---
author: MashaMSFT
ms.author: mathoma
ms.date: 03/29/2023
ms.service: virtual-machines
ms.topic: include
---

SQL Server features and capabilities provide methods of securing data at the database level that can be combined with security features at the infrastructure level. Together, these features provide defense in depth for cloud-based and hybrid solutions. In addition, Azure security measures make it possible to encrypt your sensitive data, protect virtual machines from viruses and malware, secure network traffic, identify and detect threats, meet compliance requirements, and provide a single method for administration and reporting for any security need in the hybrid cloud.

- Use Microsoft Defender for Cloud to evaluate and take action to improve the security posture of your data environment. Capabilities such as Azure Advanced Threat Protection (ATP) can be used across your hybrid workloads to improve security evaluation and give the ability to react to risks. Registering your SQL Server VM with the SQL IaaS Agent extension surfaces Microsoft Defender for Cloud assessments within the SQL virtual machine resource of the Azure portal.
- Use Microsoft Defender for SQL to discover and mitigate potential database vulnerabilities, and to detect anomalous activities that could indicate a threat to your SQL Server instance and database layer.
- Vulnerability Assessment is part of Microsoft Defender for SQL; it can discover and help remediate potential risks to your SQL Server environment. It provides visibility into your security state and includes actionable steps to resolve security issues.
- Use Azure confidential VMs to reinforce protection of your data in use and data at rest against host operator access. Azure confidential VMs allow you to confidently store your sensitive data in the cloud and meet strict compliance requirements.
- If you're on SQL Server 2022, consider using Microsoft Entra authentication to connect to your instance of SQL Server.
- Azure Advisor analyzes your resource configuration and usage telemetry, and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources. Use Azure Advisor at the virtual machine, resource group, or subscription level to help identify and apply best practices to optimize your Azure deployments.
- Use Azure Disk Encryption when your compliance and security needs require you to encrypt the data end-to-end using your own encryption keys, including encryption of the ephemeral (locally attached temporary) disk.
- Managed Disks are encrypted at rest by default using Azure Storage Service Encryption, where the encryption keys are Microsoft-managed keys stored in Azure.
- For a comparison of the managed disk encryption options, review the managed disk encryption comparison chart.
- Management ports should be closed on your virtual machines. Open remote management ports expose your VM to a high level of risk from internet-based attacks, which attempt to brute-force credentials to gain admin access to the machine.
- Turn on Just-in-time (JIT) access for Azure virtual machines.
- Use Azure Bastion rather than direct Remote Desktop Protocol (RDP) access.
- Lock down ports and only allow the necessary application traffic using Azure Firewall, a managed Firewall as a Service (FaaS) that grants or denies server access based on the originating IP address.
- Use Network Security Groups (NSGs) to filter network traffic to and from Azure resources on Azure Virtual Networks.
- Use Application Security Groups to group servers that have similar functions and similar port-filtering requirements, such as web servers and database servers.
- For web and application servers, use Azure Distributed Denial of Service (DDoS) protection. DDoS attacks are designed to overwhelm and exhaust network resources, making apps slow or unresponsive. It's common for DDoS attacks to target user interfaces. Azure DDoS protection sanitizes unwanted network traffic before it impacts service availability.
- Use VM extensions to help address anti-malware, desired state, threat detection, prevention, and remediation at the operating system, machine, and network levels.
- Use Azure Policy to create business rules that can be applied to your environment. Azure Policy evaluates Azure resources by comparing the properties of those resources against rules defined in JSON format.
- Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints are different from Azure Policy.
- Use Windows Server 2019 or Windows Server 2022 to be FIPS compliant with SQL Server on Azure VMs.
- Treat restoring backups as a high-risk operation, and never restore a backup from an untrusted source.
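The "management ports" and "Azure Policy" items above combine naturally: a custom policy definition can refuse, at deployment time, any NSG rule that opens RDP or SSH to the Internet, showing the JSON property-comparison model Azure Policy uses. The Bicep below is an added example, not code from this docs page or from Microsoft; the definition name, display name and the parameter default are assumptions.

```bicep
// Added example (not from the Azure docs page): a custom Azure Policy definition
// that denies NSG security rules allowing inbound RDP (3389) or SSH (22) from
// the Internet. The resource name and displayName are assumptions.
targetScope = 'subscription'

var ruleType = 'Microsoft.Network/networkSecurityGroups/securityRules'
var srcList = '${ruleType}/sourceAddressPrefixes[*]'
var dstList = '${ruleType}/destinationPortRanges[*]'
// Ports that must never be reachable from the Internet; '*' means "all ports".
var mgmtPorts = ['22', '3389', '*']
// Source prefixes that mean "anyone on the Internet".
var anySource = ['*', 'Internet', '0.0.0.0/0']

resource denyInternetMgmtPorts 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-nsg-internet-mgmt-ports-example'
  properties: {
    displayName: 'NSG rules must not allow RDP/SSH from the Internet'
    policyType: 'Custom'
    mode: 'All' // securityRules are child resources, so Indexed mode would skip them
    // Default to Audit so an assignment first reports offending rules; switch to Deny later.
    parameters: { effect: { type: 'String', allowedValues: ['Audit', 'Deny', 'Disabled'], defaultValue: 'Audit' } }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: ruleType }
          { field: '${ruleType}/access', equals: 'Allow' }
          { field: '${ruleType}/direction', equals: 'Inbound' }
          // Source may be set as a single prefix or as a list; check both shapes.
          {
            anyOf: [
              { field: '${ruleType}/sourceAddressPrefix', in: anySource }
              { count: { field: srcList, where: { field: srcList, in: anySource } }, greater: 0 }
            ]
          }
          // Destination ports: same two shapes. Caveat: a range such as '3000-4000'
          // is not decomposed, so a rule hiding 3389 inside a range is not caught here.
          {
            anyOf: [
              { field: '${ruleType}/destinationPortRange', in: mgmtPorts }
              { count: { field: dstList, where: { field: dstList, in: mgmtPorts } }, greater: 0 }
            ]
          }
        ]
      }
      // Bicep escapes the leading '[' so the policy engine, not ARM, evaluates this.
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}
```

Assign the definition with the default Audit effect to list existing rules that would be blocked, then change the assignment's effect parameter to Deny once those rules are cleaned up.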