
Configure Microsoft Defender for SQL Servers on machines to the Standard tier

Security · Microsoft Defender for Cloud · Rule · 2022_09 · Critical

Enable Microsoft Defender for SQL servers on machines.

Description

SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL Servers on machines represents a single go-to location to manage security capabilities.

Enabling Defender for SQL automatically enables vulnerability assessment for your SQL databases hosted in a VM. It discovers, tracks, and provides guidance to remediate potential database vulnerabilities.

Enabling Defender for SQL at the subscription level doesn't by itself protect all your SQL servers. A Log Analytics agent must be deployed on the machine, and the Log Analytics workspace must have Defender for SQL enabled.

Recommendation

Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.

Examples

Configure with Azure template

To enable Defender for SQL servers on machines:

  • Set the Standard pricing tier for Microsoft Defender for SQL servers on machines.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2024-01-01",
  "name": "SqlServerVirtualMachines",
  "properties": {
    "pricingTier": "Standard"
  }
}
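
A pre-deployment check for a template like the one above, added here as an example and not the page's or the rule's own code: it parses an ARM template and reports whether the SqlServerVirtualMachines plan is declared with the Standard tier, including inside nested deployments. The function names and the sample templates are constructed for illustration.

```python
import json

RESOURCE_TYPE = "microsoft.security/pricings"
PLAN_NAME = "sqlservervirtualmachines"

def iter_resources(resources):
    """Yield every resource, including child resources and nested deployment templates."""
    # ARM allows a list of resources or, with symbolic names, an object keyed by name.
    items = resources.values() if isinstance(resources, dict) else resources or []
    for res in items:
        yield res
        yield from iter_resources(res.get("resources"))
        nested = (res.get("properties") or {}).get("template")
        if isinstance(nested, dict):
            yield from iter_resources(nested.get("resources"))

def check_template(text):
    """Return (compliant, reason) for an ARM template given as JSON text."""
    template = json.loads(text)
    # Resource types and names are compared case-insensitively.
    plans = [r for r in iter_resources(template.get("resources"))
             if str(r.get("type", "")).lower() == RESOURCE_TYPE
             and str(r.get("name", "")).lower() == PLAN_NAME]
    if not plans:
        return False, "no SqlServerVirtualMachines pricing resource found"
    for plan in plans:
        tier = str((plan.get("properties") or {}).get("pricingTier", ""))
        if tier.lower() != "standard":
            return False, f"pricingTier is '{tier}', expected 'Standard'"
    return True, "SqlServerVirtualMachines is set to Standard"

# Constructed sample templates for illustration.
def _template(tier):
    plan = {"type": "Microsoft.Security/pricings", "apiVersion": "2024-01-01",
            "name": "SqlServerVirtualMachines", "properties": {"pricingTier": tier}}
    return json.dumps({"resources": [plan]})

STANDARD = _template("Standard")
FREE = _template("Free")
NESTED = json.dumps({"resources": [{"type": "Microsoft.Resources/deployments",
    "name": "security", "properties": {"template": json.loads(STANDARD)}}]})
MISSING = json.dumps({"resources": []})

if __name__ == "__main__":
    for label, text in [("standard", STANDARD), ("free", FREE),
                        ("nested", NESTED), ("missing", MISSING)]:
        print(label, check_template(text))
```

A passing result covers only the subscription-level plan; the Log Analytics agent and workspace requirements described earlier are not visible in the template and need a separate check.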

Configure with Bicep

To enable Defender for SQL servers on machines:

  • Set the Standard pricing tier for Microsoft Defender for SQL servers on machines.

For example:

Azure Bicep snippet
resource defenderForSQLOnVM 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'SqlServerVirtualMachines'
  properties: {
    pricingTier: 'Standard'
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/ptn/security/security-center:<version>

To use the latest version:

br/public:avm/ptn/security/security-center:0.1.1

Configure with Azure CLI

Azure CLI snippet
az security pricing create -n 'SqlServerVirtualMachines' --tier 'standard'

Configure with Azure PowerShell

Azure PowerShell snippet
Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'
