One of the most prominent questions when working with PaaS databases is how to secure them. In the previous blogpost of these defence series, I talked about limiting access to objects through firewalls and encryption. Today I’ll discuss protecting and auditing your data. Also, I’ll add some extra resources for a complete overview of the available security features on an Azure SQL Sever Database.
Authentication is an mechanism that proves the identity validation in case of an attempted connection. SQL PaaS databases currently support two types of authentication:
The logical SA account or, server admin as known in the context of a PaaS server, is established when you create the logical with a username and password. When using these credentials, you can authenticate in any database on that server as the database owner, or dbo.
If you want to use the Azure Active Directory Authentication for your SA account, you must create another server admin called the Azure AD admin. This administrator can then be used to administer Azure AD users and groups and is also capable of performing all operations that a regular server admin can. The following script provides the Azure AD administrator group named DBA_Group as an Azure AD Admin on the KoheraServer. There is a small catch, as this commandlet does not prevent you from providing Azure AD admins for unsupported users. An unsupported user can be provided, but cannot connect to the databases.
Set-AzureRmSqlServerActiveDirectoryAdministrator –ResourceGroupName " KoheraResourceGroup "
–ServerName "KoheraServer" -DisplayName "DBA_Group
It is always better to create an application account to authenticate your application, because it is a foolproof way to limit granted permissions and at the same time reduce the risks of malicious activity in case of for example a SQL injection attack. The recommended approach is to create a contained database user, which allows your app to authenticate directly to a single database. The following script is an example of how you can create a contained database user that uses SQL authentication and must be executed by a server admin in the corresponding database scope.
CREATE USER ApplicationUser WITH PASSWORD = 'strong_password'; -- SQL Authentication
If you are connected as the Azure AD admin, you can also create a contained database user that uses Azure Active Directory Authentication by executing the following T-SQL command:
CREATE USER [Azure_AD_principal_name | Azure_AD_group_display_name] FROM EXTERNAL PROVIDER; -- Azure Active Directory Authentication
You can see how simple it is to athenticate in this way, so there really is no excuse for you to connect your application using anything else than these application credentials.
As the database engine will close any connections that remains idle for more than 30 minutes, you should consider a reconnecting logic into your application. However, an automated disconnect isn’t the only argument. For security reasons, continuously active connections to a SQL Server database will require reauthorization (performed by the database engine) at least every 10 hours.
The database engine will attempt reauthorization by itself using the originally submitted password and, in many cases, no extra user input will be required. This is important for performance reasons. When a password is reset in a SQL Server database, however, the connection will not be reauthenticated automatically, even if the connection is reset due to connection pooling. keep this in mind, because this is one of the points in which the behaviour of an on-premise SQL Server is different.
If you change a user password since the connection was initially authorized, the connection should be broken en reauthorized by using the new password. The best way to do this, is using an account with the KILL DATABASE CONNECTION permission and then explicitly terminate the user connections to SQL Server database by using the KILL command.
For more info on this topic, be sure to check out Microsoft’s advice on Azure AD authentification.
© 2023 Kohera
Crafted by
© 2022 Kohera
Crafted by
Cookie | Duration | Description |
---|---|---|
ARRAffinity | session | ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user. |
ARRAffinitySameSite | session | This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session. |
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category. |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
CookieLawInfoConsent | 1 year | CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie. |
elementor | never | The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | Cloudflare set the cookie to support Cloudflare Bot Management. |
pll_language | 1 year | Polylang sets this cookie to remember the language the user selects when returning to the website and get the language information when unavailable in another way. |
Cookie | Duration | Description |
---|---|---|
_ga | 1 year 1 month 4 days | Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. |
_ga_* | 1 year 1 month 4 days | Google Analytics sets this cookie to store and count page views. |
_gat_gtag_UA_* | 1 minute | Google Analytics sets this cookie to store a unique user ID. |
_gid | 1 day | Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously. |
ai_session | 30 minutes | This is a unique anonymous session identifier cookie set by Microsoft Application Insights software to gather statistical usage and telemetry data for apps built on the Azure cloud platform. |
CONSENT | 2 years | YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data. |
vuid | 1 year 1 month 4 days | Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website. |
Cookie | Duration | Description |
---|---|---|
ai_user | 1 year | Microsoft Azure sets this cookie as a unique user identifier cookie, enabling counting of the number of users accessing the application over time. |
VISITOR_INFO1_LIVE | 5 months 27 days | YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface. |
YSC | session | Youtube sets this cookie to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
yt-remote-device-id | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
yt.innertube::nextId | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
yt.innertube::requests | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
Cookie | Duration | Description |
---|---|---|
WFESessionId | session | No description available. |