====== Database Security ======

  * [[https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview]]
  * [[https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview]]

===== SQL Database Authentication =====

  * Azure Active Directory (AAD) authentication is recommended over native SQL Server authentication for database access.
  * [[https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#using-an-azure-ad-identity-to-connect-using-ssms-or-ssdt]]

==== SQL Authentication ====

With this authentication method, the client submits a user name and password to establish a connection. The password is stored in the master database for user accounts linked to a login, or in the individual database for user accounts that are not linked to a login.

Logins and users: in Azure SQL, a user account in a database can either be associated with a login stored in the master database, or be a contained user whose credential is stored in the individual database.

  * A **login** is an individual account in the master database, to which a user account in one or more databases can be linked. With a login, the credential information for the user account is stored with the login (in master).
  * A **user account** is an individual account in any database that may be, but does not have to be, linked to a login. With a user account that is not linked to a login (a contained database user), the credential information is stored with the user account, so it travels with the database when the database is copied or restored elsewhere.
  * **Recommendation:** Use Azure Active Directory authentication to centrally manage the identities of database users and as an alternative to SQL Server authentication.
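The following T-SQL is an added example (not code from the original page or from Microsoft's documentation) that creates the principal kinds described above side by side, so the difference in where each credential lives is visible: a login in master with a mapped user, a contained SQL user, and an AAD contained user. The names ''app_login'', ''app_user'', ''report_user'' and ''alice@contoso.com'', the passwords, and the assumption of one Azure SQL logical server with one user database are placeholders.

```sql
-- Added example, not from the page. All names and passwords are placeholders.
-- Azure SQL Database does not support USE to switch databases: open one
-- connection to master and one to the user database and run each part where
-- indicated.

-- ===== In master: a login is a server-level principal. =====
-- Its password hash is stored in master, so the credential follows the login,
-- not the database.
CREATE LOGIN app_login WITH PASSWORD = 'Replace-with-a-generated-secret-1!';

-- ===== In the user database =====
-- 1) User mapped to the login above: no credential is stored in this database.
--    If the database is copied to another server without the login, this user
--    is orphaned and cannot connect.
CREATE USER app_user FOR LOGIN app_login;
ALTER ROLE db_datawriter ADD MEMBER app_user;

-- 2) Contained database user: the password hash is stored in this database, so
--    the user keeps working when the database is copied or geo-replicated.
CREATE USER report_user WITH PASSWORD = 'Replace-with-a-generated-secret-2!';
ALTER ROLE db_datareader ADD MEMBER report_user;

-- 3) Azure AD contained user: no password is stored in SQL at all; the token is
--    validated against the tenant. This statement must be run by an Azure AD
--    principal (for example the server's Azure AD admin), not by a SQL login.
CREATE USER [alice@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [alice@contoso.com];

-- Check: where does each principal's credential live?
--   authentication_type_desc = INSTANCE  -> mapped to a login in master
--   authentication_type_desc = DATABASE  -> contained SQL user (password here)
--   authentication_type_desc = EXTERNAL  -> Azure AD principal (no password)
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('S', 'E', 'X')      -- SQL user, AAD user, AAD group
  AND principal_id > 4;            -- skip dbo, guest, INFORMATION_SCHEMA, sys
```

The final SELECT is the quickest way to audit an existing database for leftover SQL-authenticated users after migrating to AAD: anything reported as DATABASE or INSTANCE still depends on a stored password.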
==== AAD Authentication ====

  * **SSMS** supports authentication with AAD using AAD Universal Authentication (the option that supports multi-factor authentication).

===== SQL Database Firewalls =====

  * [[https://docs.microsoft.com/en-us/learn/modules/sql-database-security/3-firewalls]]
  * Initially, all access to your Azure SQL Database is blocked by the SQL Database firewall.
  * To help protect your data, the firewall blocks all access to your database server until you specify which client IP addresses have permission. The firewall grants access to databases based on the originating IP address of each request.
  * There are **server-level IP firewall rules** and **database-level IP firewall rules**. Server-level rules apply to all databases on the server; because their scope is broader, they are evaluated only after the database-level rules (if the client IP matches a database-level rule, the server-level rules are not consulted).
  * **Recommendation:** Whenever possible, use database-level IP firewall rules: they are stored in the database itself, so they move with it when it is copied or restored, and they grant access to only that database. Use server-level IP firewall rules for administrators, and when several databases share the same access requirements and you do not want to configure each database individually.

===== Auditing =====

> Auditing for Azure SQL Database and Azure Synapse Analytics tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace or Event Hubs.

  * Auditing can be enabled at the server level or the database level. A server-level audit policy applies to every database on the server, so a database-level policy is only needed when one database requires different settings or a different target; if both are enabled, the same events are written twice.

Last modified: 2023/02/06 21:16 by mmuze
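For the SQL Database Firewalls section above, the following T-SQL is an added example (not from the original page or Microsoft's documentation) that creates one rule of each scope and then reviews what is open. The rule names and the IP ranges (RFC 5737 documentation addresses) are placeholders; it assumes the caller has the permissions to manage firewall rules on the logical server.

```sql
-- Added example, not from the page. Rule names and IP ranges are placeholders.

-- ===== Server-level rule: run in master. =====
-- Applies to every database on the logical server; use it for administrators.
EXECUTE sp_set_firewall_rule
    @name             = N'admin_workstation',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- ===== Database-level rule: run in the user database. =====
-- Scoped to this database only and stored inside it, so it moves with the
-- database when it is copied or restored to another server. Checked before
-- the server-level rules.
EXECUTE sp_set_database_firewall_rule
    @name             = N'app_subnet',
    @start_ip_address = '198.51.100.0',
    @end_ip_address   = '198.51.100.255';

-- ===== Review what is actually open. =====
-- In master:
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.firewall_rules;
-- In the user database:
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.database_firewall_rules;

-- Flag server-level rules wider than a single /24 (first three octets differ),
-- plus the special 0.0.0.0-0.0.0.0 rule created by "Allow Azure services and
-- resources to access this server", which admits connections from any Azure
-- tenant, not only yours. PARSENAME(ip, 4) is the first octet, 1 the last.
SELECT name, start_ip_address, end_ip_address,
       CASE WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
            THEN 'any Azure resource (all tenants)'
            ELSE 'wider than /24' END AS note
FROM sys.firewall_rules
WHERE (start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0')
   OR PARSENAME(start_ip_address, 4) <> PARSENAME(end_ip_address, 4)
   OR PARSENAME(start_ip_address, 3) <> PARSENAME(end_ip_address, 3)
   OR PARSENAME(start_ip_address, 2) <> PARSENAME(end_ip_address, 2);

-- Once the real client ranges are in place, drop the "any Azure resource"
-- rule (this is the name it appears under in sys.firewall_rules).
EXECUTE sp_delete_firewall_rule @name = N'AllowAllWindowsAzureIps';
```

The review queries are worth running periodically: server-level rules are easy to add from the portal's "add client IP" button and tend to accumulate, and a single 0.0.0.0 rule undoes the point of all the narrower ones.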
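For the Auditing section above, the following T-SQL is an added example (not from the original page or Microsoft's documentation) that reads a day's audit log back from the storage account and pulls out the two things a responder usually wants first: login failures clustered by source, and the source addresses of successful logins to compare against the firewall rules. It assumes blob-storage auditing is enabled, that the caller can read the ''sqldbauditlogs'' container, and that the files sit under the server-level audit folder layout shown in the path; the storage account, server and database names are placeholders.

```sql
-- Added example, not from the page. Names in the path are placeholders.
-- Audit logs written to blob storage are .xel files under
--   sqldbauditlogs/<server>/<database>/SqlDbAuditing_ServerAudit/<yyyy-mm-dd>/
-- (SqlDbAuditing_Audit for a database-level policy) and can be read back with
-- sys.fn_get_audit_file; a trailing slash reads every file in that folder.
DECLARE @audit_path nvarchar(512) =
    N'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/'
  + N'<server-name>/<database-name>/SqlDbAuditing_ServerAudit/2023-02-06/';

-- Failed logins grouped by principal and client IP: a burst from one IP
-- against many principals is the password-spraying pattern to look for.
SELECT server_principal_name,
       client_ip,
       COUNT(*)         AS failures,
       MIN(event_time)  AS first_seen,
       MAX(event_time)  AS last_seen
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'          -- login failed
GROUP BY server_principal_name, client_ip
HAVING COUNT(*) >= 5
ORDER BY failures DESC;

-- Successful logins by source address: compare against sys.firewall_rules and
-- sys.database_firewall_rules and investigate any IP no rule explains.
SELECT client_ip,
       server_principal_name,
       database_name,
       COUNT(*)         AS logins,
       MAX(event_time)  AS last_seen
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE action_id = 'LGIS'          -- login succeeded
GROUP BY client_ip, server_principal_name, database_name
ORDER BY client_ip;
```

If auditing is sent to a Log Analytics workspace instead, the same fields (''action_id_s'', ''client_ip_s'', ''server_principal_name_s'') are available in the ''AzureDiagnostics'' table and the queries translate directly to KQL.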