary execute permissions on extended stored procedures should be revoked Authentication and Authorization Medium Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. SQL Server is packaged with many extended stored procedures that allow for interaction with the system DLLs. This rule checks that unnecessary execute permissions on extended stored procedures have been revoked. SQL Server 2012+

SQL Managed Instance
VA2104 Execute permissions on extended stored procedures should be revoked from PUBLIC Authentication and Authorization Medium Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. SQL Server is packaged with many extended stored procedures that allow for interaction with the system DLLs. This rule checks that unnecessary execute permissions are not granted to the PUBLIC role. SQL Server 2012+

SQL Managed Instance
VA2105 Login password should not be easily guessed Authentication and Authorization High This rule checks that login passwords are not easily guessed. SQL Server 2012+

SQL Managed Instance
VA2107 Minimal set of principals should be members of fixed Azure SQL DB master database roles Authentication and Authorization High SQL Database provides two restricted administrative roles in the master database to which user accounts can be added that grant permissions to either create databases or manage logins. This rule check that a minimal set of principals are members of these administrative roles. SQL Database

Azure Synapse
VA2108 Minimal set of principals should be members of fixed high impact database roles Authentication and Authorization High SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2109 Minimal set of principals should be members of fixed low impact database roles Authentication and Authorization Low SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles. SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2110 Execute permissions to access the registry should be revoked Authentication and Authorization High Registry extended stored procedures allow Microsoft SQL Server to read write and enumerate values and keys in the registry. They are used by Enterprise Manager to configure the server. This rule checks that the permissions to execute registry extended stored procedures have been revoked from all users (other than dbo). SQL Server 2012+

SQL Managed Instance
VA2111 Sample databases should be removed Surface Area Reduction Low Microsoft SQL Server comes shipped with several sample databases. This rule checks whether the sample databases have been removed. SQL Server 2012+

SQL Managed Instance
VA2112 Permissions from PUBLIC for Data Transformation Services (DTS) should be revoked Authentication and Authorization Medium Data Transformation Services (DTS) is a set of objects and utilities that allow the automation of Extract Transform and Load (ETL) operations to or from a database. The objects are DTS packages and their components and the utilities are called DTS tools. This rule checks that the permissions for the PUBLIC role to use the DTS system stored procedures have been revoked. SQL Server 2012+

SQL Managed Instance
VA2113 Data Transformation Services (DTS) permissions should only be granted to SSIS roles Authentication and Authorization Medium Data Transformation Services (DTS) is a set of objects and utilities that allow the automation of extract transform and load operations to or from a database. The objects are DTS packages and their components and the utilities are called DTS tools. This rule checks that only the SSIS roles are granted permissions to use the DTS system stored procedures. SQL Server 2012+

SQL Managed Instance
VA2114 Minimal set of principals should be members of high impact fixed server roles Authentication and Authorization High SQL Server provides roles to help manage permissions. Roles are security principals that group other principals. Server-level roles are server-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed server roles. SQL Server 2012+

SQL Managed Instance
VA2115 Minimal set of principals should be members of medium impact fixed server roles Authentication and Authorization Medium SQL Server provides roles to help manage permissions. Roles are security principals that group other principals. Server-level roles are server-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed server roles. SQL Server 2012+

SQL Managed Instance
VA2120 Features that may affect security should be disabled Surface Area Reduction High SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default may not be necessary and enabling them could adversely affect the security of the system. This rule checks that these features are disabled. SQL Server 2012+

SQL Managed Instance
VA2121 'OLE Automation Procedures' feature should be disabled Surface Area Reduction High SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the security of the system. The OLE Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server. Regardless of its benefits it can also be used for exploits and is known as a popular mechanism to plant files on the target machines. It is advised to use PowerShell as a replacement for this tool. This rule checks that 'OLE Automation Procedures' feature is disabled. SQL Server 2012+

SQL Managed Instance
VA2122 'User Options' feature should be disabled Surface Area Reduction Medium SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default may not be necessary and enabling them could adversely affect the security of the system. The user options specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options allows you to change the default values of the SET options (if the server's default settings are not appropriate). This rule checks that 'user options' feature is disabled. SQL Server 2012+

SQL Managed Instance
VA2123 'Remote Access' feature should be disabled Surface Area Reduction Medium SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default may not be necessary and enabling them could adversely affect the security of the system. The remote access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server. This rule checks that 'remote access' feature is disabled. SQL Server 2012+

SQL Managed Instance
VA2126 Features that may affect security should be disabled Surface Area Reduction Medium SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default may not be necessary and enabling them could adversely affect the security of the system. This rule checks that these features are disabled. SQL Server 2016+
VA2127 'External Scripts' feature should be disabled Surface Area Reduction High SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default may not be necessary and enabling them could adversely affect the security of the system. 'External Scripts enabled' option enables the execution of scripts with certain remote language extensions. This rule checks that 'External Scripts Enabled' feature is disabled. SQL Server 2016+
VA2128 Vulnerability Assessment is not supported for SQL Server versions lower than SQL Server 2012 Installation Updates and Patches High To run a Vulnerability Assessment scan on your SQL Server the server needs to be upgraded to SQL Server 2012 or higher, SQL Server 2008 R2 and below are no longer supported by Microsoft. For more information, see https://www.microsoft.com/cloud-platform/windows-sql-server-2008 SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse
VA2129 Changes to signed modules should be authorized Authentication and Authorization High You can sign a stored procedure, function, or trigger with a certificate or an asymmetric key. This is designed for scenarios when permissions cannot be inherited through ownership chaining or when the ownership chain is broken, such as dynamic SQL. This rule checks for changes made to signed modules, which could be an indication of malicious use. SQL Server 2012+

SQL Database
VA2130 Track all users with access to the database Authentication and Authorization Low Users should be granted permissions according to the principle of least privilege - Each user should be granted the minimum set of permissions required for their role. This check tracks all users with access to a database. Check that these users are authorized according to their current role in the organization. The permissions information in this check can support a User Access Review process for the database. SQL Database

Azure Synapse

1 SQL Server 2012+ refers to all versions of SQL Server 2012 and above.

2 SQL Server 2017+ refers to all versions of SQL Server 2017 and above.

3 SQL Server 2016+ refers to all versions of SQL Server 2016 and above.

Next steps