SQL Database Server Firewall Allows All IPS
- Query id: 6a3201a5-1630-494b-b294-3129d06b0eca
- Query name: SQL Database Server Firewall Allows All IPS
- Platform: AzureResourceManager
- Severity: Critical
- Category: Networking and Firewall
- URL: Github
Description¶
SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "sqlServer1",
"type": "Microsoft.Sql/servers",
"apiVersion": "2021-02-01-preview",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "sqlServer1"
},
"properties": {
"administratorLogin": "adminUsername",
"administratorLoginPassword": "adminPassword"
},
"resources": [
{
"type": "firewallRules",
"apiVersion": "2021-02-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
],
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "0.0.0.0"
}
}
]
}
],
"outputs": {}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "0.0.0.0/0"
}
}
],
"outputs": {}
}
Positive test num. 3 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "sqlServer1",
"type": "Microsoft.Sql/servers",
"apiVersion": "2021-02-01-preview",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "sqlServer1"
},
"properties": {
"administratorLogin": "adminUsername",
"administratorLoginPassword": "adminPassword"
},
"resources": [
{
"type": "firewallRules",
"apiVersion": "2021-02-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
],
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "0.0.0.0"
}
}
]
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "0.0.0.0/0"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
}
],
"outputs": {}
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "192.168.1.2",
"startIpAddress": "192.168.1.254"
}
}
],
"outputs": {}
}
Negative test num. 3 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Negative test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "192.168.1.2",
"startIpAddress": "192.168.1.254"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}