
Security Considerations for SQL Server in Azure Virtual Machines

This topic includes overall security guidelines that help establish secure access to SQL Server instances in an Azure virtual machine (VM).

Azure complies with several industry regulations and standards that can enable you to build a compliant solution with SQL Server running in a virtual machine. For information about regulatory compliance with Azure, see Azure Trust Center.

Note

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using both models, but Microsoft recommends that most new deployments use the Resource Manager model.

Control access to the SQL VM

When you create your SQL Server virtual machine, consider how to carefully control who has access to the machine and to SQL Server. In general, you should do the following:

  • Restrict access to SQL Server to only the applications and clients that need it.
  • Follow best practices for managing user accounts and passwords.

The following sections provide suggestions on thinking through these points.

Secure connections

When you create a SQL Server virtual machine with a gallery image, the SQL Server Connectivity option gives you the choice of Local (inside VM), Private (within Virtual Network), or Public (Internet).

(Screenshot: SQL Server Connectivity option)

For the best security, choose the most restrictive option for your scenario. For example, if you are running an application that accesses SQL Server on the same VM, then Local is the most secure choice. If you are running an Azure application that requires access to the SQL Server, then Private secures communication to SQL Server only within the specified Azure Virtual Network. If you require Public (internet) access to the SQL Server VM, then make sure to follow the other best practices in this topic to reduce your attack surface area.

The selected options in the portal use inbound security rules on the VM's network security group (NSG) to allow or deny network traffic to your virtual machine. You can modify or create new inbound NSG rules to allow traffic to the SQL Server port (default 1433). You can also specify specific IP addresses that are allowed to communicate over this port.
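The following Azure PowerShell script is an added example, not part of the original article: it audits the VM's NSG for inbound rules that expose the SQL Server port to the whole Internet, removes them, and adds a rule that allows the port only from one approved source range. The resource group, NSG name, port and source range are assumed placeholder values; it requires the Az.Network module and a prior Connect-AzAccount.

```powershell
# Added example (not from the original article): audit and tighten the inbound NSG rule for the
# SQL Server port with Azure PowerShell (Az.Network module; run Connect-AzAccount first).
# Resource group, NSG name, source range and port are assumed placeholder values.
param(
    [string]$ResourceGroup = 'rg-sqlvm-example',
    [string]$NsgName       = 'sqlvm-nsg-example',
    [string]$AllowedSource = '203.0.113.0/24',   # documentation range; use your app subnet or office egress
    [string]$SqlPort       = '1433'
)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# 1. Detection: does any inbound Allow rule open the SQL port to every source?
$exposed = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') -and
    ($_.DestinationPortRange -contains $SqlPort -or $_.DestinationPortRange -contains '*')
}
foreach ($r in $exposed) {
    Write-Warning "Rule '$($r.Name)' (priority $($r.Priority)) allows TCP $SqlPort from any source; removing it."
    $nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $r.Name
}

# 2. Mitigation: allow the SQL port only from the approved source range.
#    Every NSG ends with a built-in DenyAllInbound rule, so no explicit deny rule is needed.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name 'Allow-SQL-From-AppSubnet' -Description "SQL Server TCP $SqlPort from $AllowedSource only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1000 `
    -SourceAddressPrefix $AllowedSource -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $SqlPort

# 3. Commit the change and list the resulting inbound rules for review.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
$nsg.SecurityRules | Where-Object Direction -eq 'Inbound' |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

If you changed SQL Server to a non-default port as described later in this topic, pass that port instead of 1433; Add-AzNetworkSecurityRuleConfig fails if a rule with the same name already exists, so rerun with a different name or remove the old rule first.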

(Screenshot: Network security group rules)

In addition to NSG rules to restrict network traffic, you can also use the Windows Firewall on the virtual machine.

If you are using endpoints with the classic deployment model, remove any endpoints on the virtual machine if you do not use them. For instructions on using ACLs with endpoints, see Manage the ACL on an endpoint. This is not necessary for VMs that use Resource Manager.

Finally, consider enabling encrypted connections for the instance of the SQL Server Database Engine in your Azure virtual machine. Configure the SQL Server instance with a signed certificate. For more information, see Enable Encrypted Connections to the Database Engine and Connection String Syntax.

Use a non-default port

By default, SQL Server listens on a well-known port, 1433. For increased security, configure SQL Server to listen on a non-default port, such as 1401. If you provision a SQL Server gallery image in the Azure portal, you can specify this port in the SQL Server settings blade.

Note

The following screenshots are from the SQL virtual machines resource within the Azure portal. For end-of-support (EOS) SQL Server VMs, and SQL Server VMs that have not been registered with the SQL VM resource provider, use the SQL Server configuration tab to manage your SQL Server VM instead.

To configure this after provisioning, you have two options:

  • For Resource Manager VMs, you can select Security from the SQL virtual machines resource. This provides an option to change the port.

    (Screenshot: Change TCP port in the portal)

  • For Classic VMs or for SQL Server VMs that were not provisioned with the portal, you can manually configure the port by connecting remotely to the VM. For the configuration steps, see Configure a Server to Listen on a Specific TCP Port. If you use this manual technique, you also need to add a Windows Firewall rule to allow incoming traffic on that TCP port.
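The manual technique in the second option, as an added example that is not part of the original article: run in an elevated PowerShell session on the VM, it moves the default instance (MSSQLSERVER) to TCP 1401 by writing the same registry values SQL Server Configuration Manager writes (an alternative to the Configuration Manager steps the linked article describes), adjusts Windows Firewall so only the new port is open, restarts the engine and verifies the listener. The port numbers and rule name are assumed.

```powershell
# Added example (not from the original article): move the default instance (MSSQLSERVER) to TCP 1401
# and open only that port in Windows Firewall. Requires an elevated session on the VM.
# The registry values below are the ones SQL Server Configuration Manager writes for the TCP/IP
# protocol; this is an alternative to the Configuration Manager steps. Port and rule name are assumed.
$NewPort = 1401
$OldPort = 1433

# Resolve the instance's registry folder (e.g. MSSQL15.MSSQLSERVER) from the instance-name map.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').MSSQLSERVER
$tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"

# Static port on all addresses; clear dynamic ports so the listener is predictable.
Set-ItemProperty -Path $tcpKey -Name TcpPort         -Value "$NewPort"
Set-ItemProperty -Path $tcpKey -Name TcpDynamicPorts -Value ''

# Firewall: drop any inbound rule that still opens the old port, then allow only the new one.
# Source restriction is done by the NSG, so the host rule applies to every network profile.
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$OldPort" } |
    Get-NetFirewallRule | Where-Object Direction -eq 'Inbound' | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName "SQL Server TCP $NewPort" -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -Action Allow -Profile Any | Out-Null

# The port change takes effect when the Database Engine service restarts (-Force also restarts SQL Agent).
Restart-Service -Name MSSQLSERVER -Force

# Verify: the engine must listen on the new port and no longer on the old one.
Start-Sleep -Seconds 10
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LocalPort
if ($listening -contains $NewPort -and $listening -notcontains $OldPort) {
    Write-Host "SQL Server now listens on TCP $NewPort only; connect with '<server>,$NewPort'."
} else {
    Write-Warning "Unexpected listener state: ports $($listening -join ', ')"
}
```

For a named instance, read the matching property under the Instance Names\SQL key and restart the MSSQL$InstanceName service instead.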

Important

Specifying a non-default port is a good idea if your SQL Server port is open to public internet connections.

When SQL Server is listening on a non-default port, you must specify the port when you connect. For example, consider a scenario where the server IP address is 13.55.255.255 and SQL Server is listening on port 1401. To connect to SQL Server, you would specify 13.55.255.255,1401 in the connection string.

Manage accounts

You don't want attackers to easily guess account names or passwords. Use the following tips to help:

  • Create a unique local administrator account that is not named Administrator.

  • Use complex strong passwords for all your accounts. For more information about how to create a strong password, see the Create a strong password article.

  • By default, Azure selects Windows Authentication during SQL Server Virtual Machine setup. Therefore, the SA login is disabled and a password is assigned by setup. We recommend that you do not use or enable the SA login. If you must have a SQL login, use one of the following strategies:

    • Create a SQL account with a unique name that has sysadmin membership. You can do this from the portal by enabling SQL Authentication during provisioning.

      Tip

      If you do not enable SQL Authentication during provisioning, you must manually change the authentication mode to SQL Server and Windows Authentication Mode. For more information, see Change Server Authentication Mode.

    • If you must use the SA login, enable the login after provisioning and assign a new strong password.
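The first strategy carried out after provisioning, as an added example that is not part of the original article: using Invoke-Sqlcmd from the SqlServer module under a Windows login that is already sysadmin, it checks that mixed mode is enabled (the Tip above), creates a uniquely named sysadmin SQL login, disables SA and verifies the end state. The server name and login name are assumed placeholders.

```powershell
# Added example (not from the original article): create a uniquely named sysadmin SQL login, disable
# the SA login, and verify. Requires the SqlServer module (Invoke-Sqlcmd) and a connection under a
# Windows login that is already sysadmin. Server and login names are assumed placeholders.
param(
    [string]$ServerInstance = 'localhost,1401',
    [string]$AdminLogin     = 'svc_dba_example',
    [Parameter(Mandatory)][SecureString]$Password
)

# Only plain identifiers are accepted, so the name can be bracket-quoted safely below.
if ($AdminLogin -notmatch '^[A-Za-z_][A-Za-z0-9_]{2,127}$') { throw "Login name '$AdminLogin' is not a safe identifier." }
if ($AdminLogin -ieq 'sa') { throw 'Pick a name other than sa.' }

# Mixed mode must be enabled, otherwise the new SQL login can never connect (see the Tip above).
$mode = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WinOnly"
if ($mode.WinOnly -eq 1) { throw 'Server is in Windows Authentication mode; switch to mixed mode first, then rerun.' }

# Pass the password as a sqlcmd variable instead of splicing it into the T-SQL text; double any quote.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password.Replace("'", "''")
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$AdminLogin')
    CREATE LOGIN [$AdminLogin] WITH PASSWORD = N'`$(Pwd)', CHECK_POLICY = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER [$AdminLogin];
ALTER LOGIN sa DISABLE;   -- fails if sa was renamed; disable the renamed login instead
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sql -Variable "Pwd=$plain"
Remove-Variable plain

# Verify the end state: sa disabled, the new login present and a sysadmin member.
$check = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT p.name, p.is_disabled, IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.name IN (N'sa', N'$AdminLogin');
"@
$check | Format-Table -AutoSize
$sa  = $check | Where-Object name -eq 'sa'
$new = $check | Where-Object name -eq $AdminLogin
if ($sa.is_disabled -ne $true -or $new.is_sysadmin -ne 1) { throw 'Account hardening did not complete as expected.' }
```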

Follow on-premises best practices

In addition to the practices described in this topic, we recommend that you review and implement the traditional on-premises security practices where applicable. For more information, see Security Considerations for a SQL Server Installation.

Next Steps

If you are also interested in best practices around performance, see Performance Best Practices for SQL Server in Azure Virtual Machines.

For other topics related to running SQL Server in Azure VMs, see SQL Server on Azure Virtual Machines overview. If you have questions about SQL Server virtual machines, see the Frequently Asked Questions.