简体繁体 English

SQL漏洞评估中的“VA2065-服务器级防火墙规则”怎么办？

[英]What to do about "VA2065 - Server-level firewall rules" in SQL Vulnerability Assessment?

原文 2020-01-22 18:04:12 7 1 azure/ azure-security

Working through an SQL Vulnerability assessment and one of the warnings is "VA2065 - Server-level firewall rules should be tracked and maintained at a strict minimum".通过 SQL 漏洞评估和警告之一是“VA2065 - 服务器级防火墙规则应该被跟踪并保持在最低限度”。

There then is a list of firewall rules in red, with IP addresses next to them (usually just one number but sometimes a range).然后是红色的防火墙规则列表，旁边有 IP 个地址（通常只有一个数字，但有时是一个范围）。

I am trying to understand these rules and this assessment.我试图理解这些规则和这个评估。 I think these are the IP addresses that we allow to access the server.我认为这些是我们允许访问服务器的 IP 地址。 For example, when I access a db on the server in question from SSMS I will occasionally get an error that to proceed I have to add the IP to the firewall rule.例如，当我从 SSMS 访问有问题的服务器上的数据库时，我偶尔会收到一个错误，提示我必须将 IP 添加到防火墙规则中才能继续。 So I say yes.所以我说是的。 I see some rules with names like "ClientIPAddress_2019-05-21_01:24:15" that are probably the result of this.我看到一些规则的名称类似于“ClientIPAddress_2019-05-21_01:24:15”，这可能是由此产生的结果。

I also see some weird rules like "AllowAllWindowsAzureIps" with an IP range of 0.0.0.0 to 0.0.0.0.我还看到一些奇怪的规则，例如“AllowAllWindowsAzureIps”，其 IP 范围为 0.0.0.0 到 0.0.0.0。 What is that all about?这是怎么回事？ My guess is that allows any Azure process to access the server, but I do not know.我的猜测是允许任何 Azure 进程访问服务器，但我不知道。

Assuming my analysis is correct, and that all of the rules are OK, what is remediation is necessary?假设我的分析是正确的，而且所有的规则都没有问题，那么什么是需要补救的呢？ Set the current rules as a baseline and send out an alert when a new rule is created?将当前规则设置为基准并在创建新规则时发出警报？ Or disallow any automatic rule creation?或者禁止任何自动规则创建？

Any guidance would be most appreciated.任何指导将不胜感激。

"AllowAllWindowsAzureIps" “允许所有 WindowsAzureIps”

1 个解决方案

I'm not saying this is the correct answer but since it's been over 2 years and nobody has answered, I'll give it a shot.我并不是说这是正确的答案，但由于已经超过 2 年而且没有人回答，我会试一试。

This is how we handled/fixed this.这就是我们处理/修复此问题的方式。 You either add the rule to the baseline(saying it's supposed to be here) or you delete the rule(saying it's not supposed to be here).您要么将规则添加到基线（说它应该在这里），要么删除规则（说它不应该在这里）。 Think of this scan as a reminder that these rules exist and to clean them out when they aren't needed.将此扫描视为存在这些规则的提醒，并在不需要时将其清除。 All your ClientIp rules.您所有的 ClientIp 规则。 The baseline is what is expected.基线是预期的。

If you think of it like a party that has a list of attendees it might help.如果你把它想象成一个有参加者名单的聚会，它可能会有所帮助。 Your party has 2 guests on the list: Martha (your mom) and Jeff (your mom's special friend).你的派对名单上有 2 位客人：玛莎（你妈妈）和杰夫（你妈妈的特别朋友）。 If you go into your party and see 3 people there, you know something isn't right, except it is right, because you forgot that you told Samantha (your hot cousin) she could come.如果你 go 进入你的聚会并看到那里有 3 个人，你知道有些事情不对，但它是对的，因为你忘记了你告诉萨曼莎（你的表妹）她可以来。 So you add her to the list.因此，您将她添加到列表中。 Now everything is ok to your party advisor because 3 names are on the list and 3 people are in the party.现在您的派对顾问一切正常，因为名单上有 3 个名字并且有 3 个人在派对中。

But then you come back later and now there are 4 people at the party.但是后来你回来了，现在聚会上有 4 个人。 Chad (Samantha's boyfriend) showed up.查德（萨曼莎的男朋友）出现了。 Your party administrator knows Chad's gotta go because he's not on the list.您的派对管理员知道 Chad 必须拨打 go，因为他不在名单上。 He got in to the party because Samantha let him in. But it's not Samantha's party and she shouldn't have done that.他参加派对是因为 Samantha 让他进来了。但这不是 Samantha 的派对，她不应该那样做。

Good thing we have this list that tells us who's actually supposed to be at the party or we wouldn't be able to spend alone time with Samantha.幸好我们有这份名单，它告诉我们谁真正应该参加派对，否则我们将无法单独与萨曼莎共度时光。