Microsoft Azure SQL Database Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Azure SQL Database must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
Azure SQL Databases handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Select... [Rule: High Severity]
SRG-APP-000447-DB-000393
Group -
SRG-APP-000314-DB-000310
Group -
Azure SQL Database must associate organization-defined types of security labels having organization-defined security label values with information in transmission.
Without the association of security labels to information, there is no basis for Azure SQL Database to make security-related access-control decisions. Security labels are abstractions representing... [Rule: Medium Severity]
SRG-APP-000328-DB-000301
Group -
Azure SQL Database must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which... [Rule: Medium Severity]
SRG-APP-000342-DB-000302
Group -
Azure SQL Database must restrict execution of stored procedures and functions that utilize [execute as] to necessary cases only.
In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges... [Rule: Medium Severity]
SRG-APP-000378-DB-000365
Group -
SRG-APP-000092-DB-000208
Group -
Azure SQL Database must initiate session auditing upon startup.
Session auditing is for use when a user's activities are under investigation. To ensure capture of all activity during those periods when session auditing is in use, it needs to be in operation for... [Rule: Medium Severity]
SRG-APP-000380-DB-000360
Group -
Azure SQL Database must enforce access restrictions associated with changes to the configuration of the Azure SQL Database server or database(s).
Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions p... [Rule: Medium Severity]
SRG-APP-000416-DB-000380
Group -
Azure SQL Database must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ... [Rule: High Severity]
SRG-APP-000428-DB-000386
Group -
Azure SQL Database must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
Azure SQL Databases handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selectio... [Rule: High Severity]
SRG-APP-000429-DB-000387
Group -
SRG-APP-000101-DB-000044
Group -
SRG-APP-000089-DB-000064
Group -
The Azure SQL Database must be configured to generate audit records for DOD-defined auditable events within all DBMS/database components.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit re... [Rule: Medium Severity]
SRG-APP-000090-DB-000065
Group -
Azure SQL Database must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. ... [Rule: Medium Severity]
SRG-APP-000091-DB-000066
Group -
The Azure SQL Database must be able to generate audit records when privileges/permissions are retrieved.
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically mak... [Rule: Medium Severity]
SRG-APP-000091-DB-000325
Group -
The Azure SQL Database must be able to generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically mak... [Rule: Medium Severity]
SRG-APP-000118-DB-000059
Group -
The audit information produced by Azure SQL Database must be protected from unauthorized read access.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ... [Rule: Medium Severity]
SRG-APP-000119-DB-000060
Group -
SRG-APP-000120-DB-000061
Group -
The audit information produced by Azure SQL Database must be protected from unauthorized deletion.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracit... [Rule: Medium Severity]
SRG-APP-000141-DB-000090
Group -
SRG-APP-000142-DB-000094
Group -
The Azure SQL Database must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restr... [Rule: Medium Severity]
SRG-APP-000148-DB-000103
Group -
Azure SQL Database must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational use... [Rule: Medium Severity]
SRG-APP-000177-DB-000069
Group -
Azure SQL Database must map the PKI-authenticated identity to an associated user account.
The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to an Azure SQL Database user account for the authenticated identi... [Rule: Medium Severity]
SRG-APP-000180-DB-000115
Group -
SRG-APP-000211-DB-000122
Group -
Azure SQL Database must separate user functionality (including user interface services) from database management functionality.
Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers and typically requires privileged user access. The s... [Rule: Medium Severity]
SRG-APP-000231-DB-000154
Group -
Azure SQL Database must protect the confidentiality and integrity of all information at rest.
This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information. Information at rest refers to t... [Rule: High Severity]
SRG-APP-000295-DB-000305
Group -
Azure SQL Database must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). ... [Rule: Medium Severity]
SRG-APP-000340-DB-000304
Group -
SRG-APP-000357-DB-000316
Group -
Azure SQL Database must be able to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
To ensure sufficient storage capacity for the audit logs, the Azure SQL Database must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mand... [Rule: Medium Severity]
SRG-APP-000359-DB-000319
Group -