SQL 弱點評量服務可協助您識別資料庫弱點SQL Vulnerability Assessment service helps you identify database vulnerabilities

SQL 弱點評量是容易設定的服務,可探索、追蹤及協助您修復潛在的資料庫弱點。SQL Vulnerability Assessment is an easy to configure service that can discover, track, and help you remediate potential database vulnerabilities. 您可以用它來主動改善資料庫安全性。Use it to proactively improve your database security.

弱點評量是進階資料安全性 (ADS) 供應項目的一部分,該供應項目是進階 SQL 安全性功能的整合套件。Vulnerability Assessment is part of the advanced data security (ADS) offering, which is a unified package for advanced SQL security capabilities. 弱點評量可以透過中央 SQL ADS 入口網站存取及管理。Vulnerability Assessment can be accessed and managed via the central SQL ADS portal.


Azure SQL Database、Azure SQL 受控執行個體及 Azure SQL 資料倉儲可支援弱點評量。Vulnerability Assessment is supported for Azure SQL Database, Azure SQL Managed Instance and Azure SQL Data Warehouse. 為了簡單起見,在本文中提到任何受控資料庫服務時都會使用 SQL Database。For simplicity, SQL Database is used in this article when referring to any of these managed database services.

弱點評量服務The Vulnerability Assessment service

SQL 弱點評量 (VA) 這項服務可提供安全性狀態的可視性,並包括解決安全性問題和增強資料庫安全性的可行步驟。SQL Vulnerability Assessment (VA) is a service that provides visibility into your security state, and includes actionable steps to resolve security issues, and enhance your database security. 它可協助您:It can help you:

  • 符合需要資料庫掃描報告的合規性需求。Meet compliance requirements that require database scan reports.
  • 符合資料隱私權標準。Meet data privacy standards.
  • 監視難以追蹤變更的動態資料庫環境。Monitor a dynamic database environment where changes are difficult to track.

弱點評量是 Azure SQL Database 服務內建的掃描服務。Vulnerability Assessment is a scanning service built into the Azure SQL Database service. 此服務採用的規則知識庫會對安全性弱點加上旗標,並醒目顯示偏離最佳做法的情況,例如設定錯誤、權限過高以及敏感性資料未受保護。The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. 規則是以 Microsoft 的最佳作法為基礎,並著重於顯示資料庫和其珍貴資料的最大安全性問題風險。The rules are based on Microsoft’s best practices and focus on the security issues that present the biggest risks to your database and its valuable data. 它們涵蓋了資料庫層級的問題以及伺服器層級的安全性問題,例如伺服器防火牆設定和伺服器層級權限。They cover both database-level issues as well as server-level security issues, like server firewall settings and server-level permissions. 這些規則也代表各管理機關的許多要求以符合其合規性標準。These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.

掃描結果包含可解決每個問題和提供適用的自訂補救指令碼的可行步驟。Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. 您可以為權限設定、功能設定及資料庫設定來設定可接受的基準,針對環境自訂評量報告。An assessment report can be customized for your environment by setting an acceptable baseline for permission configurations, feature configurations, and database settings.

實作弱點評量Implementing Vulnerability Assessment

下列步驟可在 SQL Database 上實作 VA。The following steps implement VA on SQL Database.

1.執行掃描1. Run a scan

透過瀏覽至 Azure SQL Database 窗格中 [安全性] 標題下的 [進階資料安全性] ,開始使用 VA。Get started with VA by navigating to Advanced Data Security under the Security heading in your Azure SQL Database pane. 按一下以啟用進階資料安全性,然後按一下 [選取儲存體] 或 [弱點評量] 卡片,該卡片會自動開啟整個 SQL 伺服器的 [弱點評量] 設定卡片。Click to enable advanced data security, and then click on Select Storage or on the Vulnerability Assessment card, which automatically opens the Vulnerability Assessment settings card for the entire SQL server.

從設定儲存體帳戶開始,以儲存伺服器上所有資料庫的掃描結果。Start by configuring a storage account where your scan results for all databases on the server will be stored. 如需儲存體帳戶的資訊,請參閱關於 Azure 儲存體帳戶For information about storage accounts, see About Azure storage accounts. 設定儲存體之後,按一下 [掃描] 以掃描您資料庫的弱點。Once storage is configured, click Scan to scan your database for vulnerabilities.



掃描是輕量級且安全的。The scan is lightweight and safe. 執行會需要幾秒鐘的時間,並為完全唯讀。It takes a few seconds to run, and is entirely read-only. 它不會對資料庫進行任何變更。It does not make any changes to your database.

2.檢視報告2. View the report

掃描完成時,會在 Azure 入口網站中自動顯示掃描報告。When your scan is complete, your scan report is automatically displayed in the Azure portal. 此報告會提供安全性狀態的概觀、找到多少個問題及其各自的嚴重性。The report presents an overview of your security state: how many issues were found and their respective severities. 結果包括偏離最佳作法的警告和安全性相關設定的快照集,例如資料庫主體和角色及其相關權限。掃描報告也會提供在資料庫中所發現機密資料的對應,並包含使用資料探索與分類來將該資料分類的建議。Results include warnings on deviations from best practices and a snapshot of your security-related settings, such as database principals and roles and their associated permissions.The scan report also provides a map of sensitive data discovered in your database, and includes recommendations to classify that data using data discovery & classification.


3.分析結果並解決問題3. Analyze the results and resolve issues

檢閱您的結果,並判斷報告中的哪些調查結果是環境中真正的安全性問題。Review your results and determine the findings in the report that are true security issues in your environment. 向下鑽研至每個失敗的結果,了解調查結果的影響,以及每個安全性檢查失敗的原因。Drill down to each failed result to understand the impact of the finding and why each security check failed. 若要解決此問題,使用報告所提供的可操作補救資訊。Use the actionable remediation information provided by the report to resolve the issue.


4.設定基準4. Set your baseline

當您檢閱評量結果時,可以將特定結果標示為環境中可接受的「基準」 。As you review your assessment results, you can mark specific results as being an acceptable Baseline in your environment. 基本上,基準就是自訂報告結果的方式。The baseline is essentially a customization of how the results are reported. 符合基準的結果都會視為傳入後續掃描。Results that match the baseline are considered as passing in subsequent scans. 建立基準安全性狀態之後,VA 只會報告偏離基準的情況,讓您可以將注意力放在相關的問題。Once you have established your baseline security state, VA only reports on deviations from the baseline and you can focus your attention on the relevant issues.


5.執行新掃描,以查看您的自訂追蹤報告5. Run a new scan to see your customized tracking report

完成設定規則基準之後,執行新掃描,以檢視自訂的報告。After you complete setting up your Rule Baselines, run a new scan to view the customized report. VA 現在只會報告該偏離所核准基準狀態的安全性問題。VA now reports only the security issues that deviate from your approved baseline state.


弱點評量現在可用來監視您的資料庫,隨時維護高度安全性並符合組織原則。Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. 如果需要合規性報告,VA 報告對於加快合規性流程很有幫助。If compliance reports are required, VA reports can be helpful to facilitate the compliance process.

6.設定重複執行的週期性掃描6. Set up periodic recurring scans

瀏覽至 [弱點評量] 設定以開啟週期性掃描Navigate to the Vulnerability Assessment settings to turn on Periodic recurring scans. 這會將 [弱點評量] 設定為每週自動執行一次資料庫掃描。This configures Vulnerability Assessment to automatically run a scan on your database once per week. 掃描結果摘要將傳送到您所提供的電子郵件地址。A scan result summary will be sent to the email address(es) you provide.


7.匯出評量報告7. Export an assessment report

按一下 [匯出掃描結果] 以建立一份可下載的掃描結果 Excel 報告。Click Export Scan Results to create a downloadable Excel report of your scan result. 此報告包含 [摘要] 索引標籤,其中顯示評量摘要,包括所有失敗的檢查。This report contains a summary tab that displays a summary of the assessment, including all failed checks. 它還包含一個 [結果] 索引標籤,其中包含完整的掃描結果集,包括所有執行的檢查以及每個檢查的結果詳細資料。It also includes a Results tab containing the full set of results from the scan, including all checks that were run and the result details for each.

8.檢視掃描歷程記錄8. View scan history

按一下 [VA] 窗格中的 [掃描歷程記錄] ,以檢查先前在此資料庫上執行的所有掃描歷程記錄。Click Scan History in the VA pane to view a history of all scans previously run on this database. 選取清單中的特定掃描,以檢視該掃描的詳細結果。Select a particular scan in the list to view the detailed results of that scan.

弱點評量現在可用來監視您的資料庫,隨時維護高度安全性並符合組織原則。Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. 如果需要合規性報告,VA 報告對於加快合規性流程很有幫助。If compliance reports are required, VA reports can be helpful to facilitate the compliance process.

使用 Azure PowerShell 管理弱點評定Manage Vulnerability Assessments using Azure PowerShell


本文已更新為使用新的 Azure PowerShell Az 模組。This article has been updated to use the new Azure PowerShell Az module. AzureRM 模組在至少 2020 年 12 月之前都還會持續收到錯誤 (Bug) 修正,因此您仍然可以持續使用。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要深入了解新的 Az 模組和 AzureRM 的相容性,請參閱新的 Azure PowerShell Az 模組簡介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 如需 Az 模組安裝指示,請參閱安裝 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.


PowerShell Azure 资源管理器模块仍受 Azure SQL 数据库的支持,但所有未来的开发都是针对 Az.Sql 模块的。The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. 若要了解这些 cmdlet,请参阅 AzureRM.SqlFor these cmdlets, see AzureRM.Sql. Az 模块和 AzureRm 模块中的命令参数大体上是相同的。The arguments for the commands in the Az module and in the AzureRm modules are substantially identical.

您可以使用 Azure PowerShell Cmdlet,以程式設計方式管理您的弱點評定。You can use Azure PowerShell cmdlets to programmatically manage your vulnerability assessments. 支援的 Cmdlet 如下:The supported cmdlets are:

如需指令碼範例,請參閱 Azure SQL 弱點評定的 PowerShell 支援For a script example, see Azure SQL Vulnerability Assessment PowerShell support.

後續步驟Next steps