SQL Server Predictable Active Directory Account Name

  • Query id: 530e8291-2f22-4bab-b7ea-306f1bc2a308
  • Query name: SQL Server Predictable Active Directory Account Name
  • Platform: Ansible
  • Severity: Medium
  • Category: Best Practices
  • URL: Github

Description

Azure SQL Server must avoid using predictable Active Directory Administrator account names, such as 'Admin'. The 'ad_user' attribute must be set to a name that is not easy to predict.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# This is problematic code for which the query should report result(s)
- name: create ad sp
  azure_ad_serviceprincipal:
    app_id: "{{ app_id }}"
    state: present
    tenant: "{{ tenant_id }}"
    ad_user: admin
- name: create ad sp2
  azure_ad_serviceprincipal:
    app_id: "{{ app_id2 }}"
    state: present
    tenant: "{{ tenant_id2 }}"
    ad_user: ""
- name: create ad sp3
  azure_ad_serviceprincipal:
    app_id: "{{ app_id3 }}"
    state: present
    tenant: "{{ tenant_id3 }}"
    ad_user:

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# This is correct code for which the query should not find any result
- name: create ad sp
  azure_ad_serviceprincipal:
    app_id: '{{ app_id }}'
    state: present
    tenant: '{{ tenant_id }}'
    ad_user: unpredictableName
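
The three positive cases above (a predictable name, an empty string, and a key with no value) can be told apart with a small check over the parsed tasks. This is an added example, not the query's own implementation: `check_tasks`, `PREDICTABLE_NAMES` and its contents are assumptions (the page only names 'Admin'), and the input is the page's samples written as a YAML loader would return them.

```python
# Added example: flag weak 'ad_user' values in parsed Ansible tasks.
# PREDICTABLE_NAMES is an assumed list for illustration; the page only names 'Admin'.
PREDICTABLE_NAMES = {"admin", "administrator", "root", "guest"}
MODULE = "azure_ad_serviceprincipal"


def check_tasks(tasks):
    """Return (task name, reason) for every task whose ad_user is weak."""
    findings = []
    for task in tasks:
        params = task.get(MODULE)
        if not isinstance(params, dict) or "ad_user" not in params:
            continue  # other module, or attribute absent: out of scope here
        name = task.get("name", "<unnamed>")
        ad_user = params["ad_user"]
        # `ad_user:` with no value loads as None; `ad_user: ""` as an empty string.
        if ad_user is None or str(ad_user).strip() == "":
            findings.append((name, "ad_user is empty or null"))
        # Compare case-insensitively so 'Admin' and 'admin' are treated alike.
        elif str(ad_user).strip().lower() in PREDICTABLE_NAMES:
            findings.append((name, "ad_user is predictable"))
    return findings


def sp_task(name, ad_user):
    """Build one task dict shaped like the page's samples (constructed input)."""
    return {
        "name": name,
        MODULE: {
            "app_id": "{{ app_id }}",
            "state": "present",
            "tenant": "{{ tenant_id }}",
            "ad_user": ad_user,
        },
    }


# Constructed input mirroring the positive and negative samples on this page.
POSITIVE = [
    sp_task("create ad sp", "admin"),
    sp_task("create ad sp2", ""),
    sp_task("create ad sp3", None),
]
NEGATIVE = [sp_task("create ad sp", "unpredictableName")]

if __name__ == "__main__":
    for name, reason in check_tasks(POSITIVE + NEGATIVE):
        print(f"{name}: {reason}")
```

A value supplied through a Jinja2 template (for example `"{{ some_var }}"`) is not resolved by this check and would need to be evaluated against the inventory before comparison.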